Minnesota’s first broad consumer privacy law is now in force, and the business owners I advise ask the same two questions: does it reach my company, and what do I do first? The Minnesota Consumer Data Privacy Act (“MCDPA”), Minn. Stat. § 325M.10, took effect July 31, 2025, and it asks covered companies for two things many privacy laws only imply: a written inventory of the personal data they hold, and a documented assessment before certain higher-risk uses of that data. In my practice, the companies that struggle are rarely the ones with bad intentions; they are the ones that never mapped where their customer data actually lives. For the underlying rules, see the basics of the Act; for related work, see the compliance side of my practice.

Who must comply with the Minnesota Consumer Data Privacy Act?

The MCDPA applies to a company that does business in Minnesota or targets Minnesota residents and, in a calendar year, either “controls or processes personal data of 100,000 consumers or more” or “derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.” Minn. Stat. § 325M.12, subd. 1.

Two features narrow that reach. First, the Act protects a “consumer,” meaning a Minnesota resident, and it excludes anyone “acting in a commercial or employment context,” so your business contacts and your own employees do not count toward the thresholds. Minn. Stat. § 325M.11. Second, the law carves out entities and data already governed elsewhere: government bodies, banks and other institutions regulated under federal financial-privacy law, small businesses as defined by the U.S. Small Business Administration, and data covered by federal health-privacy, credit-reporting, and student-records statutes. Minn. Stat. § 325M.12, subd. 2. Even an excluded small business still may not sell sensitive data without consent. Minn. Stat. § 325M.17.

For a company below the thresholds, the practical answer is often this: you are not directly covered, but you will still feel the Act through your customers’ contracts. A covered business that hires you to handle its data must push these duties down to you by contract. So the real question for many mid-sized Minnesota companies is not only “am I a controller?” but “am I a vendor to one?” For the broader picture of who the law covers, see Minnesota’s consumer privacy obligations for businesses.

What does the MCDPA data inventory requirement involve?

The MCDPA requires a controller to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices . . . including the maintenance of an inventory of the data that must be managed to exercise these responsibilities.” Minn. Stat. § 325M.16, subd. 2(c). In plain terms: you cannot protect data you have never catalogued.

Minnesota wrote the inventory directly into the statute, which turns it into a record a regulator can ask to see, not just good hygiene. A workable inventory answers five questions for every category of personal data the company touches: what you collect, why you collect it, where it lives (which systems, which vendors, which spreadsheets), who you share it with, and how long you keep it. The security practices must be “appropriate to the volume and nature of the personal data at issue,” so a company holding payment-card and health-adjacent data carries a heavier load than one holding email addresses. Minn. Stat. § 325M.16, subd. 2(c).

In my practice, the inventory is where I send every client first, because it does double duty. It is the record the Act demands, and it is what makes every other obligation possible: you cannot answer a deletion request, honor an opt-out, or write an honest privacy notice until you know what you hold and where it sits. The inventory is also the backbone of breach response. If a system is compromised, knowing what data lived there is the difference between a contained notice and a guess, which is why the inventory and Minnesota’s separate data breach notification law work as a pair.

When does my business need a data protection assessment?

A controller must conduct and document a data privacy and protection assessment before five kinds of processing: targeted advertising; the sale of personal data; the processing of sensitive data; “any processing activities involving personal data that present a heightened risk of harm to consumers”; and profiling that carries a reasonably foreseeable risk of harm. Minn. Stat. § 325M.18, paragraph (b).

The trigger is the activity, not the company’s size. If you run retargeting ads, sell or share data for value, handle health, biometric, or precise-location data, or score people with an algorithm that affects what they pay or whether they qualify, you are in assessment territory. Targeted advertising is the trap businesses miss most often, because the pixels and ad-network tags behind ordinary digital marketing can meet the statutory definition without anyone deciding to “sell” anything. Before you expand a marketing program, it pays to read Minnesota’s rules on commercial email marketing alongside this requirement. The assessment is not a one-time form: a new data use, a new ad platform, or a new profiling model is a new activity, and the Act expects a fresh assessment for each.

What must a data protection assessment contain?

A data privacy and protection assessment must “identify and weigh the benefits that may flow . . . from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer,” as reduced by safeguards the controller can use. Minn. Stat. § 325M.18, paragraph (d).

