The Minnesota Consumer Data Privacy Act (MCDPA) is one more state law regulating consumer privacy in the United States. The new state law establishes data privacy rights for Minnesota residents and sets compliance obligations for businesses that collect or process personal data.
The MCDPA took effect on July 31, 2025.
The MCDPA is more user-oriented than business-friendly, and it strongly favors consumer empowerment and data control. Key user-focused features include:
- Broad consumer rights.
- Opt-out rights for targeted advertising, data sales, and profiling.
- Need for explicit consent for processing sensitive personal data.
- Detailed transparency requirements.
However, the new data privacy law is also designed with a balanced compliance approach, meaning that companies don’t face an excessive burden in achieving compliance. The MCDPA includes measures that make compliance easier for businesses, including:
- Clear applicability thresholds that exempt many small operations.
- No private right of action.
- Cure period of 30 days to fix compliance issues before penalties are imposed.
- Alignment with other state laws, such as the Colorado Privacy Act, setting similar requirements for multi-state compliance.
What Is the Minnesota Consumer Data Privacy Act?
The Minnesota Consumer Data Privacy Act (MCDPA) is the state’s data privacy law that protects the privacy rights of Minnesota residents and establishes data privacy responsibilities for businesses operating in the state or offering goods or services to Minnesota residents.
Effective date: July 31, 2025.
The MCDPA regulates how businesses can collect, store, and use the personal data of Minnesota residents. The law sets specific standards for user consent, data access, and consumer rights.
The law requires businesses to get explicit user consent for collecting and managing sensitive personal data of Minnesota consumers.
Who Must Comply with the Minnesota Consumer Data Privacy Act?
The MCDPA applies to organizations that conduct business in Minnesota or target Minnesota residents, and that meet one or more of the following criteria:
- Control or process the personal data of at least 100,000 consumers in a calendar year, except for completing payment transactions.
- Control/process the personal data of 25,000 consumers or more and gain more than 25% of revenue from the sale of personal data.
Exemptions to the MCDPA
MCDPA grants exemptions to certain entities, including:
- Nonprofits and government agencies
- Financial institutions covered by the Gramm-Leach-Bliley Act (GLBA)
- Healthcare providers and data already regulated by HIPAA
- State or federally chartered banks
- Employment-related data
- Insurance companies
- Federally recognized Indian tribes
- Small businesses, as defined by the U.S. Small Business Administration.
However, small businesses need opt-in consent to sell sensitive data.
Unlike most state laws, Minnesota does not exempt institutions of higher education and offers a narrower nonprofit exemption.
Key Rights Granted to Minnesota Consumers
The Minnesota Consumer Data Privacy Act grants Minnesota residents several data privacy rights to protect their personal data and manage how it is used.
Minnesota consumers have the following rights:
- Right to access: consumers can confirm whether the controller is processing their personal data and can access this data, with some exceptions.
- Right to correction: consumers can request to correct any inaccuracies in their personal data, considering the nature of the personal data and purposes of processing.
- Right to deletion: consumers can request the deletion of their personal data, with some exceptions.
- Right to data portability: where the processing is carried out by automated means, consumers can obtain a copy of their personal data they previously shared with a business, in a portable and readily usable format, with some exceptions.
- Right to information: consumers can obtain a list of specific third parties to whom the controller has disclosed their personal data.
- Right to opt out: consumers can opt out of the processing of their personal data for the purposes of the sale, targeted advertising, or profiling.
Businesses must respond to consumer requests within 45 days, with limited extensions in complex cases, and must do so free of charge twice annually per person.
Core Business Obligations Under the MCDPA
Minnesota’s new data privacy law sets several crucial steps for businesses to comply with the MCDPA. The MCDPA outlines specific obligations for both data controllers and processors of personal data.
The key responsibilities under Minnesota’s data privacy law include:
- Data minimization
  Limit the collection of personal data to what is adequate, relevant or necessary to fulfil the purpose disclosed to the consumer.
- Purpose limitation
  Don’t use the collected data for any purposes other than those disclosed to the consumer. Do not retain personal data that is no longer relevant or necessary for its original purpose unless required by law.
