Effective Date: July 31, 2025
The Minnesota Consumer Data Privacy Act (MCDPA) establishes new data privacy requirements for businesses operating in Minnesota or targeting residents of the state. This Act is designed to empower consumers with rights over their personal data while imposing specific obligations on entities handling such data.
The MCDPA outlines specific types of personal data considered sensitive, including:
A “known child” refers to an individual under 13, where the data controller has actual knowledge or willfully disregards the fact that the individual is a child.
The MCDPA applies to businesses that meet the following thresholds:
Non-profits are generally subject to the MCDPA unless they are focused on detecting and preventing fraudulent insurance activities.
Other applicability exceptions include state entities, federally recognized tribes, and certain compliance activities related to legal or regulatory requirements.
The MCDPA grants Minnesota residents several rights related to their personal data:
Access Personal Data: Consumers can confirm whether their data is being processed and access it.
Correction of Data: Consumers can request the correction of inaccurate data.
Deletion of Data: Consumers can request deletion of their personal data.
Data Portability: Consumers can request their data in a portable format, especially when automated processing is involved.
Opt-Out Rights: Consumers can opt out of data processing for targeted advertising, data sales, and profiling used for decisions with legal or significant effects.
Rights in Relation to Profiling Activities: Consumers subject to profiling may:
Third-Party Disclosure: Consumers can request a list of third parties to whom their data has been disclosed.
Non-Discrimination: Consumers are protected from discrimination when exercising their rights.
Consumers can exercise their rights by submitting a request, without needing to create an account (although an existing account may be used). Parents or legal guardians can act on behalf of minors under 13. Consumers may also designate an authorized agent to opt out of targeted advertising and data sales on their behalf.
Requests must be fulfilled within 45 days, with an option for a 45-day extension. If a request is deemed excessive or unfounded, a reasonable fee may be charged.
To comply with the MCDPA, businesses must:
Small businesses must obtain prior consent before selling sensitive data. Additionally, businesses must notify consumers of any material changes to privacy practices and give them an opportunity to withdraw consent.
In case of disputes, controllers must provide instructions on how consumers can contact the Minnesota Attorney General to file complaints. Controllers must also maintain records of all consumer requests and responses.
To ensure compliance, businesses should regularly conduct data privacy assessments, especially for high-risk processing activities, and maintain documentation of their data protection measures.