On May 24, 2024, Governor Walz signed the recently passed Minnesota Consumer Data Privacy Act (“MCDPA” or “the Act”), making Minnesota the nineteenth state to enact a comprehensive data privacy law.  The MCDPA, effective July 31, 2025, provides robust protections for Minnesota consumers regarding the use and misuse of their personal data, while imposing new obligations on the organizations to which it applies.

Applicability: Who does the MCDPA Apply To?

The MCDPA applies to organizations conducting business in Minnesota or offering products/services to Minnesota residents that:

  1. During a calendar year control or process the personal data of at least 100,000 consumers (not including payment transaction data); or
  2. Derive over 25 percent of gross revenues from the sale of personal data and process or control the personal data of at least 25,000 Minnesota consumers.

Exemptions: Who’s Exempt?

Every state’s data privacy act exempts certain categories of organizations from compliance, and the MCDPA is no different. The Act exempts governmental entities, federally recognized Indian tribes, chartered banks and credit unions, and insurance companies. One of the MCDPA’s more unusual exemptions is for small businesses as defined by the United States Business Administration.

Beyond these exempted organizations, the MCDPA also exempts certain types of data, including data obtained for job applications or employment, emergency contact information, and data necessary to retain or administer benefits. More specifically, the MCDPA exempts information covered by certain enumerated federal statutes, including information regulated by the:

  • Gramm-Leach-Bliley Act (consumer financial information)
  • Driver’s Privacy Protection Act (personal information of licensed drivers)
  • Family Educational Rights and Privacy Act (educational records)
  • Fair Credit Reporting Act (information held by consumer reporting agencies)
  • Farm Credit Act, governed by the
  • Health Insurance Portability and Accountability Act (protected health insurance information)

The Act also exempts nonprofit organizations established to detect and prevent insurance fraud.

Consumer Rights under the MCDPA

Like other states’ data privacy acts, the MCDPA grants consumers a plethora of new personal data rights. Under the Act, a “consumer” is defined as a natural person or legal person who is a Minnesota resident acting only in an individual or household capacity, and who is not acting in a commercial or employment context. The Act provides consumers the right to:

  • Confirm whether a controller is processing their personal data and, if so, access the personal data being processed,
  • Correct inaccurate personal data,
  • Delete personal data concerning the consumer,
  • Obtain personal data concerning the consumer in a usable, portable format, and
  • Opt out of the processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling by automated decision-making systems, and may do so via authorized agents or technological means such as an internet link, browser setting, or other device indicating the consumer’s intention to opt out.

Additionally, consumers can challenge profiling decisions that produce legal effects. In such cases, the consumer has the right to:

  1. Question the result of the profiling,
  2. Be informed of the reason the profiling resulted in the decision, and
  3. If feasible, be informed of what actions the consumer may have taken to secure a different decision, and what actions might result in a different decision in the future.

Finally, consumers have the right to review the information used in the profiling decision, and if found to be incorrect, the consumer has the right to have the information corrected and the profiling decision reevaluated based on the corrected information.

How Consumers Exercise their Rights

Data controllers must provide at least one secure and reliable means for consumers to submit a request to exercise their rights. Additionally, controllers must comply with a consumer’s request to exercise their rights no later than 45 days after receipt of the consumer’s request. Action on such a request may be extended one time, when reasonably necessary, by an additional 45 days. Any information provided by a controller to a consumer is to be provided free of charge, but not more than twice annually. The MCDPA prohibits controllers from providing certain sensitive information (e.g., social security numbers, driver’s license numbers, financial and health account numbers, and biometric data) to consumers in response to requests for information.

To address instances where a controller refuses to take action after receiving a consumer request, the controller must establish an appeals process that is conspicuously available to consumers. Upon receipt of a consumer appeal, if the controller still refuses to take action, it must provide the consumer with information about how to file a complaint with the Office of the Attorney General. Controllers must maintain records of all such appeals for at least 24 months and provide a copy to the Attorney General upon written request.

