Book a Demo

State Privacy Law Tracker: Minnesota

Alabama
Alaska
Arizona
Arkansas
California
Colorado
Connecticut
Delaware
Florida
Georgia
Hawaii
Idaho
Illinois 
Indiana
Iowa
Kansas
Kentucky
Maine
Maryland
Massachusetts
Michigan
Minnesota
Mississippi
Missouri
Montana
Nebraska
Nevada
New Hampshire
New Jersey
New Mexico
New York
North Carolina
North Dakota
Ohio
Oklahoma
Oregon
Pennsylvania
Rhode Island
South Carolina
South Dakota
Tennessee
Texas
Utah
Vermont
Virginia
Washington
West Virginia
Wisconsin
Wyoming
Minnesota Data Privacy Law
  • Effective Date: 2025-07-31
  • Status: In Effect

Minnesota MNCDPA 2025 Update 

As of July 31, 2025, the law is officially in effect for most organizations and proves to be one of the most expansive and forward-looking state privacy frameworks in the U.S.

Here’s a breakdown of the law as enforcement begins:

Right to Contest Profiling Decisions

Minnesota goes beyond the standard opt-out rights by giving individuals the right to contest decisions made through profiling, request a review of the personal data used, correct any inaccuracies, and trigger a re-evaluation of the outcome.

Adolescent Privacy Protections with Opt-In Requirements

Businesses must obtain affirmative consent for targeted advertising and the sale of personal data if they know the individual is between 13 and 16 years old. This narrows protections compared to other states that also consider cases of “willful disregard,” but still raises the standard for youth data.

Mandatory Data Inventories and a Named Privacy Lead

The law is the first in the U.S. to explicitly require controllers to maintain a data inventory and to identify a Chief Privacy Officer or equivalent individual responsible for compliance. Organizations must also document internal privacy procedures in detail.

Broader Protections for Pseudonymized and Deidentified Data

The MNCDPA prohibits processors and third parties from attempting to re-identify deidentified or pseudonymized data without explicit authorization from the original controller.

Expanded Civil Rights Language in Data Use

Data use must not result in unlawful discrimination in contexts like housing, employment, education, credit, or public accommodations, echoing and expanding on recent laws in Maryland.

Unique Geolocation Definition

Rather than using a distance in feet, Minnesota defines “specific geolocation data” as any data that identifies a device’s coordinates to more than three decimal degrees of latitude and longitude—offering clearer technical thresholds.

Small Business Carveouts

Entities defined as small businesses by the U.S. Small Business Administration are exempt from most requirements but cannot sell sensitive data without prior consent.

New Data Privacy and Protection Assessment (DPPA) Standards

Required for high-risk processing activities, Minnesota’s DPPAs must include detailed context, type of personal data involved, and a description of internal compliance policies.

Stronger Privacy Notice Requirements

Privacy policies must include data retention timelines, the date of last update, and be prominently displayed online or within mobile apps. Businesses do not need a Minnesota-specific notice if their general privacy notice meets all requirements.

Note: Postsecondary institutions regulated by the Minnesota Office of Higher Education have a delayed enforcement date of July 31, 2029.

2024 MNCDPA Status

On May 24, 2024, Minnesota Governor Tim Walz signed into law the Minnesota Consumer Data Privacy Act (MCDPA), making Minnesota the 19th state to implement comprehensive data privacy legislation. 

Scheduled to take effect on July 31, 2025, this act introduces robust privacy protections for consumers and sets forth significant compliance requirements for businesses. While similar to data privacy laws in Washington, New Hampshire, and Maryland, the Minnesota Act includes unique provisions. 

Scope and Applicability

The MCDPA imposes obligations on “controllers”—entities or individuals that determine the purposes and means of processing personal data—operating in Minnesota or targeting products or services to Minnesota residents. To be subject to this law, controllers must meet one of the following criteria within a calendar year:

  • Control or process the personal data of at least 100,000 unique Minnesota consumers.
  • Control or process the personal data of 25,000 unique Minnesota consumers and derive over 25% of gross revenue from the sale of personal data.

Exemptions

Several entities and types of data are exempt from the MCDPA:

  • Government entities, Indian tribes, chartered banks, credit unions, and insurance companies.
  • Financial data regulated by the Gramm-Leach-Bliley Act, protected health information under HIPAA, consumer credit-reporting data, and data covered by laws such as the Drivers’ Privacy Protection Act and the Family Educational Rights and Privacy Act.
  • Data for job applications, employment, benefits administration, and emergency contact purposes.
  • Nonprofit organizations are established to detect and prevent insurance fraud.
  • Small businesses, as defined by the U.S. Small Business Administration, except when selling sensitive data without consumer consent.

Consumer Rights

The Minnesota Consumer Data Privacy Act grants consumers several rights regarding their personal data:

  • Access: Confirm whether their data is being processed and obtain access to it.
  • Correction: Correct inaccuracies in their personal data.
  • Deletion: Request the deletion of their personal data.
  • Portability: Obtain a copy of their data in a portable format.
  • Opt-Out: Opt out of data processing for targeted advertising, sale of personal data, or profiling.
  • Profiling: Question profiling decisions and review and correct data used in profiling.

Controllers must respond to consumer requests within 45 days, with possible extensions if necessary. They must also establish an appeal process for denied requests and maintain records of all appeals for at least 24 months.

Controller and Processor Obligations

Controllers must provide a clear, accessible online privacy notice detailing:

  • Categories of personal data processed.
  • Purposes for data processing.
  • Consumer rights and how to exercise them.
  • Third parties with whom data is shared.
  • Data retention policies.
  • Contact information for data privacy inquiries.

Controllers selling data, engaging in targeted advertising, or profiling must prominently display opt-out options. They must also:

  • Limit data collection to what is necessary for disclosed purposes.
  • Implement robust data security measures.
  • Obtain consumer consent before processing sensitive data.
  • Provide an easy mechanism for consumers to revoke consent.
  • Conduct data protection impact assessments for high-risk data processing activities.

Enforcement

The Minnesota Attorney General has exclusive enforcement authority. Initially, controllers have a 30-day period to cure violations, expiring on January 31, 2026. Violations can result in civil penalties of up to $7,500 per violation, with additional penalties for non-compliance.

Unique Features

The Minnesota Consumer Data Privacy Act stands out with several unique features:

  • Profiling: Consumers can question profiling decisions and seek correction of inaccurate data.
  • Small Business Exemption: Exempts small businesses, with specific conditions for selling sensitive data.
  • Conspicuous Opt-Out Links: Requires clear opt-out links for data sales and targeted advertising.
  • Notification of Privacy Notice Changes: Controllers must notify consumers of material changes to privacy notices and allow them to withdraw consent.
  • Prohibition on Disclosing Sensitive Data: Limits the disclosure of sensitive information in response to consumer requests.

Sign up for our Data Privacy Tracker with monthly updates on the latest news and developments

Partner Login

Try the Centraleyes
Risk & Compliance

Free for 30 Days

Skip to content