What You Need To Know About Minnesota’s New Privacy Law
Minnesota is set to join the growing number of states implementing comprehensive privacy laws in 2025, contributing to what promises to be an active summer for U.S. privacy regulation. Following Tennessee’s law taking effect on July 1, Minnesota’s Consumer Data Privacy Act (MCDPA) will come into force on July 31, 2025.
While the MCDPA builds on established frameworks like the Washington Privacy Act, it introduces important new provisions, particularly around profiling tied to automated decision-making, and raises the bar with formal governance requirements, including appointing a Chief Privacy Officer (or another responsible individual) and maintaining a documented data inventory. Further, it includes unique transparency rules for sensitive data collection and third-party sharing.
We’re here to guide you through the necessary steps to ensure compliance and readiness for the MCDPA. Continue reading for a breakdown of the law’s key provisions, how it differs from other state laws, and what your organization should do to prepare.
Understanding the MCDPA | Scope of Application | Rights Granted to Consumers | Key Obligations for Businesses Under Minnesota’s Privacy Law | Enforcement of The MCDPA | How DataGrail Can Help
Understanding the MCDPA
Signed into law by Governor Tim Walz on May 24, 2024, the Minnesota Consumer Data Privacy Act (MCDPA) introduces a familiar set of consumer rights found in many other state privacy laws like the right to access, correct, delete, and port their personal data, as well as opt out of targeted ads, data sales, and certain types of profiling.
When individuals exercise their right to access, organizations must disclose, without revealing the data itself, whether sensitive categories like Social Security numbers, government-issued ID numbers, financial or medical account numbers, passwords, or biometrics have been collected. This added layer of transparency tells the consumer what is held while limiting the exposure that would come from returning those values in an access response.
Like Oregon, Minnesota also requires organizations to provide consumers with a list of third parties their data has been shared with, or at the very least, a list of those who’ve received personal data more broadly.
Where Minnesota stands out most is in its approach to profiling. It’s the first state to give individuals the right to challenge profiling decisions that carry legal or similarly significant impacts. This includes the ability to review the data used, correct inaccuracies, and understand what actions could have led to a different outcome, adding a level of transparency not yet seen in other states.
While the MCDPA aligns with core requirements we’ve seen elsewhere such as conducting risk assessments and maintaining privacy notices, it also sets stricter operational expectations. Unlike most state privacy laws, the MCDPA explicitly requires organizations to appoint a Chief Privacy Officer (or designee) and to maintain documented internal privacy policies and a formal data inventory, marking a shift toward mandated internal accountability and governance.
We’ll break down these details further and the scope of the law next.
Scope of Application
The Minnesota Consumer Data Privacy Act (MCDPA) applies to businesses operating in Minnesota or offering products or services to Minnesota residents as long as they meet at least one of the following thresholds in a calendar year:
- They process or control personal data of 100,000 or more consumers, not counting data handled purely to complete a payment transaction, or
- They derive 25% or more of their gross revenue from selling personal data and process or control personal data of 25,000 or more consumers.
Exemptions
MCDPA includes many of the same carve-outs seen in other state laws. Entire categories of organizations are exempt, including:
- State agencies and political subdivisions
- Financial institutions covered by the Gramm-Leach-Bliley Act (GLBA)
- Healthcare providers and data already regulated by HIPAA
- State or federally chartered banks
- Insurance companies
Small businesses, as defined by the U.S. Small Business Administration, are also exempt—but they still need opt-in consent to sell sensitive data.
Unlike most state laws, Minnesota does not exempt institutions of higher education and offers a narrower nonprofit exemption. Organizations should consult with legal counsel to assess whether they qualify for any exemptions under the MCDPA.
Rights Granted to Consumers
The Minnesota law provides consumers with several rights to safeguard their personal data and manage how it is used:
- Right to Access: Consumers can confirm whether their personal data is being processed by a business and request access to their data, with certain limitations.
- Right to Deletion: Consumers can ask businesses to delete their personal data, whether it was provided by the consumer or collected about them, though some exceptions apply.
- Right to Correction: Consumers can request that any inaccuracies in their personal data be corrected, considering the nature of the data and its intended use.
