The Minnesota Consumer Data Privacy Act (MCDPA), codified at Minn. Stat. §§ 325M.10–325M.21, applies to businesses that conduct business in Minnesota and either process personal data of 100,000 or more consumers per year or process data of 25,000 or more consumers while deriving over 25 percent of gross revenue from selling personal data. The law took effect July 31, 2025, and the Attorney General began full enforcement—without a mandatory warning period—on January 31, 2026.

That is the short version. The rest of this guide explains what the MCDPA requires, who it exempts, what penalties apply, and the concrete steps Minnesota business owners should take to comply.

Does the MCDPA Apply to Your Business?

The MCDPA applies to any legal entity that conducts business in Minnesota or produces products or services targeted to Minnesota residents, provided the entity meets one of two thresholds during a calendar year:

Threshold | Requirement
Volume threshold | Controls or processes personal data of 100,000 or more Minnesota consumers (excluding data processed solely to complete a payment transaction)
Revenue threshold | Derives over 25 percent of gross revenue from the sale of personal data AND controls or processes data of 25,000 or more Minnesota consumers

“Personal data” means information that is linked or reasonably linkable to an identified or identifiable individual. It does not include deidentified data, publicly available information, or aggregated data. “Sale” includes exchanging personal data for monetary or other valuable consideration. See Minn. Stat. § 325M.11 for the full definitions.

Who Is Exempt

The MCDPA carves out several categories of entities and data:

Entity-level exemptions:

  • Small businesses as defined by the U.S. Small Business Administration—though even exempt small businesses cannot sell sensitive data without consumer consent (Minn. Stat. § 325M.17)
  • State and local government entities
  • Federally recognized Native American tribes
  • Airlines
  • Certain nonprofit organizations engaged in insurance fraud detection

Data-level exemptions:

Federal Law | Data Excluded
HIPAA | Protected health information already governed by federal health privacy rules
Gramm-Leach-Bliley Act (GLBA) | Financial data subject to federal financial privacy requirements
Fair Credit Reporting Act (FCRA) | Consumer report data
FERPA | Student education records
Driver’s Privacy Protection Act | Motor vehicle records

The MCDPA also excludes data collected in the employment context—information maintained about job applicants, employees, owners, directors, officers, or contractors acting in their business capacity. This means your internal HR data is not subject to MCDPA consumer rights requests, though it may be covered by other laws.

Technology Providers and Education Data

One provision unique to the MCDPA: the law specifically applies to technology providers that contract with public education agencies under Minn. Stat. § 13.32, giving it broad reach into the education technology sector.

What the MCDPA Requires

Consumer Rights

The MCDPA grants Minnesota consumers a set of rights that businesses must honor within 45 days of receiving a verified request:

  • Access and confirmation. Consumers can confirm whether a business is processing their personal data and access the categories and specific data involved.
  • Correction. Consumers can request correction of inaccurate personal data.
  • Deletion. Consumers can request deletion of their personal data, subject to certain exceptions (legal obligations, fraud prevention, contract performance).
  • Portability. Consumers can obtain a copy of their data in a readily usable, portable format.
  • Opt-out. Consumers can opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects.
  • Third-party disclosure list. Consumers can obtain a list of specific third parties to whom the business has disclosed their personal data.
  • Right to question profiling. Consumers can question the results of profiling decisions and understand the reasoning behind them—a provision that distinguishes the MCDPA from most other state privacy laws.
  • Appeal. If a business denies a consumer’s request, the consumer has the right to appeal.

Businesses cannot discriminate against consumers for exercising these rights, and any contract provision that purports to waive consumer rights under the MCDPA is void. See Minn. Stat. § 325M.14.

Universal Opt-Out Mechanisms

Controllers must recognize opt-out requests submitted through universal opt-out mechanisms such as browser settings, browser extensions, or global device settings. If your website uses cookies for targeted advertising or shares data with third parties, you need a technical mechanism to detect and honor these signals.

Privacy Notice Requirements

Every controller must provide a privacy notice that is reasonably accessible, clear, and meaningful. Under Minn. Stat. § 325M.16, the notice must include:

  • Categories of personal data the business processes
  • Purposes for processing
  • How consumers can exercise their rights
  • Categories of personal data sold or shared with third parties
  • Categories of third parties receiving the data
  • Controller contact information
  • Data retention policies
  • The date of the last update

The notice must be linked from the website homepage using a conspicuous “Privacy” hyperlink, must be accessible to individuals with disabilities, and must be available in languages that match the languages in which the business provides its products or services.

