State Privacy Law Tracker: Minnesota

Minnesota Data Privacy Law

On May 24, 2024, Minnesota Governor Tim Walz signed into law the Minnesota Consumer Data Privacy Act (MCDPA), making Minnesota the 19th state to implement comprehensive data privacy legislation. 

Scheduled to take effect on July 31, 2025, this act introduces robust privacy protections for consumers and sets forth significant compliance requirements for businesses. While similar to data privacy laws in Washington, New Hampshire, and Maryland, the Minnesota Act includes unique provisions. 

Scope and Applicability

The MCDPA imposes obligations on “controllers”—entities or individuals that determine the purposes and means of processing personal data—operating in Minnesota or targeting products or services to Minnesota residents. To be subject to this law, controllers must meet one of the following criteria within a calendar year:

  • Control or process the personal data of at least 100,000 unique Minnesota consumers.
  • Control or process the personal data of 25,000 unique Minnesota consumers and derive over 25% of gross revenue from the sale of personal data.


Several entities and types of data are exempt from the MCDPA:

  • Government entities, Indian tribes, chartered banks, credit unions, and insurance companies.
  • Financial data regulated by the Gramm-Leach-Bliley Act, protected health information under HIPAA, consumer credit-reporting data, and data covered by laws such as the Drivers’ Privacy Protection Act and the Family Educational Rights and Privacy Act.
  • Data for job applications, employment, benefits administration, and emergency contact purposes.
  • Nonprofit organizations are established to detect and prevent insurance fraud.
  • Small businesses, as defined by the U.S. Small Business Administration, except when selling sensitive data without consumer consent.

Consumer Rights

The Minnesota Consumer Data Privacy Act grants consumers several rights regarding their personal data:

  • Access: Confirm whether their data is being processed and obtain access to it.
  • Correction: Correct inaccuracies in their personal data.
  • Deletion: Request the deletion of their personal data.
  • Portability: Obtain a copy of their data in a portable format.
  • Opt-Out: Opt out of data processing for targeted advertising, sale of personal data, or profiling.
  • Profiling: Question profiling decisions and review and correct data used in profiling.

Controllers must respond to consumer requests within 45 days, with possible extensions if necessary. They must also establish an appeal process for denied requests and maintain records of all appeals for at least 24 months.

Controller and Processor Obligations

Controllers must provide a clear, accessible online privacy notice detailing:

  • Categories of personal data processed.
  • Purposes for data processing.
  • Consumer rights and how to exercise them.
  • Third parties with whom data is shared.
  • Data retention policies.
  • Contact information for data privacy inquiries.

Controllers selling data, engaging in targeted advertising, or profiling must prominently display opt-out options. They must also:

  • Limit data collection to what is necessary for disclosed purposes.
  • Implement robust data security measures.
  • Obtain consumer consent before processing sensitive data.
  • Provide an easy mechanism for consumers to revoke consent.
  • Conduct data protection impact assessments for high-risk data processing activities.


The Minnesota Attorney General has exclusive enforcement authority. Initially, controllers have a 30-day period to cure violations, expiring on January 31, 2026. Violations can result in civil penalties of up to $7,500 per violation, with additional penalties for non-compliance.

Unique Features

The Minnesota Consumer Data Privacy Act stands out with several unique features:

  • Profiling: Consumers can question profiling decisions and seek correction of inaccurate data.
  • Small Business Exemption: Exempts small businesses, with specific conditions for selling sensitive data.
  • Conspicuous Opt-Out Links: Requires clear opt-out links for data sales and targeted advertising.
  • Notification of Privacy Notice Changes: Controllers must notify consumers of material changes to privacy notices and allow them to withdraw consent.
  • Prohibition on Disclosing Sensitive Data: Limits the disclosure of sensitive information in response to consumer requests.

Sign up for our Data Privacy Tracker with monthly updates on the latest news and developments

Skip to content