Minnesota now has a comprehensive consumer privacy law, and as of 2026 it is being actively enforced. The Minnesota Consumer Data Privacy Act, codified at Minn. Stat. § 325M.10 through § 325M.21, took effect on July 31, 2025. It gives Minnesota residents new rights over their personal data and puts new duties on the businesses that collect and use that data. The first question for most business owners is simple: does this law reach my company, and if it does, what do I actually have to do? This article walks through the answers. For broader context on staying ahead of new state requirements, see our regulatory compliance practice area.

Does the Minnesota Consumer Data Privacy Act apply to my business?

The Minnesota Consumer Data Privacy Act applies to a business that conducts business in Minnesota or targets Minnesota residents and meets one of two data thresholds in a calendar year. The first threshold: the business controls or processes personal data of 100,000 consumers or more, excluding data processed solely to complete a payment transaction. The second: the business derives over 25 percent of gross revenue from the sale of personal data and processes data of 25,000 consumers or more.

Two points matter for a CEO running the numbers. First, the payment-transaction carve-out keeps routine credit-card processing from inflating a retailer’s count toward the 100,000 figure. Second, “consumer” is a Minnesota resident only, and only when acting in an individual or household context, so business-to-business contacts do not count. Many midsized Minnesota companies fall below both thresholds. If yours does, the main body of the act does not bind you, but read on to the small-business section below, because one rule still applies.

What businesses and data are exempt from the Minnesota privacy law?

The Minnesota Consumer Data Privacy Act carves out specific entities and data categories. Some exemptions operate at the data level: protected health information governed by the Health Insurance Portability and Accountability Act (“HIPAA”), data regulated by the Gramm-Leach-Bliley Act (“GLBA”), consumer-report information regulated by the Fair Credit Reporting Act (“FCRA”), and education records under the federal student-records law. Other exemptions operate at the entity level: banks, credit unions, and insurance companies are excluded outright.

The distinction matters in practice. A medical clinic is not categorically exempt; only its HIPAA-protected health information is, and other personal data it holds, such as a marketing list, can still fall under the act. The act also excludes employee and job-applicant data used within the employment context. In my practice, the most common misread is a business assuming that because it operates in a regulated industry, the whole company sits outside the law. Often only a slice of its data does. Sorting which data is exempt and which is not is the first real compliance task.

Is my business a controller or a processor under the Minnesota privacy law?

The act regulates two roles, and your business may occupy both. A controller is the person or company that “determines the purposes and means of the processing of personal data.” A processor handles personal data “on behalf of a controller.” When you decide what customer data to collect and why, you are a controller. When you process data for a client under that client’s instructions, you are a processor for that engagement.

The two roles carry different duties:

| Question | Controller | Processor |
|---|---|---|
| Who decides why and how data is used? | Yes | No, follows the controller |
| Must publish a privacy notice? | Yes | No |
| Must respond to consumer rights requests? | Yes | Assists the controller |
| Must sign a data processing contract? | Yes, with each processor | Yes, with the controller |

Status is not a label you choose. The act states that whether a person is a controller or a processor “is a fact-based determination that depends upon the context.” A vendor that takes your data and decides on its own how to use it has become a controller of that data, with all the duties that follow.

What rights do my customers have over their personal data in Minnesota?

A Minnesota consumer has six core rights over personal data a business holds. Under the act, a consumer may confirm and access the categories of personal data a controller is processing, correct inaccurate data, delete data, and obtain a portable copy of data the consumer previously provided. A consumer may also opt out of processing for targeted advertising, the sale of personal data, or profiling. Profiling, in the act’s terms, covers automated decisions that could change a person’s access to a job, credit, housing, or similar significant outcomes, and is a common feature of how businesses screen and monitor people, including when they monitor consumers on social media.

One right is worth singling out. A consumer may obtain “a list of the specific third parties” to which the controller has disclosed the consumer’s personal data. The Minnesota act goes beyond a categories-only disclosure here: a consumer can ask for the actual list of the specific third parties that received their data, not just a description of the kinds of recipients. A business that cannot name the specific vendors, partners, and buyers that received a given consumer’s data will struggle to honor this right, which makes a clear data inventory a practical necessity, not just good hygiene.

