State Privacy Law Tracker: Minnesota

Minnesota Data Privacy Law

On May 24, 2024, Minnesota Governor Tim Walz signed into law the Minnesota Consumer Data Privacy Act (MCDPA), making Minnesota the 19th state to implement comprehensive data privacy legislation. 

Scheduled to take effect on July 31, 2025, this act introduces robust privacy protections for consumers and sets forth significant compliance requirements for businesses. While similar to data privacy laws in Washington, New Hampshire, and Maryland, the Minnesota Act includes unique provisions. 

Scope and Applicability

The MCDPA imposes obligations on “controllers”—entities or individuals that determine the purposes and means of processing personal data—operating in Minnesota or targeting products or services to Minnesota residents. To be subject to this law, controllers must meet one of the following criteria within a calendar year:

  • Control or process the personal data of at least 100,000 unique Minnesota consumers.
  • Control or process the personal data of 25,000 unique Minnesota consumers and derive over 25% of gross revenue from the sale of personal data.

Exemptions

Several entities and types of data are exempt from the MCDPA:

  • Government entities, Indian tribes, chartered banks, credit unions, and insurance companies.
  • Financial data regulated by the Gramm-Leach-Bliley Act, protected health information under HIPAA, consumer credit-reporting data, and data covered by laws such as the Drivers’ Privacy Protection Act and the Family Educational Rights and Privacy Act.
  • Data for job applications, employment, benefits administration, and emergency contact purposes.
  • Nonprofit organizations established to detect and prevent insurance fraud.
  • Small businesses, as defined by the U.S. Small Business Administration, except when selling sensitive data without consumer consent.

Consumer Rights

The Minnesota Consumer Data Privacy Act grants consumers several rights regarding their personal data:

  • Access: Confirm whether their data is being processed and obtain access to it.
  • Correction: Correct inaccuracies in their personal data.
  • Deletion: Request the deletion of their personal data.
  • Portability: Obtain a copy of their data in a portable format.
  • Opt-Out: Opt out of data processing for targeted advertising, sale of personal data, or profiling.
  • Profiling: Question profiling decisions and review and correct data used in profiling.

Controllers must respond to consumer requests within 45 days, with possible extensions if necessary. They must also establish an appeal process for denied requests and maintain records of all appeals for at least 24 months.

Controller and Processor Obligations

Controllers must provide a clear, accessible online privacy notice detailing:

  • Categories of personal data processed.
  • Purposes for data processing.
  • Consumer rights and how to exercise them.
  • Third parties with whom data is shared.
  • Data retention policies.
  • Contact information for data privacy inquiries.

Controllers selling data, engaging in targeted advertising, or profiling must prominently display opt-out options. They must also:

  • Limit data collection to what is necessary for disclosed purposes.
  • Implement robust data security measures.
  • Obtain consumer consent before processing sensitive data.
  • Provide an easy mechanism for consumers to revoke consent.
  • Conduct data protection impact assessments for high-risk data processing activities.

Enforcement

The Minnesota Attorney General has exclusive enforcement authority. Initially, controllers have a 30-day period to cure violations; this cure provision expires on January 31, 2026. Violations can result in civil penalties of up to $7,500 per violation, with additional penalties for non-compliance.

Unique Features

The Minnesota Consumer Data Privacy Act stands out with several unique features:

  • Profiling: Consumers can question profiling decisions and seek correction of inaccurate data.
  • Small Business Exemption: Exempts small businesses, with specific conditions for selling sensitive data.
  • Conspicuous Opt-Out Links: Requires clear opt-out links for data sales and targeted advertising.
  • Notification of Privacy Notice Changes: Controllers must notify consumers of material changes to privacy notices and allow them to withdraw consent.
  • Prohibition on Disclosing Sensitive Data: Limits the disclosure of sensitive information in response to consumer requests.