MCDPA Obligations on Controllers

Along with expanded consumer rights, the MCDPA expands the obligations that apply to controllers and processors. Most fundamentally, the MCDPA requires controllers to provide consumers with a clear and meaningful privacy notice that includes:

  • The categories of personal data processed by the controller;
  • The purpose for which the personal data is processed;
  • An explanation of consumers’ rights and how to exercise those rights;
  • The categories of personal data sold or shared with third parties;
  • The categories of third parties to whom the personal data is sold or shared;
  • The controller’s contact information, including an active email address or an online mechanism providing contact information;
  • A description of the controller’s retention policies for personal data; and
  • The date the privacy notice was last updated.

If the controller sells consumers’ personal data to third parties, processes personal data for targeted advertising, or conducts further processing relating to decisions that have legal or other significant effects concerning a consumer, then the controller must disclose such processing in its privacy notice and provide access to a clear and conspicuous method outside the privacy notice to allow consumers to opt out of the disclosed sale, processing, or profiling. This privacy notice may include a hyperlink clearly labeled “Your Opt-Out Rights” or “Your Privacy Rights,” that is configured to accomplish the opt-out or take consumers to a separate webpage where the opt-out request can be made.

Controllers must also provide a universal opt-out mechanism, which allows consumers to opt out of any processing of the consumer’s data for purposes of targeted advertising. Such mechanisms that have been approved by other states are deemed to comply with the MCDPA.

Privacy Notices Under MCDPA

Privacy notices under the MCDPA must be provided in each language for which the controller provides a product or service that is subject to the notice or carries out related products or services. The notices must be reasonably accessible to and usable by individuals with disabilities. They do not, however, have to be specific to Minnesota consumers provided the general privacy notice meets all of the MCDPA’s requirements.

Beyond notice obligations, the MCDPA imposes other obligations on controllers, including:

  • Limiting the collection of personal data to what is adequate, relevant, and reasonably necessary.
  • Establishing, implementing, and maintaining appropriate security practices to protect the confidentiality, integrity, and accessibility of personal data.
  • Not processing sensitive data concerning a consumer without obtaining the consumer’s consent, or in the case of a known child, consistent with the Children’s Online Privacy Protection Act. Controllers also must provide a mechanism for a consumer or parent/guardian of a child to revoke previously given consent to process sensitive data.
  • Controllers may not sell or process the personal data of a consumer for targeted advertising without consent when the consumer is between 13 and 16 years of age.
  • Controllers may not possess a consumer’s personal data that is no longer relevant unless required by law to maintain the data.

The MCDPA also obligates controllers to conduct a privacy assessment addressing certain processing activities, including targeted advertising, the sale of personal data, and processing activities that involve foreseeable risk of:

  1. Unfair or deceptive treatment,
  2. Financial, physical, or reputational injury to consumers,
  3. Intrusion on a consumer’s solitude or private affairs, or
  4. Other substantial harm to consumers.

The assessment must weigh the benefits of the processing against the potential risks to the rights of the consumer. The Minnesota Attorney General has the right to demand disclosure of and to evaluate controllers’ data privacy assessments. Under the MCDPA, privacy assessments prepared for other states may be acceptable provided they have similar scope and effect.

Enforcement of the MCDPA

The MCDPA does not provide a private right of action for violations but is instead enforced exclusively by the Minnesota Attorney General. Violations prompt a letter from the Attorney General, giving the controller 30 days to cure the violation. The 30-day cure period is temporary and expires on January 31, 2026. Unresolved violations can lead to enforcement proceedings and civil penalties up to $7,500 per violation, plus reasonable attorneys’ fees.

Conclusion

With the passage of the MCDPA, Minnesota becomes the latest state to enact a comprehensive data privacy law. As more states continue to pass similar laws, the likelihood of a federal data privacy law that will harmonize the current patchwork of state laws continues to grow. If your organization has questions about how to comply with this rapidly changing regulatory environment, please reach out to Chris Young at Larkin Hoffman.