Minnesota Consumer Data Privacy Act (MCDPA) – an overview

The Minnesota Consumer Data Privacy Act (MCDPA) takes effect on July 31, 2025, establishing new standards for data privacy and consumer protection in the state. Businesses preparing for compliance must understand the key provisions and implications for consumer rights to ensure a smooth transition.
by Usercentrics
Aug 19, 2024

Minnesota became the nineteenth state in the United States to pass a consumer privacy bill with the Minnesota Consumer Data Privacy Act (MCDPA) when Governor Tim Walz signed it into law on May 24, 2024. The law goes into effect on July 31, 2025, with the compliance deadline extended to July 31, 2029 for postsecondary institutions regulated by the Minnesota Office of Higher Education.

We look at how the MCDPA protects consumers’ information, and the broader implications for organizations under its jurisdiction.

What is the Minnesota Consumer Data Privacy Act (MCDPA)?

The Minnesota Consumer Data Privacy Act (MCDPA) is a regulation designed to protect the privacy and personal data of Minnesota’s residents by regulating how data is collected, processed, and used. The state-level law imposes specific obligations on businesses that either operate in Minnesota or offer products and services to its residents, known as “consumers” under the law, and process their personal data.

Under the MCDPA, a consumer is “a natural person who is a Minnesota resident acting only in an individual or household context.” The law explicitly excludes any natural person acting in a commercial or employment context.

Like most other US states with similar laws, Minnesota follows an opt-out consent model. Businesses must clearly inform consumers about:

  • what personal data they collect
  • the purpose(s) for collecting this data
  • any third parties with whom the data may be shared
  • how consumers can opt out of the collection and processing of their personal data for specific purposes.

Who must comply with the Minnesota Consumer Data Privacy Act?

The Minnesota privacy law applies to businesses that operate in the state and produce products or services targeted at Minnesota residents, and during a calendar year:

  • control or process the personal data of at least 100,000 consumers, except if the personal data is controlled or processed only for the purposes of completing a payment transaction
    or
  • control or process the personal data of at least 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data

The MCDPA applies to any business that fulfills these conditions, regardless of where the business is located.

Minnesota data privacy law sets itself apart from some other state laws such as the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), as it does not require businesses to comply based on annual revenue alone.

Exemptions to Minnesota Consumer Data Privacy Act compliance

The Minnesota data privacy law exempts certain entities from complying, including:

  • government entities
  • federally recognized Indian tribes
  • covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA)
  • state or federally chartered banks or credit unions, or their affiliates or subsidiaries primarily engaged in financial activities
  • insurance companies, insurance producers, third-party administrators of self-insurance, or their affiliates or subsidiaries primarily engaged in financial activities
  • small businesses as defined under the U.S. Small Business Act, unless they sell consumers’ sensitive data without obtaining prior consent
  • air carriers subject to the Airline Deregulation Act where the personal data collected relates to prices, routes, or services
  • nonprofit organizations established to detect and prevent insurance fraud

Data that is exempt from the law includes:

  • protected healthcare-related information, research data, and employment-related data
  • data collected or maintained as emergency contact information for a natural person if used for emergency contact purposes only
  • data created for or collected under several federal laws, including, among others:
    • Gramm-Leach-Bliley Act (GLBA)
    • HIPAA
    • Health Care Quality Improvement Act
    • Family Educational Rights and Privacy Act (FERPA)
    • Farm Credit Act (FCA)
    • Minnesota Insurance Fair Information Reporting Act
    • Driver’s Privacy Protection Act
    • Fair Credit Reporting Act (FCRA)

Definitions under the Minnesota Consumer Data Privacy Act

The Minnesota privacy law defines key terms that explain the types of data it covers and the data processing activities involved.

Personal data under the MCDPA

The Minnesota privacy law defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The definition specifically excludes de-identified data or publicly available information.

Common types of personal data that businesses collect include name, phone number, email address, Social Security number, or driver’s license number.

