Minnesota Consumer Data Privacy Act
The Minnesota Consumer Data Privacy Act grants standard data rights plus novel rights to question profiling decisions and to receive a list of specific third parties. It requires a documented data inventory and is enforced by the Minnesota Attorney General.
Minnesota Consumer Data Privacy Act
The Minnesota Consumer Data Privacy Act (MCDPA), codified at Minnesota Statutes Chapter 325O, is Minnesota's comprehensive consumer privacy statute. It took effect on July 31, 2025. While built on the common state framework, the MCDPA introduces several novel consumer rights and controller duties not found in most peer laws.
Who It Applies To
The MCDPA applies to persons that conduct business in Minnesota or produce products or services targeted to Minnesota residents and that, during a calendar year, control or process the personal data of either 100,000 or more consumers, or 25,000 or more consumers while deriving more than 25 percent of gross revenue from the sale of personal data. It exempts HIPAA and Gramm-Leach-Bliley data, and includes a notable exemption for small businesses as defined by the Small Business Administration, subject to a sensitive-data sale consent requirement.
Key Requirements
In addition to standard rights to access, correct, delete, port, and opt out of targeted advertising, sale, and profiling, the MCDPA adds distinctive rights. Consumers may question the result of profiling that produces legal or similarly significant effects, be informed of the reason for the decision, and learn what actions they could take to secure a different result. Consumers may also obtain a list of the specific third parties to which their data has been disclosed. Controllers must maintain a data inventory and document their privacy and security policies. Opt-in consent is required for sensitive data, universal opt-out signals must be honored, and data protection assessments are required.
Penalties for Non-Compliance
The Minnesota Attorney General has exclusive enforcement authority; there is no private right of action. Civil penalties reach up to 7,500 dollars per violation. A 30-day cure period was available until January 31, 2026, after which it became discretionary.
How to Comply
Build workflows for the standard rights plus the new profiling-explanation right and the specific-third-party disclosure right. Create and maintain a documented data inventory. Implement opt-in consent for sensitive data, honor universal opt-out signals, and keep documented data protection assessments.
Relationship to Other Laws
Minnesota extends the common state model with novel rights that require new engineering and process work: the ability to question and understand the basis of significant profiling decisions, and the right to a list of specific third parties rather than categories. Its data inventory obligation formalizes a practice many organizations already perform informally. Building these capabilities in Minnesota tends to raise the maturity of an organization's overall privacy program.
Operational Mechanics
Like its sibling state statutes, this law sets concrete operational requirements that engineering and operations teams must implement. Controllers must respond to a verified consumer rights request without undue delay and within 45 days of receipt, with a single 45-day extension permitted where reasonably necessary given the complexity and volume of requests, provided the consumer is notified of the extension and the reason. Where a controller declines to act, it must inform the consumer of the reason and provide instructions for appealing the decision; the law requires an internal appeal process, and if an appeal is denied the controller must give the consumer a method to contact the state Attorney General to submit a complaint. Controllers may not charge a fee for the first request in a defined period and must establish a secure, reliable means for consumers to submit requests, taking into account the ways consumers normally interact with the controller. Relationships with processors must be governed by a binding contract that sets out processing instructions, confidentiality duties, deletion or return of data at the end of the engagement, and the duty to assist the controller with security, breach response, and assessments. Treating these mechanics as shared platform services, rather than rebuilding them per state, is the most efficient path to durable, multistate compliance.