Minnesota Consumer Data Privacy Act: A Practical Guide
Plain-English guide to the Minnesota MCDPA for small businesses. Learn thresholds, consumer rights, penalties, and how to comply before Jul 2025.
Last updated: 2026-02-08
Your SaaS platform has a growing customer base across the Midwest, and a chunk of those users are in Minnesota. Starting July 31, 2025, the Minnesota Consumer Data Privacy Act (MCDPA) gives those consumers a set of privacy rights that your business must respect -- or face enforcement by the Minnesota Attorney General. The MCDPA follows a familiar pattern set by states like Colorado and Virginia, but it adds several provisions that set it apart, including a right to question the results of profiling and one of the more detailed data protection assessment requirements in any state law. This guide walks through who the MCDPA covers, what it requires, and how to prepare before the deadline hits.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the Minnesota Consumer Data Privacy Act (Minn. Stat. ch. 325O), as of the date of publication.
Does This Law Apply to Your Business?
The MCDPA applies to businesses that conduct business in Minnesota or produce products or services targeted at Minnesota residents, and that during a calendar year meet at least one of two thresholds.
The first threshold is straightforward: your business controls or processes the personal data of 100,000 or more Minnesota consumers, excluding data processed solely to complete a payment transaction. If you operate an e-commerce store with 120,000 unique Minnesota visitors who provide any personal data (including through cookies and tracking), you likely meet this number.
The second threshold is lower but has a revenue component: your business controls or processes the personal data of 25,000 or more Minnesota consumers and derives more than 25 percent of gross revenue from the sale of personal data. Note that Minnesota uses a 25 percent revenue figure, whereas most other state laws use 50 percent. This makes the MCDPA more likely to capture mid-size data brokers and marketing firms that sell consumer data as a significant -- but not primary -- line of business.
Several categories of entities are exempt. These include state and local government bodies, entities already regulated under HIPAA, financial institutions covered by the Gramm-Leach-Bliley Act (GLBA), nonprofits, higher education institutions, and entities subject to the Family Educational Rights and Privacy Act (FERPA). Data regulated under the Fair Credit Reporting Act (FCRA) and the Driver's Privacy Protection Act is also excluded.
If your business is a 30-person marketing agency based in Minneapolis with 28,000 Minnesota consumers in your CRM and 30 percent of your revenue coming from data-driven lead lists you sell to other companies, you are covered under the second threshold. If you are a SaaS tool with 110,000 Minnesota users, you are covered under the first.
What Rights Do Consumers Have?
The MCDPA grants Minnesota consumers a robust set of rights that your business must be prepared to honor within 45 days of receiving a request (with a possible 45-day extension if reasonably necessary).
Right to Access. Consumers can request confirmation of whether your business is processing their personal data and can obtain a copy of that data. This is the foundational DSAR right and requires your business to have systems in place to locate and retrieve personal data tied to a specific individual.
Right to Correction. Consumers can ask you to correct inaccurate personal data. Your business must take commercially reasonable steps to fix the data and, if applicable, instruct your processors to do the same.
Right to Deletion. Consumers can request that you delete the personal data you hold about them. You must also notify your processors to delete it. Standard exceptions apply for legal obligations, fraud detection, and completing transactions.
Right to Portability. When a consumer requests access, you must provide the data in a portable, readily usable format that allows them to transmit it to another entity without hindrance.
Right to Opt Out. Consumers can opt out of the processing of their personal data for targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.
Right to Question Profiling. This is where Minnesota stands apart. The MCDPA gives consumers the right to question the result of profiling and to be informed of the reason that the profiling produced a particular result. This is a more granular transparency requirement than most state laws provide and reflects growing concern about automated decision-making.
| Right | Granted? | Notes |
|---|---|---|
| Access | ✅ | Must confirm processing and provide a copy of data |
| Correction | ✅ | Commercially reasonable efforts to correct inaccuracies |
| Deletion | ✅ | Must delete and instruct processors to delete |
| Portability | ✅ | Data provided in portable, machine-readable format |
| Opt out of sale | ✅ | Consumers can stop sale of their personal data |
| Opt out of targeted ads | ✅ | Must honor opt-out requests for ad targeting |
| Opt out of profiling | ✅ | Includes right to question profiling results |
What Your Business Must Do
Your first obligation is transparency. The MCDPA requires a clear, accessible privacy notice that discloses the categories of personal data you process, the purposes for processing, the categories of data shared with third parties, and how consumers can exercise their rights. If you sell personal data or use it for targeted advertising, you must disclose that fact. The privacy notice should also explain how consumers can appeal a decision your business makes regarding their request.
When a consumer submits a request, you have 45 calendar days to respond. You can extend this by an additional 45 days when reasonably necessary, but you must notify the consumer of the extension and explain why. Identity verification is required before fulfilling a request, but the law does not prescribe a specific method -- your approach should be proportionate to the sensitivity of the data and the risk of unauthorized disclosure.