Sensitive data under the MCDPA

Sensitive data is personal data that could harm consumers if abused. Under the MCDPA, it includes:

  • racial or ethnic origin
  • religious beliefs
  • mental or physical health diagnosis
  • sexual orientation
  • citizenship or immigration status
  • genetic or biometric data processed for the purpose of uniquely identifying an individual
  • personal data collected from a known child (under 13 years of age)
  • precise geolocation data that can accurately identify an individual’s specific location within an accuracy of more than three decimal degrees of latitude and longitude or the equivalent in an alternative geographic coordinate system, or a street address derived from the coordinates

Controller under the MCDPA

A controller under Minnesota’s privacy law is “a natural or legal person who, alone or jointly with others, determines the purpose and means of processing personal data.”

A controller, also known as a “data controller” under some laws, is responsible for protecting personal data under the law.

Processor under the MCDPA

A processor under the law is “a natural or legal person who processes personal data on behalf of a controller.”

Sale of personal data under the MCDPA

Sale of personal data means “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.”

The MCDPA’s definition specifically excludes the following:

  • disclosure of personal data to a processor that processes the personal data on the controller’s behalf
  • disclosure of personal data to a third party for the purposes of providing a product or service the consumer has requested
  • disclosure or transfer of personal data to the controller’s affiliate
  • disclosure of information that the consumer has intentionally made available to the public through a mass media channel not restricted to a specific audience
  • disclosure or transfer of personal data to a third party as an asset that is part of a proposed or completed merger, acquisition, bankruptcy, or other transaction
  • exchange of personal data between the producer of goods or services and its authorized agents who sell these goods and services, to enable both parties to provide the goods and services

Targeted advertising under the MCDPA

The MCDPA defines targeted advertising as “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from the consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.”

Targeted advertising under the MCDPA does not include:

  • ads based on activities within a controller’s own websites or online apps
  • ads based on the context of a consumer’s current search query, visit to the website, or online app
  • ads directed to a consumer in response to the consumer’s request for information or feedback
  • processing of personal data solely for measuring or reporting ad performance, reach, or frequency

The Minnesota privacy law defines consent as “any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which the consumer signifies agreement to the processing of personal data relating to the consumer.”

Excluded from the definition are:

  • acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information
  • hovering over, muting, pausing, or closing a given piece of content
  • consent obtained through the use of dark patterns

Consumer rights under the Minnesota Consumer Data Privacy Act

Consumers have several rights under the MCDPA that enable them to protect their personal data and control how it’s used, in particular:

  • Right to access: consumers can confirm if the controller is processing their personal data and can access this data, with some exceptions
  • Right to correction: consumers have the right to have any inaccurate personal data about them corrected, taking into account the nature of the personal data and purposes of processing
  • Right to deletion: consumers can request the deletion of their personal data, with exceptions
  • Right to data portability: where the processing is carried out by automated means, consumers can obtain a copy of their personal data that they previously provided to the controller, in a portable and readily usable format, with some exceptions
  • Right to information: consumers can obtain a list of specific third parties to whom the controller has disclosed their, or any consumer’s, personal data
  • Right to opt out: consumers can opt out of the processing of their personal data for the purposes of its sale or use for targeted advertising or profiling

Consumers have the following additional rights if their data is used for profiling that affects legal decisions about them:

  • to question the outcome of the profiling
  • to know why the profiling led to that outcome
  • if possible, to learn what actions they could have taken to achieve a different outcome and what they can do in the future to achieve such an outcome
  • to review the personal data used in the profiling, and, if the decision was based on incorrect data, to correct this data and request a reevaluation of the profiling decision with the corrected data

There is no private right of action that gives consumers the right to directly sue a controller for violations of the Minnesota privacy law.

Controllers’ obligations under the Minnesota Consumer Data Privacy Act

Under the Minnesota data privacy law, controllers are required to meet specific obligations to protect consumers’ personal data.