In practice the assessment is a short, honest memo. It describes the processing, states the business purpose, identifies the categories of data (and whether any of it is sensitive), names the risks to the people whose data it is, and explains the safeguards that bring those risks down. The Act also tells controllers to “document and maintain a description of the policies and procedures” adopted to comply, so the assessment lives inside a written program rather than a lone file. Minn. Stat. § 325M.18, paragraph (a).

Two points give the assessment teeth. First, the attorney general can demand it. Through a civil investigative demand (a formal records request issued in an investigation), the attorney general may require a controller to hand over any assessment relevant to that investigation, though the statute treats the assessment as nonpublic and preserves attorney-client privilege and work-product protection. Minn. Stat. § 325M.18, paragraph (f). Second, you may not have to start from scratch: an assessment you already run for another law or standard can count here if it has a similar scope and effect. Minn. Stat. § 325M.18, paragraph (g). A company with a mature security program can often adapt what it already keeps.

What are a controller’s core responsibilities under the MCDPA?

Beyond the inventory, a controller’s core duties include giving consumers a “reasonably accessible, clear, and meaningful privacy notice”; collecting only data that is “adequate, relevant, and reasonably necessary”; obtaining consent before processing sensitive data; and not penalizing a consumer for exercising a right. Minn. Stat. § 325M.16.

The privacy notice carries real content. It must state the categories of data you process and why, the categories you sell or share and with whom, your retention policy, your contact information, the date it was last updated, and how a consumer can exercise rights and appeal a denial. Minn. Stat. § 325M.16, subd. 1. Data minimization is the quiet sleeper: the less you collect and keep, the smaller every other duty becomes, which is why I treat “reasonably necessary” as a design rule, not a slogan. Minn. Stat. § 325M.16, subd. 2(a).

Sensitive data deserves its own attention. A controller “may not process sensitive data concerning a consumer without obtaining the consumer’s consent,” and for a known child the parent or guardian must consent. Minn. Stat. § 325M.16, subd. 2(d). Sensitive data covers health conditions, biometric identifiers, precise geolocation, and a handful of other categories, so the duty reaches more businesses than the label suggests. If you scan fingerprints for timekeeping or collect health information from customers, the consent rule applies, and the analysis runs parallel to biometric and other sensitive-data obligations under Minnesota law. The Act also bars discrimination against a consumer for exercising a right, such as denying service or charging a different price. Minn. Stat. § 325M.16, subd. 3.

How do I build a process for the consumer rights the MCDPA grants?

Minnesota consumers can confirm and access their data, correct it, delete it, take a portable copy, opt out of targeted advertising, sale, and profiling, and obtain “a list of the specific third parties” that received their data. A controller must answer a request no later than 45 days after it arrives. Minn. Stat. § 325M.14, subd. 1 and subd. 4.

Two of these rights are unusual and worth building for now. The right to a list of specific third parties means a consumer can ask exactly who received their data, not just the categories, so your inventory has to track recipients at a useful level of detail. And when profiling drives a decision with legal or similarly significant effects, the consumer “has the right to question the result of the profiling, to be informed of the reason” for it, and to review the data used. Algorithmic scoring that affects pricing, credit, or eligibility now comes with an explanation duty.

Operationally, you need three things: a way for consumers to submit requests, a process to verify identity and respond no later than 45 days after receipt, and an internal route to appeal a denial. Minn. Stat. § 325M.14, subd. 4 and subd. 5. The opt-out rights deserve special care, because honoring an opt-out of sale or targeted advertising means your ad and analytics vendors have to stop too. This is where casual data practices get expensive: a company that has quietly shared a customer list without consent, or that runs employee or customer monitoring that crosses privacy lines, discovers the gap only when the first request lands.

What do my vendor contracts need under the MCDPA?

When another company processes personal data for you, the MCDPA requires a binding written contract. It “shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.” Minn. Stat. § 325M.13, paragraph (c).

The Act splits the world into controllers, who decide why and how data is processed, and processors, who handle it on the controller’s instructions; the required terms bind the processor. Minn. Stat. § 325M.11. The processor must keep each person handling the data under a duty of confidentiality and may bring in a subcontractor only “pursuant to a written contract” that passes the same duties down. Minn. Stat. § 325M.13, paragraph (c). The contract must also let the controller verify compliance: the processor has to “delete or return all personal data to the controller . . . at the end of the provision of services,” make available “all information necessary to demonstrate compliance,” and “allow for, and contribute to, reasonable assessments and inspections.” Minn. Stat. § 325M.13, paragraph (e).

