U.S. states continue to take charge of data privacy for their residents, as Minnesota passed its Consumer Data Privacy Act (MCDPA). This latest comprehensive privacy law is based on the model first passed by Virginia, Colorado, and others, but adds a few of its own innovations as well.

Here’s what you need to know about the Minnesota Consumer Data Privacy Act.

When Does the MCDPA Go Into Effect?

The Minnesota privacy law goes into effect on July 31, 2025.

Who Does It Apply To?

The Minnesota Consumer Data Privacy Act applies to any person or organization that does business in the state or targets its products or services toward state residents, and meets at least one of the following requirements:

• Controls or processes the personal data of at least 100,000 state residents per year (excluding data processed solely to complete a payment transaction), OR
• Controls or processes the personal data of at least 25,000 state residents per year AND derives over 25% of its revenue from the sale of personal data

The MCDPA contains a number of exemptions, such as for data that is covered by federal laws such as HIPAA and the Gramm-Leach-Bliley Act. A unique provision in the Minnesota law exempts all “small businesses,” as that term is defined by the Small Business Administration. The MCDPA can also apply to nonprofit organizations.

What Privacy Rights Do Minnesota Residents Have?

The MCDPA gives state residents the following rights.

• Right to Know - Consumers have the right to confirm whether a business is processing their personal data and to access that data.

• Right to Correct - Consumers can request that a business correct any inaccurate personal information it holds about a consumer.

• Right to Delete - Upon request, businesses must delete personal data concerning the consumer.

• Right to Portability - Upon request, businesses must provide a copy of the consumer’s personal data in a readily portable format so that it can be transmitted to another controller.

• Right to Opt Out - Consumers can opt out of:

• • The sale of their personal data
  • Targeted advertising
  • Profiling in furtherance of automated decisions that produce legal or similarly significant effects

• Right to Question Profiling Results - If a consumer is subject to profiling in furtherance of decisions that produce legal or similarly significant effects, they have a number of rights concerning that process:

• To question the result of the profiling
• To be informed of the reasoning behind the decision
• To be informed what actions they could have taken to secure a different decision, and what actions they can take to secure a different decision in the future
• To review and correct the personal data used in the profiling

• Right to Receive a List of Third Parties - Consumers can request a list of the specific third parties to whom their personal data was disclosed.

How Much Do Violations Cost?

Violations of the Minnesota Consumer Data Privacy Act are punishable by civil penalties of up to $7,500 per violation.

Can Businesses Be Sued by Consumers?

The MCDPA does not grant a private right of action to consumers, meaning they cannot sue an organization over violations. Only the Minnesota Attorney General’s Office has authority to enforce the law.

What’s Different in this Law?

New Rights

As described above, the MCDPA grants consumers new rights not found in other privacy laws: the right to question profiling results, and the right to receive a list of third parties.

Record-Keeping Requirements for Appeals

Most state privacy laws require businesses to offer an appeals process in case they deny a consumer’s privacy request. Minnesota’s privacy law is no different in this respect, except that it imposes an additional record-keeping requirement. Businesses must retain records relating to all appeals for at least 24 months, and make those records available to the Attorney General upon request.

Internal Data Privacy Policies

The MCDPA introduces a new compliance task for data controllers: documenting and maintaining “a description of the policies and procedures the controller has adopted to comply with [the MCDPA].”

This description should include the following.

• Name and contact information for the business’s chief privacy officer or other individual tasked with managing the business’s privacy compliance.
• A description of policies and procedures that reflect the MCDPA’s requirements for controllers, including any policies and procedures regarding:
  • How MCDPA requirements are reflected in the design of the controller's systems
  • Identifying and providing personal data to a consumer per their access rights
  • Data security practices
  • Data minimization practices
  • Preventing the retention of personal data that is no longer necessary for the purposes for which it was collected
  • Identifying and remediating violations of the MCDPA

Creating this documentation could be a significant project for businesses, so it may be a good idea to begin well in advance of the MCDPA’s 2025 effective date.

‍