- Transparency and privacy notices
  Provide clear privacy notices that explain what data is collected and why. The privacy notice should include:
  - The categories of personal data processed and the purposes for processing.
  - The categories of personal data sold to or shared with third parties, if any.
  - A list of all third parties receiving such data.
  - Methods for consumers to exercise their rights.
  - The controller’s contact information and the date the privacy notice was last updated.
- Security safeguards
  Implement and maintain reasonable administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of personal data.
- Sensitive data processing
  Obtain explicit consent before processing sensitive personal data.
- Data Privacy and Protection Assessments (DPPAs)
  Conduct data protection assessments for high-risk processing activities. These activities include targeted advertising, selling personal data, processing sensitive data, and high-risk profiling. Unlike other states’ laws, Minnesota’s law sets clear requirements for DPPAs, including details about the data involved, processing context, and a reference to the controller’s documented compliance procedures.
- Global opt-outs
  The MCDPA requires businesses to recognize universal opt-out signals.
Consent Requirements Under the MCDPA
Businesses must obtain explicit consent before processing sensitive personal data, including racial or ethnic origin, religious beliefs, health information, sexual orientation, biometric or genetic data, and precise geolocation.
For children under 13, businesses must obtain valid consent from their parents or legal guardians.
Explicit consent is also necessary for processing the personal data of individuals between 13 and 16 years of age for targeted advertising, sale, and profiling of personal data.
All businesses, including small businesses, must obtain consumer consent to sell sensitive personal data.
Consumers have the right to revoke their consent at any time. Businesses must provide convenient methods to revoke consent. Upon revocation, businesses must stop processing the personal data within 15 days.
What Is Personal Data Under the Minnesota Consumer Data Privacy Act?
The Minnesota Consumer Data Privacy Act defines personal data as any information that is linked or is reasonably linkable to an identified or identifiable person.
Personal data does not include publicly available information or anonymized data.
MCDPA also defines sensitive personal data. Sensitive personal data includes:
- racial or ethnic origin
- religious beliefs
- health information
- sexual orientation
- biometric or genetic data
- citizenship or immigration status
- precise geolocation
- personal data of a known child.
Businesses must obtain explicit consent before processing sensitive personal data.
Enforcement of the MCDPA
The Minnesota Attorney General is solely responsible for enforcing the MCDPA.
Businesses suspected of violation will receive a warning letter and a 30-day cure period to address non-compliance before penalties are applied.
The 30-day cure provision is temporary and is valid until January 31, 2026. After this date, the Attorney General will no longer be required to provide a warning letter and an opportunity to cure before pursuing enforcement.
The Minnesota Consumer Data Privacy Act does not include a private right of action, meaning that individuals cannot bring lawsuits directly under the law.
Penalties for Non-Compliance
If violations remain uncorrected after the warning period, the Minnesota Attorney General may initiate legal action and seek civil penalties of up to $7,500 per violation.
The Attorney General can pursue legal action if a business:
- Does not respond to consumer rights requests.
- Processes data without valid consent.
- Does not implement security measures or transparency requirements.
Beyond financial consequences, failure to comply with the MCDPA could result in reputational damage and/or loss of user trust, which could be more difficult to regain.
Checklist for Minnesota Consumer Data Privacy Act Compliance
Use this quick compliance checklist to prepare for MCDPA compliance:
- Limit data collection
  Collect only personal data that is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer. Don’t retain personal data longer than necessary.
- Collect valid consent
  Obtain explicit consent before processing sensitive personal data. Explicit consent is also necessary for processing the personal data of individuals between 13 and 16 years of age for targeted advertising, sale, and profiling of personal data.
- Maintain a data inventory
  Unlike many other state privacy laws, the MCDPA explicitly requires controllers to maintain an inventory of personal data. Identify and categorize personal and sensitive data and keep it up to date.
- Transparency and privacy notices
  Update your Privacy Policy and consent banners.
- Implement opt-out opportunities
  Implement a mechanism for consumer rights requests. Enable consumers to opt out of the sale of personal data, targeted advertising, and profiling that results in significant effects. Clearly present these opt-out opportunities.