Consumer rights requests under the MCDPA

Controllers must provide one or more secure and reliable methods for consumers to exercise their rights. While consumers can be asked to log in to an existing account for identity verification, requiring them to create a new account is not permitted under the law.

Controllers have 45 days to respond to consumer requests, with the option to extend this period by another 45 days if reasonably necessary. If an extension is required, the controller must inform the consumer before the initial 45-day period expires.

If the controller is unable to reasonably verify the consumer’s identity, they may request additional verification or decline the request. In cases where a request is declined, the controller must notify the consumer within 45 days of receiving the request, providing the reason for the denial and information on how to appeal the decision.

Controllers must respond to appeals within 45 days, and they may extend this period by an additional 60 days if reasonably necessary. If an appeal is denied, the controller must provide a written explanation with reasons for denial and inform the consumer how to submit a complaint to the Attorney General.

Controllers are required to maintain records of all appeals and their responses for a minimum of 24 months, and they must provide the Attorney General with copies of the records if requested.

Privacy notices under the MCDPA

Under the Minnesota data privacy law, controllers must publish a clear, accessible, and comprehensive privacy notice that includes the following information:

  • categories of personal data processed
  • purposes for processing personal data
  • what rights consumers have under the law
  • how consumers may exercise their rights
  • how consumers may appeal the controller’s decision regarding a request
  • categories of personal data sold to or shared with third parties, if any
  • categories of third parties to whom the controller sells or shares personal data, if any
  • contact information for the controller
  • a description of the controller’s retention policies for personal data
  • date of the last update to the privacy notice

Controllers that sell consumers’ personal data to third parties, or process personal data for targeted advertising purposes or profiling, must disclose this in the privacy notice. They must also provide consumers with a prominent method to opt out of the sale, processing, or profiling for these purposes. A link provided for these purposes must use the words “Your Opt-Out Rights” or “Your Privacy Rights”.

Typically, the privacy notice or privacy policy is posted in a highly visible location on the controller’s website, such as the footer, ensuring it’s easy to locate. The MCDPA mandates that controllers use the word “privacy” in the link to the privacy notice on a website, mobile app’s app store page, or download page.

The MCDPA also requires controllers who maintain apps — whether they’re mobile, tablet, web, or smart device apps — to include a link to the privacy notice in the settings menu of the app.

If a controller doesn’t maintain a website, they must make the privacy notice accessible to consumers through the regular means of communication with them, which may include postal mail.

Purpose limitation under the MCDPA

The law requires controllers to disclose the specific purposes for which they are collecting personal data and to restrict their data collection to what is “adequate, relevant, and reasonably necessary” for these identified purposes. Controllers cannot retain personal data if it is no longer needed for the original purposes of collection and processing, unless the law requires or permits it in certain circumstances.

Data security under the MCDPA

Controllers have an obligation to protect the confidentiality, integrity, and accessibility of consumers’ personal data. The Minnesota data privacy law requires controllers to establish, implement, and maintain reasonable administrative, technical, and physical security measures for this purpose, which are appropriate to the volume and nature of the personal data being processed.

Notably, Minnesota is the first state to mandate that controllers maintain data inventories to fulfill these requirements.

Compliance policies and data privacy and protection assessments under the MCDPA

Controllers are required to document a description of the policies and procedures adopted to comply with the MCDPA, including:

  • name and contact information for the controller’s chief privacy officer, or, if one is not appointed, another individual with responsibility to monitor and achieve the controller’s compliance with the law
  • description of the controller’s data privacy policies and procedures that enable controllers to fulfill their obligations under the law
  • description of any policies and procedures established to:
    • ensure that their systems are designed to comply with the law
    • identify and provide personal data to a consumer as required under the law
    • comply with the obligation for ensuring data security
    • comply with the obligation for purpose limitation
    • prevent data that is no longer required from being retained unless required by law
    • identify and rectify violations of the law

The MCDPA also requires controllers to conduct and document a data privacy and protection assessment, known as a data protection impact assessment under some laws, when processing personal data:

  • for the purposes of targeted advertising
  • for sale
  • classified as sensitive data under the law, including children’s data
  • that presents a heightened risk of harm to consumers
  • for profiling that presents a reasonably foreseeable risk of the following on consumers:
    • unfair or deceptive treatment, or disparate impact
    • financial, physical, or reputational injury
    • physical or other intrusion into private affairs
    • other substantial injury

Data privacy and protection assessments under the MCDPA must include the description of policies and procedures that the controller has adopted to comply with the law.

