Minnesota Consumer Data Privacy Act: First Look & Summary

In May 2024, Minnesota lawmakers passed the first consumer data privacy law in the state, the Minnesota Consumer Data Privacy Act (MCDPA).

Below, I walk you through the MCDPA, including what it requires, how it impacts businesses and consumers, and what the penalties are for noncompliance.

Table of Contents

What Is the Minnesota Consumer Data Privacy Act (MCDPA)?
MCDPA Key Terms and Definitions
What Does the Minnesota Consumer Data Privacy Act Cover?
Requirements of the Minnesota Consumer Data Privacy Act
Minnesota Consumer Data Privacy Act vs. Other States: Similarities and Differences
How Will Consumers Be Impacted by the MCDPA?
Who Does the MCDPA Apply To?
How Will Businesses Be Impacted by the MCDPA?
Who Must Comply with Minnesota’s New Data Privacy Law?
How Can Businesses Prepare for the MCDPA?
How Will the MCDPA Be Enforced?
Fines and Penalties Under the Minnesota Consumer Data Privacy Act
How Will Termly Help with MCDPA Compliance?
Are There Other Privacy Related Laws in Minnesota?
Summary

What Is the Minnesota Consumer Data Privacy Act (MCDPA)?

The Minnesota Consumer Data Privacy Act (MCDPA) is the state’s first comprehensive consumer privacy law.

It outlines residents’ protections and rights over how their personal information gets collected, processed, and used by external entities.

The law also describes the penalties for noncompliance.

MCDPA Effective Date

The MCDPA becomes effective on July 31, 2025.

MCDPA Key Terms and Definitions

To help you better understand the MCDPA, I’ve included several key terms and their definitions exactly as they appear in the text of the law:

Consent: Any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which the consumer signifies agreement to the processing of personal data relating to the consumer.
- Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information does not constitute consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute consent. A consent is not valid when the consumer’s indication has been obtained by a dark pattern. A consumer may revoke consent previously given, consistent with this chapter.
Consumer: A natural person who is a Minnesota resident acting only in an individual or household context. Consumer does not include a natural person acting in a commercial or employment context.
Controller: The natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.
Personal data: Any information that is linked or reasonably linkable to an identified or identifiable natural person.
- Personal data does not include deidentified data or publicly available information.
Process/processing: Any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means, including but not limited to the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
Processor: A natural or legal person who processes personal data on behalf of a controller.
Sensitive data: Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status; the processing of biometric data or genetic information for the purpose of uniquely identifying an individual; the personal data of a known child; or specific geolocation data.

These terms are used throughout this guide with these definitions in mind.

What Does the Minnesota Consumer Data Privacy Act Cover?

The MCDPA covers the personal information of residents of the state of Minnesota.

It does not cover de-identified or publicly available information.

Requirements of the Minnesota Consumer Data Privacy Act

Below, I explain some of the critical business requirements outlined by the MCDPA.

Lawful Basis for Processing Personal Data

According to the MCDPA, entities can only collect personal data that’s considered reasonable and necessary to achieve the processing purposes as disclosed to the consumer.

To collect any information that falls beyond this scope or to collect categories of sensitive data or data from a known child, you must obtain legal consent from users or their legal guardians.

Consent

The MCDPA outlines a precise definition of consumer consent, and for it to be considered lawful, it must meet the following conditions:

Consent must be freely given, informed, and unambiguous.
Acceptance cannot be convoluted with broad terms of use or other similar language.
Hovering over, muting, pausing, or closing content does not qualify as consent.
Consent cannot be obtained through a dark pattern.
Consumers may revoke their consent at any time.

Contractual Obligations Between Controllers and Processors

The MCDPA requires controllers who work with third-party processors to both sign a binding contract outlining the following:

Set forth the instructions for the processing, its nature and purpose, the types of data subject to the processing, its duration, and the rights and obligations of both parties.
Ensure each person processing data is subject to a duty of confidentiality.
Engage a subcontractor only after giving the controller a chance to object and require the subcontractor to sign a construct outlining these same obligations.
At the controller’s direction, the processor is required to delete or return all data at the end of the contract unless retention is required by law.
At the controller’s direction, the processor is required to make available all information necessary to demonstrate compliance with the MCDPA.
Require the processor to allow for and contribute to reasonable assessments and inspections by the controller or a designated assessor.