For sensitive data -- which includes racial or ethnic origin, religious beliefs, health data, biometric data, precise geolocation, and data from a known child -- you must obtain opt-in consent before processing. This is not a checkbox buried in a terms-of-service page. It must be a clear, affirmative act.
The MCDPA requires data protection assessments for processing activities that present a heightened risk of harm to consumers. This includes targeted advertising, selling personal data, processing sensitive data, and profiling. These assessments must weigh the benefits of the processing against the potential risks to consumers. The Minnesota law is notably detailed on this point, requiring that these assessments be made available to the Attorney General upon request.
Contracts with your data processors must include clear instructions on the scope and purposes of processing, confidentiality obligations, and a requirement that the processor assist you in fulfilling consumer requests. If you use a third-party analytics provider, email marketing service, or CRM, your agreements with those vendors need to meet these requirements.
How Is It Enforced?
The MCDPA is enforced exclusively by the Minnesota Attorney General. There is no private right of action, meaning individual consumers cannot sue your business directly for violations of this law.
The Attorney General can seek penalties of up to $7,500 per violation. Because violations are counted per consumer per incident, a data handling practice affecting thousands of consumers could result in substantial aggregate fines.
The law includes a 30-day cure period for the first year after the law takes effect (until July 31, 2026). During this window, if the Attorney General notifies your business of a violation, you have 30 days to cure it before enforcement proceeds. After July 31, 2026, the cure period expires and the Attorney General can pursue enforcement immediately. This sunset provision mirrors the approach taken in Colorado and Virginia, where cure periods were designed to give businesses time to adjust but not to serve as permanent shields.
Because the MCDPA only recently took effect, there are no public enforcement actions yet. However, the Minnesota AG's office has a history of aggressive consumer protection enforcement, and businesses should not assume a relaxed posture.
How This Compares to Other State Laws
Minnesota's law sits comfortably in the second wave of state privacy legislation, borrowing heavily from Colorado and Virginia while adding its own twists. Here is how it compares to those laws and to California's CCPA/CPRA:
| Feature | MCDPA (MN) | CPA (CO) | VCDPA (VA) | CCPA/CPRA (CA) |
|---|---|---|---|---|
| Effective date | Jul 31, 2025 | Jul 1, 2023 | Jan 1, 2023 | Jan 1, 2020 |
| Consumer threshold | 100K | 100K | 100K | 100K |
| Revenue-from-sales threshold | 25% | Any revenue | 50% | 50% |
| Cure period | 30 days (sunsets 2026) | 60 days (sunset 2025) | 60 days (sunset 2025) | None |
| Right to question profiling | Yes | No | No | No |
| Private right of action | No | No | No | Yes (breaches only) |
| Sensitive data consent | Opt-in | Opt-in | Opt-in | Opt-out |
Minnesota's standout feature is the right to question profiling results, which goes beyond what Colorado and Virginia require. Its 25 percent revenue threshold (compared to 50 percent in Virginia and California) also casts a wider net over businesses that derive meaningful -- but not majority -- revenue from data sales. If your business already complies with the Colorado Privacy Act, you are in good shape for the MCDPA, but you will need to add the profiling transparency component and review whether the lower revenue threshold brings you into scope.
Action Checklist for Small Businesses
-
Check whether you meet the thresholds. Count your Minnesota consumers and assess whether you hit the 100,000 mark, or the 25,000 mark combined with 25 percent or more revenue from data sales.
-
Update your privacy notice. Add the required disclosures about data categories, processing purposes, third-party sharing, and how consumers can exercise their rights and appeal decisions.
-
Build a DSAR response process. Establish a workflow for receiving, verifying, processing, and responding to consumer requests within 45 days. Designate someone on your team as the point person.
-
Implement opt-in consent for sensitive data. If you process health data, biometric data, precise geolocation, or information about children, you need an affirmative consent mechanism in place.
-
Conduct data protection assessments. Document the risks and benefits for any processing activity involving targeted advertising, data sales, sensitive data, or profiling.
-
Update your vendor contracts. Make sure processor agreements include MCDPA-required provisions on scope, purpose, confidentiality, and consumer request assistance.
-
Train your team. Hold a brief training session so customer-facing staff can recognize a privacy request and route it correctly.
-
Set a calendar reminder for July 31, 2026. That is when the cure period expires and enforcement can proceed without a notice-and-cure window.
Key Dates
- May 24, 2024: Governor Tim Walz signed the MCDPA into law.
- July 31, 2025: MCDPA takes effect.
- July 31, 2026: 30-day cure period expires.
References
- Minnesota Consumer Data Privacy Act: Minn. Stat. ch. 325O (HF 2309). Full text on Minnesota Revisor of Statutes
- Minnesota Attorney General's Office: Consumer protection resources
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.
Ready to handle data subject requests from Minnesota consumers? Check out our DSAR Compliance Guide for a step-by-step framework your team can implement this week.