Minnesota has joined the growing list of states enacting comprehensive consumer data privacy legislation. The Minnesota Consumer Data Privacy Act (MCDPA), signed into law on May 24, 2024, will take effect on July 31, 2025. This law introduces significant obligations for businesses handling personal data of Minnesota residents.
Who Must Comply with the MCDPA?
The MCDPA applies to businesses that:
- Control or process personal data of at least 100,000 Minnesota consumers annually; or
- Derive over 25% of gross revenue from the sale of personal data while processing data for at least 25,000 Minnesota consumers.
The MCDPA applies to the collection and processing of personal data about Minnesota residents acting in an individual or household context. “Personal data” is broadly defined to include any information that is linked or reasonably linkable to an identified or identifiable individual. This may include names, email addresses, device identifiers, IP addresses, geolocation data, and biometric information.
The MCDPA contains several important exemptions. To name a few, the law does not apply to small businesses as defined by the U.S. Small Business Administration, unless those businesses sell sensitive data, in which case opt-in consent is still required. The law also excludes data processed in an employment context, meaning personal data collected solely in the course of hiring and managing personnel is not subject to the MCDPA’s consumer rights framework. In addition, entities and data already subject to federal privacy laws such as HIPAA, GLBA, or FERPA are generally exempt to the extent they overlap.
Consumer Rights
Minnesota consumers are granted several rights concerning their personal data:
- Right to Access: Consumers can confirm if a business is processing their data and access that data.
- Right to Correction: Consumers may request corrections to inaccurate personal data.
- Right to Deletion: Consumers can request deletion of their personal data.
- Right to Obtain: Consumers can obtain a copy of their data in an accessible format.
- Right to Opt-Out: Consumers can opt out of targeted advertising, the sale of personal data, and certain profiling activities.
- Right to Appeal: If a business denies a consumer’s request, the consumer can appeal the decision.
A unique aspect of the MCDPA is the right for consumers to question the results of profiling decisions, including understanding the reasoning behind such decisions and how to achieve different outcomes.
Compliance Requirements
Businesses subject to the MCDPA must undertake several actions to ensure compliance:
- Data Inventories: Maintain comprehensive records of personal data collected and processed.
- Privacy Notices: Provide clear and accessible privacy notices detailing data collection practices and consumer rights.
- Data Protection Assessments: Conduct assessments for processing activities that present heightened risks, such as targeted advertising or processing sensitive data.
- Contractual Agreements: Establish contracts with data processors outlining processing instructions, confidentiality obligations, and compliance requirements.
- Security Measures: Implement reasonable administrative, technical, and physical safeguards to protect personal data.
Enforcement and Penalties
The Minnesota Attorney General has exclusive authority to enforce the MCDPA. Penalties for non-compliance can reach up to $7,500 per violation. Until January 31, 2026, businesses have a 30-day period to cure alleged violations before enforcement actions proceed. Postsecondary institutions governed by the Office of Higher Education have until July 31, 2029 to comply with the MCDPA.
Next Steps for Businesses
With the MCDPA’s effective date approaching, businesses should:
- Assess whether they fall within the scope of the MCDPA.
- Review and update data collection and processing practices.
- Develop or revise privacy policies and notices to align with MCDPA requirements.
- Implement mechanisms for consumers to exercise their rights.
- Train staff on data privacy obligations and consumer rights under the MCDPA.
Conclusion
The Minnesota Consumer Data Privacy Act marks a significant development in the state’s approach to data privacy regulation. Given the law’s complexity and broad scope, businesses may find it difficult to determine whether they are subject to its requirements—and if so, how best to comply. While the statute provides an initial 30-day cure period for alleged violations, businesses should not wait for an enforcement letter from the Attorney General to take action. Proactive compliance is the most effective way to reduce legal risk and demonstrate good faith in handling consumer data.