Minnesota Passes Privacy Law

Minnesota is the latest state to jump on the privacy law bandwagon, with its Legislature passing the Minnesota Consumer Data Privacy Act (MCDPA). The law will go into effect on July 31, 2025.

The Minnesota privacy law largely mirrors privacy laws passed in other states. One unique aspect of the MCDPA is its privacy policy and data protection assessment requirements, which state that organizations must identify and provide contact information for the chief privacy officer or other person in charge of privacy matters.

Applicability

The law will apply to entities that conduct business in the state or produce services and products targeted to Minnesota residents and meet one of the following criteria:

• Controlled or processed the data of at least 100,000 consumers, excluding data for the sole purpose of completing payment transactions
• Controlled or processed the data of at least 25,000 consumers and derived more than 25% of its gross revenue from the sale of personal data

Minnesota’s law exempts data subject to HIPAA and the GLBA, but not the organization. Further, the law does not apply to small businesses as defined by the U.S. Small Business Administration or non-profit organizations assisting law enforcement agencies investigating insurance.

Consumer Rights

Minnesota’s privacy law grants consumers the following rights:

• Confirm whether a controller processes the consumer’s personal data and access to personal data
• Correct inaccuracies in their data
• Delete personal data
• Obtain a copy of the personal data held by the controller if the processing of the data is done by automatic means
• Opt out of the processing of personal data for targeted advertising, the sale of personal data, or certain types of profiling
• Obtain a list of third parties or categories of third parties to controller has shared personal data with
• Designate another person as their authorized agent to opt out of processing data for targeted advertising and sale

Business Obligations

The Minnesota privacy law places the following requirements and restrictions on businesses:

• Businesses must limit the collection and processing of personal data to what is reasonably necessary
• Gain consent before processing sensitive data. Sensitive data includes data that reveals racial and ethnic origins, religious beliefs, health information, sexual orientation, immigration status, genetic or biometric data, the data of a child, and specific geolocation data
• Follow COPPA requirements when processing the data of a known child
• Processing data for targeted advertising or selling the personal data of a consumer between the ages of 13-16 is prohibited without consent
• Cannot process a consumer’s data in a manner that discriminates against individuals based on an individual’s actual or perceived race, color, ethnicity, sex, sexual orientation or gender identity, physical or mental disability, religion, ancestry, familial status, or national origin
• Prohibited from discriminating against a consumer for exercising any of the consumer rights
• Provide a mechanism for consumers to revoke consent
• Provide the consumer with an opt-out mechanism that is easy to use
• Establish data security practices to protect personal data
• Maintain a personal data inventory

Businesses must respond to consumer requests within 45 days. A 60-day extension is available when reasonably necessary.

Privacy Notice

The law requires businesses to provide a “reasonably accessible, clear, and meaningful” privacy notice on the organization’s webpage as a link that includes the word “privacy.” The privacy notice must include the following:

• The categories of personal data the controller processes
• The purpose of processing personal data
• How consumers may exercise their rights, including how a consumer may appeal a controller’s decision concerning the consumer’s request
• The categories of personal data that the controller shares with third parties
• An active e-mail address or other online mechanism a consumer may use to contact the controller
• How consumers can opt out of the selling of their data for targeted advertising
• A description of its retention policies for personal data

Data Protection Impact Assessments

The Minnesota Consumer Data Privacy Act requires businesses to conduct and document a data privacy and protection assessment of each of the following processing activities:

• Processing personal data for targeted advertising
• The sale of personal data
• Processing data for profiling
• Processing sensitive data
• Processing data that presents a heightened risk of consumer harm

Enforcement

Enforcement is the responsibility of the Minnesota Attorney General. There is no private right of action. There is a 30-day right-to-cure period that expires on January 31, 2026. Penalties can be as much as $7500 per violation.

CompliancePoint can help your organization comply with GDPR, CCPA, and all other state privacy laws. Reach out to us at connect@compliancepoint.com to learn more about our privacy services.