- Right to Data Portability: Consumers can request a copy of the personal data they previously shared with a business, provided in a usable format, subject to some exceptions.
- Right to Opt-Out: Consumers can opt out of the sale of their personal data, its use for targeted advertising, and profiling in furtherance of automated decisions that produce legal or similarly significant effects.
Enhanced Profiling Rights and Third Party Disclosure
Minnesota introduces additional protections around profiling. Where automated profiling is used to make impactful decisions, individuals have the right to:
- Review the personal data used in the profiling
- Contest the outcome
- Receive an explanation of the decision and the reasons behind it
- Be informed of actions they could have taken to achieve a different outcome
- Understand what actions they may take to influence future decisions
- Correct inaccurate personal data and request reevaluation of the profiling decision
The MCDPA also requires organizations to provide, upon request, a list of specific third parties with whom personal data has been shared or, where a specific list is unavailable, a list of third parties who have received personal data more broadly.
Disclosure Requirements When Consumers Exercise Their Rights
Controllers must not disclose certain sensitive personal information such as Social Security numbers, government-issued ID numbers, financial account numbers, health insurance or medical IDs, account passwords or security question answers, and biometric data. Instead, they are required to inform consumers with sufficient detail that these types of sensitive data have been collected, without revealing the actual data itself. This provision balances transparency with the need to protect consumers from unnecessary exposure of highly sensitive information.
Organizations must respond to consumer requests within 45 days, with the possibility of a single 45-day extension when reasonably necessary.
Key Obligations for Businesses Under Minnesota’s Privacy Law
As Minnesota’s new data privacy law comes into effect, businesses must take several crucial steps to comply with the MCDPA. Minnesota’s privacy law outlines specific obligations for both controllers and processors of personal data. Here’s a breakdown of key responsibilities:
Controllers’ Responsibilities
Controllers—those who determine the purposes and means of processing personal data—are required to:
- Limit Data Collection: Collect only personal data that is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer. Data collected beyond these purposes must be justified by a clearly defined need and cannot be retained longer than necessary.
- Transparency and Privacy Notices: Provide a clear, accessible, and up-to-date privacy notice that includes:
- The categories of personal data processed and the purposes for processing
- The categories of personal data sold to or shared with third parties, if any
- The categories of third parties receiving such data
- Methods for consumers to exercise their rights, including the appeals process
- The controller’s contact information
- A description of the data retention policy
- The date the notice was last updated
- Maintain a Data Inventory: Unlike many other state privacy laws, the MCDPA explicitly requires controllers to maintain an inventory of personal data. This inventory supports accountability and helps ensure data processing aligns with legal obligations and internal privacy policies.
- Data Security Practices: Implement and maintain reasonable administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of personal data. These security measures must be tailored to the volume and sensitivity of the data collected.
- Designate a Privacy Lead: Appoint a Chief Privacy Officer (CPO)—or a designated individual—responsible for directing and overseeing compliance with the MCDPA. This is a unique requirement under Minnesota’s law and emphasizes a formal governance structure for data privacy. If your organization already has a Data Protection Officer (DPO) appointed for GDPR compliance, that person can often fulfill the CPO role under the MCDPA. However, ensure this individual is clearly tasked with the specific duties required by the MCDPA to maintain full compliance.
- Document Internal Compliance: Controllers must document and maintain a description of the policies and procedures adopted to comply with the MCDPA. This includes:
- The name and contact information of the CPO or responsible individual
- Descriptions of how each controller duty is fulfilled
- These records must be available for review and must reflect current practices, not a snapshot taken at the time the program was set up.
- Consumer Rights Fulfillment: Ensure timely and accurate fulfillment of consumer rights of access, correction, deletion, and portability, and of requests to opt out of targeted advertising, data sales, and certain profiling activities, while complying with any applicable limitations discussed above.
- Opt-Out Opportunities: Enable consumers to opt out of the sale of personal data, targeted advertising, and profiling that results in legal or similarly significant effects. These opt-out options must be clearly presented and accessible, avoiding the use of dark patterns. For example, you may provide a button labeled “Your Opt-Out Rights” or “Your Privacy Rights” that either opens an opt-out request dialog or links to a web page where users can submit their opt-out request. This approach aligns with similar practices recognized in jurisdictions like California and Colorado.
