The Minnesota Consumer Data Privacy Act (MNCDPA) was signed into law on May 24, 2024, by Governor Tim Walz, becoming the 19th comprehensive data privacy law in the United States. The law went into effect on July 31, 2025.
The MNCDPA adopts a regulatory framework similar to other state-level consumer data privacy laws, including those in Virginia, Connecticut, and Montana. Like these and other state laws, the MNCDPA applies only to certain businesses that meet a specific application threshold based on the volume of data processing in a given year. The MNCDPA also imposes an array of compliance requirements on businesses that process personal data, such as:
- Adherence to data minimization and purpose limitation principles
- Regularly updated privacy notices
- Security protocols to protect consumer data
- Data processing agreements when using a third-party data processor
The MNCDPA also contains several novel provisions, including enhanced rights related to certain forms of profiling, particularly those that produce legal or similarly significant effects. These provisions are explored in more depth later on in this article.
Understanding and effectively navigating the MNCDPA’s compliance requirements is essential for businesses operating in the Land of 10,000 Lakes. The information below provides guidance on which businesses must comply with the MNCDPA, the regulatory requirements it contains, and the potential consequences for non-compliance.

Who the law applies to
A key question Minnesota businesses are asking is, “Do we have to comply with the MNCDPA?” The answer is: it depends. The MNCDPA sets an application threshold based on the volume of data processing a Minnesota business conducts in a given year. Keep reading to learn more.
Businesses that meet the MNCDPA’s application threshold must comply
The Minnesota data privacy law focuses on the data processing activities of “controllers,” which are defined as individuals or legal entities that determine the purpose and means of processing personal data. Controllers that either conduct business in Minnesota or produce products or services targeted to Minnesota residents must comply with the MNCDPA when, within a calendar year, they meet either of these thresholds:
- They control or process the personal data of at least 100,000 unique Minnesota consumers; or
- They control or process the personal data of 25,000 unique Minnesota consumers and derive over 25% of their gross revenue from the sale of that data.
Exempted entities
Like many other state-level consumer data privacy laws, the MNCDPA exempts several categories of entities, including:
- Government entities
- Native American tribes
- Chartered banks or credit unions
- Insurance companies
The MNCDPA also exempts certain data governed by other regulatory frameworks, including:
- Financial data regulated by the Gramm-Leach-Bliley Act
- Protected health information governed by the Health Insurance Portability and Accountability Act
- Consumer credit-reporting data
- Data covered by the Drivers' Privacy Protection Act
- Data covered by the Family Educational Rights and Privacy Act
- Data covered by the Fair Credit Reporting Act
- Data covered by the Farm Credit Act.
In addition, the MNCDPA exempts data for the purposes of job applications or employment, data necessary to administer benefits, and data processed or maintained for emergency contact purposes.
Notably, Minnesota is among a small number of states, including Texas and Nebraska, whose laws explicitly reference size standards (as defined by the United States Small Business Administration) for certain exemptions from having to comply with the law. Sensitive data generally may not be processed without consumer consent, subject to limited statutory exceptions.
Requirements for businesses under the MNCDPA
Businesses subject to the Minnesota data privacy law must meet an array of compliance obligations. For example, the law requires that privacy notices be clear, conspicuous, and accessible.
These notices should inform consumers about the categories of personal data processed, the purposes for processing, how consumers can exercise their rights, and the categories of personal data shared with third parties. In addition, the notice must be reasonably accessible and written in plain language that consumers can understand.
The MNCDPA requires businesses to adhere to data minimization principles, such as limiting their collection of personal data to only what is adequate, relevant, and reasonably necessary for the disclosed purposes. This principle prevents businesses from engaging in overly broad data collection practices that accumulate information without clear justification.
In addition, the MNCDPA requires businesses to adhere to purpose limitation obligations, which generally mean that businesses should not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes, unless they obtain consumer consent.
This requirement ensures that data collected for one purpose isn't repurposed without the consumer's knowledge or permission.
Heightened obligations for businesses when processing sensitive data
Under the MNCDPA, sensitive data is subject to heightened protections and may not be processed without a consumer's consent. The categories of data considered to be sensitive typically include personal data that reveals:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnoses
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data processed for identification purposes
- Personal data from a known child
- Precise geolocation data
Another category of data subject to heightened restrictions is children’s data. Specifically, the Minnesota law requires companies to obtain opt-in consent from consumers aged 13 to 16 before selling or sharing their personal data for targeted advertising. For children under 13, parental consent requirements under COPPA continue to apply.
Security requirements to protect personal data
In addition to stricter processing protocols for sensitive data and adhering to both data minimization and purpose limitation principles, Minnesota businesses must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
The appropriate level of security depends on factors such as the volume and nature of the personal data, the size and complexity of business operations, and the cost of available tools.
Assessments necessary for certain types of data processing
Businesses subject to the MNCDPA must also conduct data protection assessments for certain high-risk processing activities. These assessments help identify and mitigate privacy risks before they materialize into actual harm.
Data protection assessments are typically required for processing activities that present a heightened risk of harm to consumers, such as targeted advertising, the sale of personal data, profiling that may result in unfair or deceptive treatment, processing sensitive data, or processing personal data that could result in a reasonably foreseeable risk of harm to consumers.