Nondiscrimination

The MCDPA explains that controllers cannot process personal data in a manner that unlawfully discriminates against the consumer or class of consumers based on offering or the provision of:

Housing
Employment
Credit
Education
Goods
Services
Facilities
Privileges
Advantages
Accommodations of any place of public accommodation

Universal Opt-Out Mechanisms

The MCDPA explicitly gives consumers the right to use a universal opt-out mechanism (UOOM) to submit verifiable requests to follow through on their opt-out rights.

UOOM technology, like Global Privacy Controls (GPC), is a browser setting or extension users can enable to automatically inform websites that they don’t want to be subject to targeted advertising or to have their data sold or shared with third parties.

Data Privacy and Protection Assessments

The MCDPA describes robust data privacy and protection assessment requirements in Section 10 of the law.

Controllers are required to perform data privacy and protection assessments for any of the following reasons:

To process data for the purposes of targeted advertising
The sale of personal data
To process sensitive personal data
Any processing activities involving personal data that present a heightened risk of harm to consumers
Processing of personal data for purposes of profiling

The assessment must identify and weigh the benefits of the processing against the potential risks associated with it, as mitigated by any safeguard employed by the controller.

An assessment used to meet similar requirements of another data privacy law that’s similar in scope may also count towards the MCDPA.

Requirements for Small Businesses

According to Section 9 of the MCDPA, entities that qualify as small businesses as defined by the United States Small Business Administration and produce products in Minnesota or target state residents cannot sell sensitive personal data without obtaining consent.

While these small businesses are not subject to following the rest of the MCDPA guidelines, they must respect these consumer consent rights or risk getting fined up to $7,500 per violation.

Minnesota Consumer Data Privacy Act vs. Other States: Similarities and Differences

Several other U.S. states also have privacy laws in place, including the following:

California Consumer Protection Act (CCPA) — currently in force
Colorado Privacy Act (CPA) — currently in force
Connecticut Data Privacy Act (CTDPA) — currently in force
Delaware Personal Data Privacy Act (DPDPA) — effective Jan. 1, 2025
Florida Digital Bill of Rights (FDBR) — currently in force
Indiana Consumer Data Protection Act (Indiana CDPA) — effective Jan. 1, 2026
Iowa Consumer Data Protection Act (Iowa CDPA) — effective Jan. 1, 2025
Kentucky Consumer Data Protection Act (KCDPA) — effective Jan. 1, 2026
Montana Consumer Data Privacy Act (MCDPA) — effective Oct. 1, 2024
Maryland Online Data Privacy Act (MODPA) — effective Oct. 1, 2025
Nebraska Data Privacy Act (NDPA) — effective Jan. 1, 2025
New Hampshire Data Privacy Law (NHDPL) — effective Jan. 1, 2025
New Jersey Data Privacy Act (NJDPA) — effective Jan. 15, 2025
Oregon Consumer Privacy Act (OCPA) — currently in force
Tennessee Information Protection Act (TIPA) — effective July 1, 2025
Texas Data Privacy and Security Act (TDPSA) — currently in force
Utah Consumer Privacy Act (UCPA) — currently in force
Virginia Consumer Data Protection Act (VCDPA) — currently in force

You can compare these laws to the NDPA in the table below.

State Law	Opt-in consent for certain types of data processing	Opt-out consent for certain types of data processing	Must present users with a privacy policy (or notice)	Requires Data Protection Assessments	Outlines Contractual Obligation with Third-Party Processors	Allows for civil lawsuits or private right of action	Must honor Global Privacy Controls/browser privacy settings
MN CDPA	✓	✓	✓	✓	✓		✓
CCPA/CPRA	✓	✓	✓	✓	✓	✓	✓
CPA		✓	✓	✓	✓		✓
CTDPA		✓	✓	✓	✓		✓
DPDPA	✓	✓	✓	✓	✓		✓
FDBR		✓	✓	✓	✓
Indiana CDPA		✓	✓	✓	✓
Iowa CDPA		✓	✓		✓
KCDPA	✓	✓	✓	✓	✓
MT CDPA		✓	✓	✓	✓		✓
MODPA	✓	✓	✓	✓	✓		✓
NDPA	✓	✓	✓	✓	✓		✓
NHDPL	✓	✓	✓	✓	✓		✓
NJDPA	✓	✓	✓	✓	✓		✓
OCPA		✓	✓	✓	✓		✓
TIPA	✓	✓	✓	✓	✓
TDPSA		✓	✓	✓	✓		✓
UCPA		✓	✓		✓
VCDPA		✓	✓	✓	✓

How Will Consumers Be Impacted by the MCDPA?