- Sensitive Data Processing: Obtain explicit consent before processing sensitive data—including racial or ethnic origin, religious beliefs, health information, sexual orientation, biometric or genetic data, and precise geolocation. Processing data from children requires compliance with COPPA.
- Conduct Data Privacy and Protection Assessments (DPPAs): For processing activities that may pose heightened risks, controllers must conduct a Data Privacy and Protection Assessment (DPPA). These assessments are required for targeted advertising, selling personal data, processing sensitive data, and profiling that presents a reasonably foreseeable risk of harm to consumers.
Unlike other states, Minnesota’s law includes prescriptive content requirements for DPPAs, including details about the data involved, processing context, and a reference to the controller’s documented compliance procedures.
Processors’ Responsibilities
Processors—those who process data on behalf of a controller—are required to:
- Data Processing Agreements: Enter into binding contracts with controllers that clearly define the scope of processing activities, the nature of the data involved, and the processor’s obligations. These contracts must also require processors to assist with privacy rights requests and security measures.
- Assist with Compliance: Support controllers in complying with their obligations under the MCDPA, including facilitating data protection assessments, responding to consumer rights requests, and maintaining proper data inventories and safeguards.
- Implement Security Measures: Maintain appropriate technical and organizational measures to protect personal data from unauthorized access or loss. This includes safeguards tailored to the sensitivity of the data processed.
Both controllers and processors should be aware that failure to comply with these requirements can lead to enforcement by the Minnesota Attorney General and potential penalties.
Enforcement of the MCDPA
The Minnesota Consumer Data Privacy Act (MCDPA) is enforced solely by the Minnesota Attorney General and does not include a private right of action. This means individual consumers cannot bring lawsuits directly under the law, unlike in California where private enforcement is available under certain circumstances.
Warning and Cure Period:
Before initiating formal enforcement actions, the Attorney General must issue a warning letter to the organization (controller or processor) alleged to have violated the MCDPA. This letter will:
- Identify the specific provision(s) of the law that are believed to have been violated
- Trigger a 30-day cure period during which the organization has an opportunity to correct the violation(s) without penalty
Sunset Clause:
The 30-day cure provision is temporary and will expire on January 31, 2026. After this date, the Attorney General will no longer be required to provide an opportunity to cure before pursuing enforcement.
Penalties:
If violations remain uncured after the warning period—or occur after the cure provision sunsets—the Attorney General may initiate legal action and seek civil penalties of up to $7,500 per violation.
How DataGrail Can Help
Minnesota’s new privacy law brings some of the most detailed obligations we’ve seen yet, particularly around profiling, data inventories, and consumer rights.
DataGrail is built to take the complexity out of compliance and help your team stay ahead of requirements like those in the MCDPA. Here’s how:
- Automate Consumer Rights Requests: Easily manage consumer requests for access, deletion, and opt-out, all while ensuring timely responses in line with MCDPA deadlines.
- Maintain a Compliant Data Inventory: Minnesota is one of the first states to explicitly require a formal data inventory. DataGrail’s Live Data Map gives you real-time visibility into where personal data lives across your tech stack, so you can meet this requirement without spreadsheets or manual processes.
- Monitor and Manage Third-Party Data Sharing: DataGrail makes it easier to track and report on who you’re sharing data with—supporting Minnesota’s unique requirement to disclose specific or broad lists of third parties.
With DataGrail’s Request Manager, businesses can efficiently handle data subject access requests (DSARs), deletion requests, and opt-out actions. This means you’re covered not just for MCDPA, but also for other major laws like CCPA and GDPR.
By using DataGrail, your business can stay ahead of privacy laws, reduce risk, and maintain trust with your customers.
Request a demo here.
Want to learn more? Check out our Guide to State Privacy Laws to discover how these regulations will impact your business and ensure your compliance strategy is up to date.
Additionally, join Privacy Basecamp, our exclusive Slack community of privacy professionals, to connect, share resources, and discuss best practices in privacy management. Stay updated on the latest state privacy legislation and engage with experts in the field.
For questions, reach out to your CSM or email [email protected]. Interested in seeing the platform? Request a demo here.