- Perform Data Privacy and Protection Assessments
  Conduct DPPAs for targeted advertising, selling personal data, processing sensitive data, and high-risk profiling. Unlike other state laws, the MCDPA provides detailed content requirements for DPPAs, including details about the data involved, processing context, and a reference to the controller’s documented compliance procedures.
- Implement data security practices
  Implement and maintain reasonable administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of personal data against unauthorized access or data breach.
- Train employees on privacy and security protocols and don't discriminate against consumers
  Don’t discriminate against consumers based on their exercise of rights. In addition, don’t process personal data in a discriminatory manner based on race, color, ethnicity, religion, national origin, sex, gender, sexual orientation, familial status, income source, or disability when offering housing, employment, credit, education, or other goods or public accommodations.
- Data processing agreements
  Sign binding contracts with data processors that clearly define the scope of processing activities, the nature of the data involved, and the processor’s obligations.
- Implement a CMP
  Use a Consent Management Platform (CMP) for consent collection, storage, and automating proof of consent.
How Can CookieScript Help to Comply with the MCDPA?
Use a professional Consent Management Platform (CMP) to comply with the MCDPA and other data privacy laws.
CookieScript Consent Management Platform (CMP) comes with a Cookie Banner, Cookie Scanner, Privacy Policy Generator, script manager, and user consent manager. It recognizes the Global Privacy Control signal, detects and categorizes cookies, local storage, session storage, and other trackers, and automatically blocks Third-Party Cookies, so you can be sure your website is compliant with the MCDPA and other privacy regulations 100%!
In 2024, CookieScript CMP was ranked by users as the best CMP on the peer-review site G2.
It also received a GOLD Tier in the New Google Tiering System.
CookieScript CMP can help you comply with the MCDPA and avoid penalties for violating the law.
Try a free 14-day trial of CookieScript CMP.
Frequently Asked Questions
What is the Minnesota Consumer Data Privacy Act?
The Minnesota Consumer Data Privacy Act (MCDPA) is the state’s data privacy law that protects the privacy rights of Minnesota residents and establishes data privacy responsibilities for businesses operating in the state or offering goods or services to Minnesota residents. It took effect on July 31, 2025. Use CookieScript CMP to comply with the MCDPA.
Who does the Minnesota Consumer Data Privacy Act apply to?
The MCDPA applies to organizations that conduct business in Minnesota or target Minnesota residents, and that either control or process the personal data of at least 100,000 consumers in a calendar year, except for completing payment transactions, or control/process the personal data of 25,000 consumers or more and gain more than 25% of revenue from the sale of personal data.
What rights do Minnesota consumers have under the MCDPA?
Minnesota residents gain key privacy rights under the MCDPA, including the rights to access, correct, delete, and port their personal data, and to obtain a list of specific third parties with whom the data is shared. They can also opt out of data processing for targeted advertising, profiling, or data sales. Businesses must respond to consumer requests within 45 days.
How can businesses comply with the MCDPA?
To comply with the MCDPA, businesses must limit data collection, collect valid consent and implement opt-out opportunities, maintain a data inventory, respect transparency and provide privacy notices, perform Data Privacy and Protection Assessments, implement data security practices and train employees on privacy and security protocols, not discriminate against consumers, sign binding data processing agreements, and implement a Consent Management Platform (CMP) like CookieScript to manage consent collection and proof.
What are the penalties for violating the MCDPA?
Non-compliance with the MCDPA can result in civil penalties of up to $7,500 per violation, enforced by the Minnesota Attorney General. Businesses suspected of violation will receive a warning letter and a 30-day cure period to address non-compliance before penalties are applied. The 30-day cure provision is temporary and is valid until January 31, 2026. Repeated or willful violations may lead to stricter enforcement actions.
How does the Minnesota Consumer Data Privacy Act compare to other state privacy laws?
The MCDPA is similar in structure to the Colorado Privacy Act (CPA) and Virginia’s VCDPA. The MCDPA is more user-oriented than business-friendly, emphasizing consent and transparency. However, it is also designed with a balanced compliance approach, meaning companies don't face an excessive burden in achieving compliance. The MCDPA doesn’t provide a private right of action, and businesses have a cure period.