Minnesota
Minnesota Consumer Data Privacy Act (MCDPA)
| Passed | May 19, 2024 |
| Effective Date | July 31, 2025 |
| Who it applies to |
Entities that (1) conduct business in Minnesota or target products/services to Minnesota residents and (2) either process data of 100,000+ consumers (excluding payment-only data) or derive 25%+ of revenue from selling data of 25,000+ consumers. Exemptions include state agencies, GLBA-regulated financial institutions, HIPAA-covered entities, and small businesses. Notably, higher education institutions are not exempt, and the nonprofit exemption is narrower. |
| Penalties | Up to $7,500 per violation. A 30-day cure period is available, but only until January 31, 2026. |
What’s notable about it:
Minnesota is the first state to grant consumers the right to challenge profiling decisions that carry legal or similarly significant effects such as those used in housing, credit, or employment. This includes the right to access the underlying data, correct errors, and understand what actions could have led to a different outcome.
The law also includes formal governance requirements not seen in most other states. Businesses must appoint a Chief Privacy Officer or a designated privacy lead and are explicitly required to maintain a data inventory and internal records of how they meet their compliance obligations.
In terms of transparency, Minnesota takes an extra step by requiring businesses to disclose, upon request, the specific third parties with whom they’ve shared personal data or at minimum, a general list of recipients. When consumers exercise their rights, businesses must also confirm whether certain sensitive data types (such as SSNs, biometrics, and medical information) have been collected, without revealing the data itself.