Two practical moves follow. First, the controller stays responsible: a contract allocates the work, it does not transfer the duty, so signing a vendor’s standard addendum without reading it is a mistake I see often. Treat these like any other vendor contract risk you manage, and look hard at the SOC 2 clauses when you select a vendor and at the return-or-destroy clauses that decide what happens to your data when the relationship ends. Second, your own customers will hand you their data processing addendum to sign. Read it against this same list before you agree, because the terms they need from you are the terms you need from your vendors.

How is the MCDPA enforced now that the cure period has expired?

The Minnesota Attorney General alone enforces the MCDPA. A violator faces an injunction and “a civil penalty of not more than $7,500 for each violation,” Minn. Stat. § 325M.20, paragraph (c), and the early grace period to fix problems has ended.

When the law first took effect, the attorney general had to send a warning letter and allow 30 days to cure before suing. That cushion was temporary. By its own terms, the cure provision “expires January 31, 2026,” which means the attorney general may now bring an enforcement action without a warning letter or a guaranteed chance to fix the problem first. Minn. Stat. § 325M.20, paragraph (a). The penalty runs per violation, and in a data program one bad practice can repeat across thousands of records, so exposure adds up quickly.

The Act creates no private right of action, so the risk is regulatory, not class-action: individuals cannot sue under it, and enforcement runs through the attorney general. Minn. Stat. § 325M.20, paragraph (d). No Minnesota court has yet interpreted the Act, so the statute’s text is the whole map for now. That is an argument for doing the unglamorous work early: the inventory, the assessments, the contract terms. It is also worth using contracts to allocate risk among the parties who touch the data, including indemnification for downstream data-breach liability when a vendor’s failure becomes your problem.

Does the MCDPA apply if my company only handles employee and business-to-business data?

Generally no. The Act protects a consumer, which Minnesota defines as a resident acting in an individual or household context, and it expressly excludes anyone acting in a commercial or employment context. Data about your employees and your business contacts does not count toward the coverage thresholds. If you also collect personal data from individual customers, that data is covered, so many companies sit on both sides of the line.

Do I have to respond to a privacy request from someone who is not a Minnesota resident?

Not under this law. The Minnesota Consumer Data Privacy Act gives rights to Minnesota residents, so an out-of-state requester cannot compel a response under it. As a practical matter, many companies honor every request rather than verify residency each time, and other states’ privacy laws may impose their own duties. When you do answer a covered request, the Act expects a response no later than 45 days after you receive it.

Do I need consent before collecting a customer’s health or biometric data?

Yes. Health conditions and biometric identifiers are sensitive data under the Minnesota Consumer Data Privacy Act, and a controller may not process sensitive data without the consumer’s consent. For a known child, a parent or guardian must consent. Sensitive data also includes precise geolocation and several other categories, so check what you actually collect before assuming the consent rule does not reach your business.

Should I sign a vendor’s standard data processing addendum as written?

Not before checking it. The Act requires specific terms in any controller-processor contract, and the controller stays responsible even after signing. Read the addendum against the statute’s list: processing instructions, confidentiality, deletion or return of data, proof of compliance, and subcontractor controls. Your operations lead or the vendor’s own counsel can do the first read, and a short legal check of the gaps is usually all you need.

Can the attorney general penalize my business without giving me a chance to fix the problem?

Yes, now. When the law first took effect, the attorney general had to send a warning letter and allow 30 days to cure before suing. That provision expired January 31, 2026, so the attorney general may bring an enforcement action without a mandatory cure period. Penalties run up to $7,500 per violation, and because one practice can repeat across many records, the total can climb fast.

Is a small business completely exempt from the MCDPA?

Almost, but not entirely. A small business as defined by the U.S. Small Business Administration is excluded from most of the Act’s obligations, but it still may not sell a consumer’s sensitive data without that consumer’s prior consent. And “small” is a Small Business Administration size question, not a headcount guess, so confirm your status before relying on the exemption.

The MCDPA rewards companies that do the basic work and exposes those that improvise. Build the inventory first, because every other duty depends on knowing what data you hold and where it lives. Run assessments before high-risk uses, write the required terms into your vendor contracts, and stand up a real process for consumer requests. None of this demands perfection on day one; it demands a written record that you took the obligations seriously. For related work, see the regulatory compliance side of my practice. If you would like a second set of eyes on how the Act applies to your specific data practices, email [email protected] with a short description of what your company collects and the kinds of data contracts you have.