The MCDPA impacts consumers by granting them the following rights over their personal data:

Confirm if a controller is processing their personal data and to access the categories of personal data being processed.
Correct inaccuracies in their personal data.
Delete their personal data.
Obtain the personal data collected about them in a portable format.
Opt out of processing for the purposes of targeted advertising.
Opt out of the sale of their personal data.
Opt out of profiling in furtherance of automated decisions that produce legal effects.

Consumers also have the right to obtain a list of the specific third-parties a controller has disclosed their personal information to.

They can exercise these rights by submitting a request to a controller at any time, specifying which rights they’d like to exercise.

Who Does the MCDPA Apply To?

The MCDPA applies to residents of Minnesota acting in an individual or household context and does not cover anyone in the state acting in an employment or commercial context.

How Will Businesses Be Impacted by the MCDPA?

Beyond the contractual obligations and UOOM requirements I outlined previously in this guide, the MCDPA also impacts businesses’ privacy and cookie policies.

How Will the MCDPA Affect My Privacy Policy?

The MCDPA heavily impacts privacy policies and outlines more specific requirements than most other current state privacy laws in the U.S.

Specifically, Section 8 of the MCDPA affects businesses’ privacy policies by requiring them to include all of the following information:

The categories of personal data being processed.
The purposes for which the data is being processed.
An explanation of consumers’ rights over their data, how they can follow through on them, and how they can appeal a controller’s decision.
The categories of personal data shared or sold to third parties, if any.
The categories of the third parties data is shared or sold to, if any.
The controller’s contact information, including an active email address or other online mechanism consumers may use to contact them.
A description of the controller’s retention policies for personal data
The date the privacy notice was last updated
Details about if the controller sells personal data to third parties, processes data for targeted advertising, or engages in profiling, and a disclosure of how consumers can opt out of such processing.

Additionally, the law says that privacy notices must be made available to the public in each language the controller provides a product or service in that is subject to the privacy notice.

It must be accessible and usable by individuals with disabilities.

If the policy is changed materially, the controller must notify consumers affected by the change and give them an opportunity to opt-out or withdraw their consent.

Finally, the privacy policy must be posted through a conspicuous hyperlink using the word “privacy” on the website’s homepage or the mobile application’s app store or download page.

If a controller doesn’t use a website, the privacy policy should be presented to users in whatever way they usually interact with the controller, including through the mail.

How Will the MCDPA Affect My Cookie Policy?

The MCDPA affects businesses’ cookie policies because the law gives consumers the right to opt out of data processing, which is often performed by deploying internet cookies on users’ browsers. It also outlines transparency requirements that must be met.

If you use internet cookies to collect personal data from Minnesota users, you must clearly disclose this to consumers and inform them how they can follow through on their rights.

Therefore, under the MCDPA, your cookie policy must be up-to-date, accurate, and linked to your privacy policy.

Who Must Comply with Minnesota’s New Data Privacy Law?

Your business must comply with the MCDPA if you conduct business in Minnesota or produce products and services targeted at residents of the state and meet one or more of the following:

Controls or processes the personal data of 100,000 consumers during a calendar year, excluding data processed solely to complete a payment transaction.
Derives over 25% of gross revenue from the sale of personal data and processes or controllers the data of 25,000 consumers or more.

Who Is Exempt From the MCDPA?

Several different entities are exempt from following the MCDPA, including the following:

Government entities
Nonprofits established to detect and prevent insurance fraud
Federally recognized Indian tribes
Certain banks, credit unions, and insurance companies
Protected health information governed by the Health Insurance Portability and Accessibility Act (HIPAA)
Financial data regulated by the Gramm-Leach-Bliley Act (GLBA)

How Can Businesses Prepare for the MCDPA?