If your business already maintains a privacy policy for your website terms of service, you will likely need to update rather than replace it.

The MCDPA defines sensitive data broadly: racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, genetic data, biometric data, data from known children, and precise geolocation data. Businesses must obtain affirmative consent before processing sensitive data, and consumers may revoke that consent at any time.

Data Minimization

Controllers must limit data collection to what is “adequate, relevant, and reasonably necessary” for the disclosed processing purposes. Data cannot be retained longer than necessary for those purposes. Processing personal data for a new purpose not disclosed in the original privacy notice requires fresh consent, unless the new purpose is reasonably compatible with the original.

Data Protection Assessments

Under Minn. Stat. § 325M.18, controllers must conduct and document data privacy and protection assessments before engaging in certain high-risk processing activities:

  • Targeted advertising
  • Sale of personal data
  • Processing sensitive data
  • Profiling that presents a risk of unfair treatment, discrimination, financial or reputational injury, or intrusion into private affairs
  • Any other processing that presents a heightened risk of harm to consumers

The assessment must weigh the benefits of the processing against the potential risks to consumer rights, account for the extent of sensitive data involved, and describe the policies and procedures the business has adopted. The Attorney General may request these assessments at any time during an investigation.

Processor Contracts

If your business uses vendors or service providers that process personal data on your behalf, the MCDPA requires a written contract that specifies:

  • The nature and purpose of the processing
  • The type of personal data subject to the processing
  • Duration of the processing relationship
  • Confidentiality obligations for all personnel with data access
  • Written subcontractor agreements (with controller approval required)
  • Data deletion or return procedures at the end of the relationship
  • Controller’s right to audit or arrange independent assessments

Minnesota businesses should also consider how these requirements interact with vendor contract terms more broadly.

Personal Data Inventory

The MCDPA requires controllers to maintain a personal data inventory—a first among state privacy laws. This inventory requirement reinforces the data-mapping step that underpins every other compliance obligation.

Enforcement and Penalties

The Minnesota Attorney General has exclusive enforcement authority over the MCDPA. There is no private right of action—individual consumers cannot sue businesses directly for violations. See Minn. Stat. § 325M.20.

Penalty Structure

Element | Detail
Civil penalty | Up to $7,500 per violation
Litigation costs | Attorney General recovers reasonable expenses if prevailing
Injunctive relief | AG can seek court orders requiring specific compliance measures
Waiver prohibition | Contract terms purporting to waive consumer rights are void and unenforceable

Cure Period (Now Expired)

From July 31, 2025, through January 31, 2026, the Attorney General was required to send a written warning letter before bringing an enforcement action, giving businesses 30 days to cure the alleged violation. That mandatory notice period has expired. As of February 2026, the Attorney General can bring enforcement actions immediately without prior warning.

According to the Attorney General’s office, the AG sent hundreds of educational letters and dozens of formal warning letters during the initial period, received over 200 consumer complaints, and found that most companies corrected identified problems voluntarily. That track record suggests the AG’s office is actively monitoring compliance.

Compliance Steps for Minnesota Businesses

Whether your business clearly meets the MCDPA thresholds or operates near them, the following steps represent a sound compliance framework. At Hall PC, Aaron Hall advises Minnesota business owners on regulatory compliance obligations including data privacy—if you need assistance, the firm’s Legal Operating System™ provides a structured approach to ongoing compliance management.

Step 1: Determine Whether the MCDPA Applies

Count the number of Minnesota consumers whose personal data your business processes annually. Exclude data processed solely to complete payment transactions. If you approach 100,000 consumers—or if you sell personal data and approach 25,000 consumers—assume the law applies and build your compliance program accordingly. Businesses that are close to the threshold today may cross it as they grow.

If your business qualifies as a small business under the SBA definition, you are exempt from most MCDPA requirements but must still avoid selling sensitive data without consent.

Step 2: Map Your Data

Build a personal data inventory documenting:

  • What categories of personal data you collect
  • Where the data is stored
  • How it flows through your systems and to third parties
  • How long you retain it
  • What legal basis supports each processing activity

This inventory is not optional—the MCDPA requires it—and it forms the foundation for every other compliance step. Businesses that have already completed data-mapping for other purposes (HIPAA, GDPR, or California’s CCPA) have a head start, but the inventory must account for Minnesota-specific requirements.