These assessments should identify and weigh the benefits of the processing against potential risks to consumer privacy, and consider safeguards that can mitigate such risks. Businesses must make these assessments available to the attorney general upon request, ensuring regulatory oversight of high-risk activities.
Data processing agreements required when third-party processors handle personal data
The MNCDPA contains provisions that address relationships between businesses and third parties that process personal data on their behalf. Specifically, companies must enter into contracts with data processors, which are entities that process data on behalf of a business (known as a controller under the law).
These data processing contracts must clearly set out the following:
- Instructions for processing data
- The nature and purpose of processing
- The type of data subject to processing
- The duration of processing
- The rights and obligations of both parties.
In addition, processors must assist companies in meeting their statutory obligations under the Minnesota law.
Statutory rights afforded to Minnesota consumers under the MNCDPA
The MNCDPA grants Minnesota residents several statutory rights regarding their personal data. These rights empower consumers to make informed decisions about how their information is used and to take action to limit data processing. Under the Minnesota data privacy law, consumers have the following data subject rights:
Right to know and right to access your data
Consumers have the right to know whether a business is processing their personal data and to access that data. This transparency right allows individuals to understand what information companies hold about them.
Right to get a copy of your personal data
Consumers have the right to obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance.
Right to deletion
The right to deletion enables consumers to request that businesses delete their personal data, subject to certain exceptions. Businesses must honor these requests unless they need to retain the data for specific legitimate purposes, such as completing transactions, detecting security incidents, complying with legal obligations, or exercising free speech rights.
Right to correct inaccurate info
Consumers have the right to correct inaccuracies in their personal data. This ensures businesses maintain accurate information, benefiting both consumers and businesses by improving data quality and decision-making.
Right to opt out
The right to opt out of certain data processing activities is particularly significant. Consumers can opt out of the sale of their personal data, the processing of personal data for targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects. These opt-out rights give consumers meaningful control over how their data is used for commercial purposes.
Risks and penalties for not complying with the MNCDPA
Enforcement of the MNCDPA is conducted exclusively by the Minnesota Attorney General's Office, with no private right of action for consumers. This means the AG’s Office is responsible for investigating violations and bringing enforcement actions.
Sizable civil penalties
The AG’s Office may bring an enforcement action for civil penalties of up to $7,500 per violation and reasonable attorney's fees. In addition, it can pursue injunctive relief for any identified violations.
Cure period expired
A brief cure period was available to businesses, but it expired on January 31, 2026. This means the attorney general can bring an enforcement action against a Minnesota business without providing notice or affording the business an opportunity to remedy the alleged compliance violation.
How can Didomi help companies comply with the Minnesota Consumer Data Privacy Act?
The Minnesota Consumer Data Privacy Act adds another layer of complexity for businesses navigating the state-level data privacy landscape. By granting consumers meaningful rights over their personal data and imposing corresponding obligations on businesses, the MNCDPA seeks to establish a more balanced and transparent data ecosystem.
Businesses operating in Minnesota or serving Minnesota residents must carefully assess their data practices, implement necessary changes, and maintain ongoing compliance with the law’s requirements.
Keeping up with the pace and scope of these new data privacy regulations adds compliance complexity and risk to your business operations. By taking a proactive approach to compliance with Didomi, businesses can help avoid penalties and build trust with Minnesota consumers through transparent data practices. Discuss your challenges with one of our experts, or discover more about data privacy in the United States in our comprehensive guide.
Frequently Asked Questions (FAQs)
How is personal data defined under the Minnesota law?
Personal data generally refers to information that is linked or reasonably linkable to an identified or identifiable individual. This broad definition encompasses a wide range of information, from names and contact details to browsing history and location data.
How is data processing defined under the Minnesota law?
Processing includes operations performed on personal data, such as collection, use, storage, disclosure, analysis, deletion, or modification.
How is the sale of personal data defined under the Minnesota law?
The sale of personal data, a particularly regulated activity under the Act, involves the exchange of personal data for monetary or other valuable consideration.
Are businesses required to respond to opt-out requests sent via Universal Opt Out Mechanisms (UOOMs)?
Yes. The MNCDPA requires companies to respond to requests to opt out of sales or targeted advertising made via UOOMs. In addition, the law requires that the UOOM not unfairly disadvantage another company or make use of a default setting. Also, the UOOM must:
- Be easy to use by the average consumer
- Be as consistent as possible with other similar mechanisms required by other laws
- Enable the company to accurately determine whether the consumer is a Minnesota resident.
How long do businesses have to respond to a data subject request?
Companies subject to the MNCDPA must respond to a data subject request within 45 days of receipt (with a 45-day extension).
Does a business have to disclose all responsive data to a consumer request?
Not necessarily. A notable provision of the MNCDPA is the express prohibition on companies disclosing certain sensitive information, such as Social Security numbers, driver's license numbers, health insurance account numbers, financial account numbers, biometric data, and account passwords or security questions and answers, in response to a data subject request. Instead, companies are only required to inform the consumer "with sufficient particularity" that they have collected that sensitive information.