How fast must my business respond to a consumer privacy request?

A controller must respond to a consumer’s privacy request without undue delay and within 45 days of receiving it. The 45-day period can be extended once by an additional 45 days when reasonably necessary, and the controller must tell the consumer about the extension and the reason for it. Information must be provided free of charge up to twice in a 12-month period.

The act also requires an internal appeal process. If a controller refuses to act on a request, it must give the consumer a way to appeal that refusal and respond to the appeal within 45 days. The controller must also point the consumer to a method for contacting the Attorney General to submit a complaint. For a business, this means the consumer-request workflow is not a one-step task. It is an intake process, a response process, and an appeal process, and each step has its own clock. In my experience advising on compliance programs, the recurring failure point is not the response itself but the lack of any defined intake channel, so a request lands in a general inbox and the 45-day clock runs while no one is assigned to it. Building that workflow before the first request arrives is far easier than improvising it under a deadline.

What does my business have to put in its privacy notice?

A controller must publish a privacy notice that gives consumers specific information. The act requires the notice to state the categories of personal data the controller processes, the purpose of processing, how consumers exercise their rights and appeal a refusal, the categories of personal data sold or shared with third parties, and the categories of those third parties. The notice must be accessible, including to people with disabilities, which connects privacy compliance to the same website accessibility obligations many businesses already face.

A generic privacy policy copied from a template will rarely satisfy this. The notice has to describe what your business actually does with data. If the business sells personal data or runs targeted advertising, the act requires a “clear and conspicuous method outside the privacy notice” for a consumer to opt out, such as a labeled link on the homepage. Businesses that handle consumer data in marketing should also confirm their practices align with Minnesota’s rules on commercial email marketing, which operate alongside the privacy law.

What ongoing duties does the Minnesota privacy law put on data controllers?

Beyond the privacy notice, a controller carries substantive duties in how it handles data. The act requires a controller to limit data collection to what is “adequate, relevant, and reasonably necessary” for its stated purpose. That is a data-minimization rule: collecting data the business does not need is itself a compliance gap. The act also requires a controller to maintain “reasonable administrative, technical, and physical data security practices.”

Two further duties deserve attention. A controller must obtain a consumer’s consent before processing sensitive data, a defined category that includes health, racial or ethnic origin, religious belief, sexual orientation, citizenship status, genetic and biometric data, precise geolocation, and data of a known child. And a controller may not discriminate against a consumer for exercising a privacy right, including by denying goods or services, charging a different price, or providing a different quality of service. A loyalty program offering a discount in exchange for data is permitted; punishing a consumer who opts out is not.

What is a data privacy and protection assessment, and when does my business need one?

A data privacy and protection assessment is a written analysis a controller must complete and document before engaging in certain higher-risk processing. The act requires an assessment for several activities: processing personal data for targeted advertising, the sale of personal data, the processing of sensitive data, any processing that presents a heightened risk of harm to consumers, and profiling that presents “a reasonably foreseeable risk” of unfair or deceptive treatment, financial or physical or reputational injury, or an intrusion that would be offensive to a reasonable person.

The assessment is not a form. It weighs the benefits of the processing, to the controller and to consumers, against the risks to consumers, factoring in the sensitivity of the data and whether safeguards reduce the risk. The act also requires written compliance policies and documentation of the chief privacy officer or other individual with primary responsibility for the controller’s privacy program. One feature protects the business: an assessment is classified as nonpublic data and retains attorney-client privilege protection, though the Attorney General can request it through a civil investigative demand. Treating the assessment as a genuine pre-launch review, rather than paperwork generated after the fact, is what gives it value if the Attorney General ever asks to see it.

What if my business is too small to meet the Minnesota privacy law thresholds?

A business below the 100,000-consumer and revenue thresholds is outside the main act, but it is not fully unregulated. The act states that a small business, defined by the federal Small Business Administration’s size standards, that conducts business in Minnesota or targets Minnesota residents “must not sell a consumer’s sensitive data without the consumer’s prior consent.” That single rule binds even the smallest covered business.