The Attorney General can request the controller to disclose a data privacy and protection assessment during its investigations into any alleged violations, and the controller is obligated to make it available.

The law considers data privacy and protection assessments or risk assessments conducted by a controller for compliance with other laws as valid if the assessments share a similar scope and effect.

Minnesota has adopted an opt-out model for processing personal data, consistent with the other US state-level privacy laws. This means that controllers can collect and process personal data without obtaining prior consent from consumers in most cases. However, an important exception exists for sensitive personal data, where controllers must obtain explicit consent before processing.

Controllers must clearly inform consumers about their data processing activities and provide options for consumers to opt out of the sale of their personal data and its use for targeted advertising or profiling. Additionally, Minnesota law mandates that controllers provide an effective way for consumers to revoke previously given consent. This revocation mechanism must be as easy to use as the method used to give consent initially. Once consent is revoked, controllers are required to stop processing the relevant data as soon as practicable, and no later than 15 days after receiving the revocation request.

The MCDPA aligns with the Children’s Online Privacy Protection Act (COPPA) concerning children’s personal data, which is standard among US data privacy laws. This requires controllers to obtain consent from a parent or guardian before processing any personal data of children under 13 years old, as all personal data of children in this age group is classified as sensitive data under Minnesota law.

Controllers are prohibited from processing the personal data of consumers known to be between the ages of 13 and 16 for the purposes of targeted advertising or selling their data without obtaining prior consent from the individual.

Nondiscrimination under the MCDPA

The MCDPA explicitly prohibits controllers from discriminating against consumers who exercise their rights under the law. This means businesses cannot deny goods or services, charge different prices or rates for goods or services, or offer varying quality levels or experiences (e.g. website access) to consumers based on their choices to exercise their data privacy rights.

However, controllers may offer incentives, such as discounts or rewards, to consumers who voluntarily participate in activities involving the processing of personal data. These incentives must be reasonable and proportionate to avoid being considered coercive rather than optional and voluntary.

Certain website functions that rely on essential or necessary cookies may not operate effectively if a consumer declines these cookies. Such limitations are not regarded as discriminatory under the law.

Controllers are not obligated to provide a product or service that depends on personal data they do not collect or keep.

The MCDPA specifically prohibits controllers from processing personal data on the basis of certain characteristics, including, among others, race, ethnicity, religion, gender identity, familial status, or disability in a manner that unlawfully discriminates against consumers with respect to the provision of:

  • housing, employment, credit, or education
  • goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation

Data processing agreement under the MCDPA

The Minnesota privacy law requires controllers to enter into contracts with processors that govern data processing procedures. While the law does not explicitly use the term “data processing agreement,” this contract serves the same purpose as data processing agreements in other data privacy laws, such as the European Union’s General Data Protection Regulation (GDPR) and the Virginia Consumer Data Protection Act (VCDPA).

The contract or data processing agreement must clearly outline:

  • instructions for processing data
  • nature and purpose of processing
  • type of data subject to processing
  • duration of processing
  • rights and obligations of both parties
  • processor’s duty of confidentiality
  • conditions under which the processor may engage a subcontractor

Processors must assist controllers in meeting their obligations under the MCDPA, including ensuring security of personal data being processed.