To prepare for Minnesota’s new data privacy law, businesses must update privacy and cookie policies to meet all notification guidelines outlined by the MCDPA.

Also use a consent management platform (CMP) to provide users with a way to follow through on their opt-out rights for certain data processing, like targeted advertising.

Add a Data Subject Access Request (DSAR) form to your site so Minnesota residents can submit verifiable requests to exercise their rights, and establish an appeals process.

Finally, ensure your website is ready to acknowledge consumer opt-out preferences set by UOOMs like GPC and other browser extensions and settings.

How Will the MCDPA Be Enforced?

The Minnesota attorney general has the sole authority to enforce the MCDPA.

Entities allegedly violating the law have a 30-day cure period that sunsets on January 31, 2026.

Fines and Penalties Under the Minnesota Consumer Data Privacy Act

Fines for violating the MCDPA can reach as high as $7,500 per violation.

However, consumers do not have a right to private action under this law.

How Will Termly Help with MCDPA Compliance?

Termly will help with MCDPA compliance by ensuring our Privacy Policy Generator is updated to include all required notification details before the law enters into effect in 2025.

Our legal team and data privacy experts back our generators, which are incredibly easy to use.

It asks straightforward questions about your business and, based on your answers, creates a comprehensive policy for you.

We also offer a Consent Management Platform (CMP) you can configure to meet all opt-out requirements outlined by the law.

It comes with a free Data Subject Access Request (DSAR) form, which makes it easier for you to present your Minnesota users with a way to submit verifiable requests to follow through on their new privacy rights.

Minnesota is protected by a few other privacy-related laws that will work in tandem with the MCDPA once it enters into force, including the following:

Chapter 325M, Internet Privacy: This chapter outlines when disclosure of personal information on the Internet is prohibited, when it’s required, and describes the guidelines for permissions and authorizations concerning Internet Service Providers.
Chapter 325E, Section 61, the Breach Notification Law: This chapter describes guidelines for notifying individuals if their data was compromised in a breach and the responsibilities of the covered entity.
Chapter 325E, Section 64, Plastic Card Security Act: This chapter outlines the data breach notification requirements in relation to financial institutions.
Chapter 325E, Section 59, Use of Social Security Numbers: This chapter prohibits entities from requiring consumers to share social security numbers over the Internet without proper protections in place.
Chapter 626A, Section 02, Intersection and Disclosure of Communications: This chapter prevents entities from intercepting certain forms of communication through wire, electronic, or other means.
Chapter 609, Section 527, Identity Theft: This chapter describes the penalties if someone transfers or uses another person’s data or identity for nefarious purposes.
Chapter 13, the Minnesota Government Data Practices Act (MGDPA): This chapter describes the requirements for government entities to collect and use personal data.

Summary

If your business is subject to following the Minnesota Consumer Data Privacy Act, make sure you take the proper steps to prepare for compliance:

Ensure your privacy and cookie policies are updated and accurate.
Set your website up to understand and honor consumers’ opt-out preferences using technology like a UOOM.
Add a DSAR form on your website and describe the appeals procedure consumers can follow to appeal your decisions based on their privacy requests.
Make and sign adequate contracts if you work with any third-party data processors.
Perform data privacy and protection assessments for specific processing activities.

Remove some of the hassles of privacy compliance by using solutions like our Privacy Policy Generator and CMP to meet the requirements outlined by laws like the MCDPA.

More about the author

Written by Anokhy Desai CIPP/US, CIPT, CIPM

Anokhy is a privacy lawyer with prior experience in privacy and cybersecurity in the public and private sectors. As a former Westin Fellow at the IAPP, she published several articles, white papers, and infographics, and led, coordinated, and moderated webinars and panels, all regarding US privacy and privacy technology. Anokhy obtained her masters at Carnegie Mellon University and juris doctor at the University of Pittsburgh. More about the author

Privacy Policy for a Portfolio Website: How To Create One

Privacy Policy for a Travel Website: How To Create One

Privacy Policy for Dropshipping Websites and Stores

Privacy Policy for a Photography Website

Privacy Policy for Clothing Websites

What Is Data Privacy? Complete Guide for Businesses

Website Checklist for Data Privacy and Security

7 Step CCPA Compliance Checklist for Websites and Apps

Does Google Analytics 4 Comply With the GDPR?