For most small Minnesota companies, this is the one provision to internalize. Sensitive data, again, includes health, religious belief, sexual orientation, precise location, biometric data, and data about children. Selling or trading that category of data, including in ways a business might not think of as a sale, such as sharing a customer email list in exchange for valuable consideration, requires the consumer’s prior consent. The Attorney General’s enforcement authority reaches violations of this rule, so a small business is not beyond the law’s reach on this point.

How is the Minnesota Consumer Data Privacy Act enforced?

The Minnesota Attorney General is the sole enforcer of the act. The act creates no private right of action, so a consumer cannot sue a business directly for a privacy violation. A controller or processor that violates the act “is subject to an injunction and liable for a civil penalty of not more than $7,500 for each violation.”

One point of timing matters. When the act first took effect, the Attorney General was required to send a warning letter and allow 30 days to cure a violation before filing an enforcement action. That mandatory cure window expired on January 31, 2026. A business cannot now assume it will receive notice and a grace period before the Attorney General acts. The per-violation structure of the penalty also means exposure scales with the number of affected consumers, so a single systemic gap, such as an unanswered category of consumer requests, can multiply quickly. Active enforcement is the current reality, and compliance is best treated as a present obligation rather than a future project.

What practical steps put my business on the path to Minnesota privacy compliance?

Compliance starts with a data inventory. A business cannot honor consumer rights, write an accurate privacy notice, or complete an assessment without knowing what personal data it collects, why, where the data lives, and who receives it. The inventory is the foundation everything else rests on. In my practice, the businesses that struggle with privacy compliance are almost always the ones that skipped this step and tried to write the notice first.

From the inventory, the work follows a clear sequence. Update the privacy notice so it describes what the business actually does with data. Build the consumer-request and appeal workflow, with its 45-day clocks, before the first request arrives, with the same discipline that keeps opt-out requests handled cleanly. Put a written contract in place with every vendor that processes personal data, covering the confidentiality and processing terms the act requires in vendor contracts. And document a data privacy and protection assessment before any targeted advertising, data sale, sensitive-data processing, or risky profiling.

Do I need a written contract with every vendor that touches my customer data?

Yes. The Minnesota Consumer Data Privacy Act requires a controller to have a written contract with each processor that handles personal data on its behalf. The contract must set out the processing instructions, purpose, data types, and duration. A handshake arrangement with a vendor does not satisfy Minn. Stat. § 325M.13.

Can I charge a customer a fee for asking to see or delete their data?

No, not for routine requests. A controller must provide the requested information free of charge up to twice in a 12-month period. The law also bars a controller from discriminating against a consumer who exercises a privacy right, which includes charging that consumer a different price.

Does the Minnesota privacy law cover the data I hold on my own employees?

No. The law’s definition of consumer reaches only Minnesota residents acting in an individual or household context. Data collected and used in the context of someone applying to, working for, or acting as a contractor of your business is expressly excluded from the act.

Can a customer sue my business directly for a privacy violation?

No. The Minnesota Consumer Data Privacy Act creates no private right of action. Only the Minnesota Attorney General can enforce the act. A violation can result in an injunction and a civil penalty of up to $7,500 for each violation under Minn. Stat. § 325M.20.

What happens if I sell or swap a customer email list without consent?

If the list includes sensitive data, even a business too small for the main law still needs the consumer’s prior consent before selling it. A business above the law’s thresholds must also disclose data sales in its privacy notice and honor any opt-out request the consumer has made.

Is my out-of-state business covered if I have Minnesota customers?

It can be. The Minnesota Consumer Data Privacy Act applies to any business that targets Minnesota residents and meets the data thresholds, no matter where the business is based. Physical presence in Minnesota is not required for the law to reach you.

The Minnesota Consumer Data Privacy Act changed the baseline for how Minnesota businesses handle customer data, and with the early cure period now closed, the Attorney General is enforcing it in full. The practical path is the same whether a business is comfortably above the thresholds or only handles sensitive data occasionally: know your data, tell consumers the truth about it, honor their rights on time, and document the higher-risk decisions before you make them. For more on building a durable compliance program, see our regulatory compliance practice area. If you would like a second set of eyes on whether the act applies to your business and what your specific gaps are, contact us by email with a brief description of how your company collects and uses personal data.