Universal opt-out mechanism under the MCDPA

Similar to data privacy laws in states like California, Nebraska, and Texas, the MCDPA includes provisions for universal opt-out mechanisms, such as the Global Privacy Control (GPC). These mechanisms enable consumers to set their privacy preferences once via browser settings or extensions, and these preferences are then automatically applied to all websites and online services they visit.

Under the MCDPA, controllers must respect universal opt-out signals that express a consumer’s choice to opt out of activities such as targeted advertising or the sale of personal data. Controllers that recognize opt-out preference signals approved by other state laws or regulations will be deemed compliant with this requirement under the MCDPA.

The law requires that the mechanism a controller employs must:

  • not unfairly disadvantage another controller
  • require consumers to make “an affirmative, freely given, and unambiguous choice” to opt out rather than use a default opt-out setting
  • be user-friendly
  • be consistent with other similar technologies or mechanisms
  • enable the controller to determine whether the consumer is a resident of Minnesota, either through the consumer’s IP address or other means, and has made a legitimate opt-out request

Enforcement of the Minnesota Consumer Data Privacy Act

The Minnesota Attorney General has exclusive authority to enforce the MCDPA. While the law does not grant consumers a private right of action, they can still file complaints about alleged violations or denials of their privacy rights directly with the Attorney General’s office. Before initiating an enforcement action, the Attorney General must issue a written notice to the implicated party, detailing the alleged violations.

The MCDPA includes a 30-day cure period for organizations to address and rectify any alleged violations after receiving the notification. This cure period has a sunset date of January 31, 2026, after which this provision will no longer apply, and any cure period will be at the discretion of the Attorney General’s office.

Fines and penalties under the MCDPA

The Minnesota Attorney General can initiate enforcement actions against controllers or processors if they fail to remedy a violation within the 30-day cure period. An enforcement action might include seeking injunctive relief and/or imposing civil penalties, which can reach up to USD 7,500 per violation, along with recovering reasonable costs related to investigating the violation.

Like consumer privacy laws in other US states, the Minnesota privacy law adopts an opt-out consent model. This means businesses can collect and process personal data without obtaining prior consent, except for sensitive personal data and data belonging to children.

Consumers have the right to opt out of the collection and processing of their personal data for purposes such as sale, targeted advertising, or profiling. Businesses are required to clearly present this opt-out option on their websites, typically within the privacy policy or privacy notice.

Many websites use cookie consent banners that include clear links or buttons that enable users to opt out of data processing. A consent management platform (CMP) like Usercentrics CMP can automate this process by managing cookies and other tracking technologies and blocking their use until the consumer gives consent, or by enabling opt-out, depending on the relevant legal model.

CMPs also enable websites to offer clear information to users regarding the types of data collected, the purposes for collection, and the third parties that might receive this data, in line with the MCDPA and other data privacy regulations.

Since there is currently no unified federal privacy law in the US, businesses that operate around the country and/or internationally likely need to comply with multiple state and international privacy regulations. CMPs can assist in this by customizing cookie banners based on the user’s location, helping businesses meet the requirements of state-level laws like the MCDPA as well as international regulations such as the GDPR.

Preparing for the Minnesota Consumer Data Privacy Act

Businesses operating in Minnesota have until the effective date of July 31, 2025, to prepare for compliance with the MCDPA. Those that are already compliant with privacy regulations in other states may find themselves ahead, as there are several overlapping requirements. However, businesses must also prepare for specific MCDPA provisions, such as the obligation to maintain data inventories and to document data privacy policies and processes. Integrating a privacy by design approach not only benefits compliance efforts but also enhances overall organizational operations.

Companies must assess whether they meet the MCDPA compliance thresholds, and, if applicable, take steps to provide users with clear opt-out options and accessible privacy notices. Using a Consent Management Platform (CMP) like Usercentrics CMP can assist in managing cookies on websites and apps.

As the MCDPA adapts to technological advancements and shifts in consumer expectations, it is crucial for businesses to consult with qualified legal professionals or data privacy experts, such as a Data Protection Officer, to maintain compliance.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.