One of the most ubiquitous technologies on the web may become a liability risk for businesses. Learn about Google Analytics, wiretap lawsuits, and how to protect your company.
U.S. states continue to take charge of data privacy for their residents, as Minnesota passed its Consumer Data Privacy Act (MCDPA). This latest comprehensive privacy law is based on the model first passed by Virginia, Colorado, and others, but adds a few of its own innovations as well.
Here’s what you need to know about the Minnesota Consumer Data Privacy Act.
The Minnesota privacy law goes into effect on July 31, 2025.
The Minnesota Consumer Data Privacy Act applies to any person or organization that does business in the state or targets its products or services toward state residents, and meets at least one of the following requirements:
The MCDPA contains a number of exemptions, such as for data that is covered by federal laws such as HIPAA and the Gramm-Leach-Bliley Act. A unique provision in the Minnesota law exempts all “small businesses,” as that term is defined by the Small Business Administration. The MCDPA can also apply to nonprofit organizations.
The MCDPA gives state residents the following rights.
Violations of the Minnesota Consumer Data Privacy Act are punishable by civil penalties of up to $7,500 per violation.
The MCDPA does not grant a private right of action to consumers, meaning they cannot sue an organization over violations. Only the Minnesota Attorney General’s Office has authority to enforce the law.
As described above, the MCDPA grants consumers new rights not found in other privacy laws: the right to question profiling results, and the right to receive a list of third parties.
Most state privacy laws require businesses to offer an appeals process in case they deny a consumer’s privacy request. Minnesota’s privacy law is no different in this respect, except that it imposes an additional record-keeping requirement. Businesses must retain records relating to all appeals for at least 24 months, and make those records available to the Attorney General upon request.
The MCDPA introduces a new compliance task for data controllers: documenting and maintaining “a description of the policies and procedures the controller has adopted to comply with [the MCDPA].”
This description should include the following.
Creating this documentation could be a significant project for businesses, so it may be a good idea to begin well in advance of the MCDPA’s 2025 effective date.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.