Documentation

Table of Contents

Minnesota – Consumer Data Privacy Act (MCDPA)

Effective Date: July 31, 2025

The Minnesota Consumer Data Privacy Act (MCDPA) establishes new data privacy requirements for businesses operating in Minnesota or targeting residents of the state. This Act is designed to empower consumers with rights over their personal data while imposing specific obligations on entities handling such data.

Sensitive Data Definition

The MCDPA outlines specific types of personal data considered sensitive, including:

  1. Personal data revealing sensitive characteristics such as racial or ethnic origin, religious beliefs, health conditions, sexual orientation, or citizenship/immigration status.
  2. Biometric and genetic information used for uniquely identifying an individual.
  3. Personal data of children under 13 years old (a “known child”).
  4. Specific geolocation data.

A “known child” refers to an individual under 13, where the data controller has actual knowledge or willfully disregards the fact that the individual is a child.

Applicability

The MCDPA applies to businesses that meet the following thresholds:

  1. Control or process personal data of 100,000 consumers or more annually (excluding data processed solely for payment transactions).
  2. Derive over 25% of their gross revenue from the sale of personal data and process/control personal data of 25,000 consumers or more.

Non-profits are generally subject to the MCDPA unless they are focused on detecting and preventing fraudulent insurance activities.

Other applicability exceptions include state entities, federally recognized tribes, and certain compliance activities related to legal or regulatory requirements.

Consumers’ Rights

The MCDPA grants Minnesota residents several rights related to their personal data:

Access Personal Data: Consumers can confirm whether their data is being processed and access it.

Correction of Data: Consumers can request the correction of inaccurate data.

Deletion of Data: Consumers can request deletion of their personal data.

Data Portability: Consumers can request their data in a portable format, especially when automated processing is involved.

Opt-Out Rights: Consumers can opt out of data processing for targeted advertising, data sales, and profiling used for decisions with legal or significant effects.

Rights in relation to Profiling activities: Consumers subject to profiling may:

  • Challenge the profiling results.
  • Request information on the reason behind profiling decisions.
  • Review the data used in profiling and have it corrected if inaccurate.

Third-Party Disclosure: Consumers can request a list of third parties to whom their data has been disclosed.

Non-Discrimination: Consumers are protected from discrimination when exercising their rights.

    Consumers can exercise their rights through a request submission without the need to create an account (although an existing account may be used). Parents or legal guardians can act on behalf of minors under 13. Consumers may also designate an authorized agent to opt out of targeted advertising and data sales on their behalf.

    Requests must be fulfilled within 45 days, with an option for a 45-day extension. If a request is deemed excessive or unfounded, a reasonable fee may be charged.

    Controllers’ Obligations

    To comply with the MCDPA, businesses must:

    1. Data Minimization: Limit data collection to what is necessary for the intended purpose.
    2. Consent: Obtain explicit consent for processing personal data that is not necessary for the primary purposes disclosed in the privacy policy and for the processing of sensitive data.
    3. Processing Children’s Data: Obtain parental consent before processing data of children under 13, following COPPA.
    4. Data Security: Implement robust administrative, technical, and physical security measures to protect data.
    5. Privacy Notices: Provide clear, accessible privacy notices detailing the types of data processed, purposes for processing, and consumers’ rights.
    6. Data Retention: Do not retain personal data longer than necessary unless required by law.
    7. Opt-Out Mechanism: Allow consumers to opt out of the sale of their data and targeted advertising.
    8. Third-Party Contracts: Enter into agreements with processors to ensure compliance with the MCDPA.

    Small businesses must obtain prior consent before selling sensitive data. Additionally, businesses must notify consumers of any material changes to privacy practices and give them an opportunity to withdraw consent.

    Enforcement and Compliance

    In case of disputes, controllers must provide instructions on how consumers can contact the Minnesota Attorney General to file complaints. Controllers must also maintain records of all consumer requests and responses.

    To ensure compliance, businesses should regularly conduct data privacy assessments, especially for high-risk processing activities, and maintain documentation of their data protection measures.