Are You Ready for Minnesota’s New Data Privacy Law?

The Minnesota Consumer Data Privacy Act (“MCDPA”) takes effect July 31, 2025

The Minnesota Consumer Data Privacy Act (“MCDPA”) introduces new rights for consumers and new obligations for businesses – and it takes effect July 31, 2025. If your business handles personal information from Minnesota residents, now is the time to prepare. Can you respond to consumer requests under the new law? Are your opt-out tools in place? Have you updated your privacy notice? The summary below highlights key areas to help you assess your readiness and next steps.

Covered Businesses

The MCDPA covers entities that: (1) conduct business in Minnesota, or target Minnesota consumers with products/services, and (2) in a calendar year either:

  • control or process the personal data of 100,000 or more Minnesota residents, or
  • control or process the personal data of 25,000 or more Minnesota residents and derive more than 25% of their gross revenue from the sale of personal data.

Most of the compliance burden is on “controllers,” or entities that determine the purposes and means of processing personal data. If your company determines why and how personal data is collected, used, or otherwise processed, you’re likely a controller.

“Processors” process information on behalf of a controller and are required to follow the controller’s instructions and assist the controller in meeting its compliance obligations.

Exemptions for Certain Entities and Data

MCDPA exemptions generally relate to either specific types of entities or to certain types of data.

Entity exemptions include government entities, federal American Indian tribes, chartered banks and credit unions, insurance companies, qualified small businesses, and nonprofits that detect and prevent insurance fraud. Notably, Minnesota is one of the few states with a qualified small business exemption.

Data exemptions include data governed by existing state and federal regulations like health and insurance data (HIPAA), credit and financial data (Fair Credit Reporting Act, Gramm-Leach-Bliley Act, Farm Credit Act), educational and child data (Family Educational Rights and Privacy Act, Children’s Online Privacy Protection Act), and certain air carrier data under the Airline Deregulation Act.

Other data exemptions relate to data used in the employment context, payment transactions, anonymous or pseudo-anonymous data, some transfers to processors or affiliated entities, compliance with other laws or law enforcement actions, public health activities, and for the recall or repair of products or services.

Minnesota Consumer Rights

Businesses must make it possible for Minnesota consumers to exercise new MCDPA rights including:

  • right to conveniently opt out of having their personal data used for:
    • targeted advertising,
    • the sale of personal data, or
    • profiling for certain automated decision-making;
  • right to confirm their personal data is being processed;
  • right to identify what categories of personal data are being processed;
  • right to correct inaccurate personal data;
  • right to have their personal data deleted;
  • right to obtain copies of their personal data in a usable and transferable format;
  • right to question the results of automated decision-making from profiling including: (1) requesting the reasons for the profiling, (2) being informed of the actions they can take to secure a different outcome, and (3) the ability to correct errors in the data; and
  • right to know which third parties received their personal data (if there is no consumer-specific ledger, a general ledger of all third parties can suffice).

Business Obligations to Consumers

Businesses must provide a secure, reliable, and convenient means for Minnesota consumers to exercise these rights – and must respond to rights requests within 45 days, with a possible 45-day extension when reasonably necessary and with proper notice. A business may decline to act but then must provide the consumer with notice and a process for appeal (subject to additional requirements). Minnesota consumers must be allowed to exercise their new privacy rights at no charge, up to twice a year, unless excessive or unfounded.

Businesses must limit personal data collection to what is adequate, relevant, and reasonably necessary. Express consent is required before collecting any sensitive data (with specific requirements for children’s data), along with appropriate mechanisms to revoke such consent. There are also nondiscrimination requirements for sensitive data and certain protected classes of individuals.

Privacy Notice

Businesses must provide a privacy notice (also referred to as a privacy policy) that includes key disclosures: the categories of personal data collected or processed; the purpose for which the data is used; an explanation of the consumer rights under the MCDPA and how to exercise them; the categories of personal data sold or shared and the general types of third parties involved; current contact information; data retention policies; and the effective date of the policy.

The privacy notice must also meet specific standards for access, language, usability, clarity, timely updates, and consumer notification.

While the MCDPA does not require a Minnesota-specific policy, businesses must review their existing privacy policy and update it as necessary to ensure full compliance with the law.

Vendor Contracts

Certain provisions must be in a contract between a controller and a processor, such as processing instructions, disclosure of the nature and scope of processing, the type of personal data subject to processing, duration of processing, data deletion or retention policies, the processor’s ability to demonstrate compliance, compliance audits, processor confidentiality of the data, required notice to controller of a processor’s intent to subcontract processing, and obligations of the subcontractor to comply with the controller-processor contract as well.

Enforcement

The MCDPA is enforced by the Minnesota attorney general. Penalties for violations are capped at $7,500 per violation, but the state may also recover its expenses should it prevail in an enforcement action, as well as any other remedies permitted by law. There is currently no private right of action allowing consumers to sue for violations of the MCDPA.

Managing Privacy Risks in AI Tools

AI tools can introduce unique privacy and data security challenges – especially when used for profiling or automated decision-making. Under the MCDPA, consumers have the right to opt out of profiling that produces legal or similarly significant effects, to receive a general explanation of the logic involved, to challenge outcomes, and to correct inaccurate data. Businesses should have a clear AI policy that identifies which tools are authorized and outlines their approved use cases. Just as important, you need to understand how these tools operate to ensure compliance. When was your AI policy last reviewed and updated?

The Broader U.S. Privacy Law Landscape

At least 18 states now have comprehensive data privacy laws. Does your compliance strategy cover the full spectrum of applicable laws?

Review Your Broader Technology Contracts

This is a good time to check your other technology contracts. Are they optimized to provide the most value and protection? These may include your website terms of use or terms & conditions, your terms of sale, subscription agreements, or end user license agreements.

The attorneys at Henson Efron are ready to help your business prepare for the Minnesota Consumer Data Privacy Act and broader data governance obligations. Our team includes professionals with advanced credentials in privacy and AI governance, including the Certified Information Privacy Professional (CIPP) and Artificial Intelligence Governance Professional (AIGP) designations. Backed by a strong business law team, we provide practical, informed counsel to help clients navigate compliance, manage risk, and implement effective policies.

This article is intended merely to provide general information and should not be construed as legal advice.