Step 3: Update Your Privacy Notice

Review your existing privacy policy against the MCDPA’s disclosure requirements. Ensure it covers all required elements: data categories, processing purposes, consumer rights and exercise mechanisms, third-party disclosures, retention policies, and contact information. Add a conspicuous “Privacy” link to your website homepage if one does not already exist.

Businesses registered to do business in Minnesota should treat the privacy notice update as part of their broader compliance review.

Step 4: Implement Consumer Rights Mechanisms

Build a reliable process for receiving, verifying, and responding to consumer rights requests within 45 days. The Attorney General’s office has specifically recommended that businesses establish a submission mechanism such as a web portal, dedicated email address, or equivalent. Train the staff who will handle these requests on:

  • Identity verification procedures
  • Response timelines and extension rules
  • Grounds for denial (and the obligation to explain denials and offer an appeal process)

Audit whether your business collects or processes any categories of sensitive data. If so, implement affirmative consent mechanisms and ensure consumers can revoke consent at any time. Remember that even small businesses exempt from the broader MCDPA cannot sell sensitive data without consent.

Step 6: Update Vendor Contracts

Review all agreements with vendors and service providers that process personal data on your behalf. Each agreement must meet the MCDPA’s processor contract requirements: specified purpose, data type, duration, confidentiality obligations, subcontractor controls, deletion procedures, and audit rights.

Step 7: Conduct Data Protection Assessments

If your business engages in targeted advertising, sells personal data, processes sensitive data, or uses profiling, complete a data protection assessment before continuing those activities. Document the assessment and retain it—the Attorney General may request it during an investigation.

Step 8: Recognize Universal Opt-Out Signals

Implement technical mechanisms to detect and honor universal opt-out signals from browsers and devices. If your website uses tracking technologies for targeted advertising, this step requires coordination with your development team or marketing technology vendors.

Step 9: Train Your Team

Compliance is not a one-time project. Train employees who handle personal data on the MCDPA’s requirements, your internal data handling procedures, and how to escalate consumer requests. Document the training and update it as the law or your practices change.

The MCDPA is one of several regulatory obligations Minnesota businesses must track. A comprehensive approach to compliance—covering entity filings, employment law, data privacy, and contractual obligations—reduces the risk that any single requirement falls through the cracks.

Does the Minnesota Consumer Data Privacy Act apply to my business?

The MCDPA applies if your business conducts business in Minnesota or targets Minnesota residents and either processes personal data of 100,000 or more consumers per year (excluding payment-only transactions) or processes data of 25,000 or more consumers while deriving over 25 percent of gross revenue from selling personal data. Small businesses as defined by the U.S. Small Business Administration are exempt from most requirements but still cannot sell sensitive data without consent.

What are the penalties for violating the MCDPA?

The Minnesota Attorney General can impose civil penalties of up to $7,500 per violation, plus reasonable litigation expenses. There is no private right of action, meaning individual consumers cannot sue businesses directly under the MCDPA. The 30-day cure period expired on January 31, 2026, so the Attorney General can now bring enforcement actions immediately without advance warning.

What consumer rights does the MCDPA create?

The MCDPA grants consumers the right to access, correct, and delete their personal data; the right to data portability; the right to opt out of targeted advertising, data sales, and profiling; the right to obtain a list of third parties who received their data; and the right to question profiling results. Businesses must respond to consumer requests within 45 days.

Does the MCDPA require a privacy policy?

Yes. Controllers must provide a reasonably accessible, clear, and meaningful privacy notice that discloses the categories of personal data processed, processing purposes, consumer rights and how to exercise them, categories of third parties receiving data, contact information, data retention policies, and the date of the last update. The notice must be accessible through a conspicuous Privacy hyperlink on the business website.

What is sensitive data under the MCDPA?

Sensitive data includes racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, genetic data, biometric data, data from known children, and precise geolocation data. Businesses must obtain consumer consent before processing sensitive data, and even small businesses that are otherwise exempt cannot sell sensitive data without consent.

Do I need a data processing agreement with my vendors?

Yes. If a vendor processes personal data on your behalf, the MCDPA requires a written contract specifying the nature and purpose of the processing, the type of data involved, duration, confidentiality obligations, subcontractor approval procedures, data deletion requirements, and your right to audit the vendor’s compliance.