The MCDPA applies to entities doing business in Minnesota or produce products or services that are targeted to residents of Minnesota, and that satisfy one or more of the following threshold:

• During a calendar year, controls or processes personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
• derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.

What is a “Controller” and What are a Controller’s Obligations?

A “Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.

The MCDPA obligates controllers to provide consumers with a clear and accessible privacy notice that sets forth the categories of personal data being processed and the purposes for that the data will be processed for. The privacy notice must also set forth the categories of personal data sold or shared with third-parties, identify the third-parties, explain how consumers may exercise their privacy rights, set forth the controller’s contact information, and describe the controller’s personal data retention policy. Notably, controllers are expressly restricted to the collection of personal data that is “adequate, relevant, and reasonably necessary” for its intended processing.

How does the MCDPA Require Controllers to Protect Personal Data? 

According to the MCDPA, controllers are obligated to establish and maintain administrative, technical and physical data security practices that reasonably ensure the “confidentiality, integrity, and accessibility” of personal data. Records reflecting a detailed inventory of the data being managed must be maintained. A privacy or legal regulatory compliance officer must also be appointed.

What Rights do Minnesota Consumers Possess Under the Minnesota Consumer Data Privacy Act?

The MCDPA provides Minnesota consumers with the right to access, correct, delete and obtain copies of their personal data. Minnesota consumers are also provided the right to opt-out of data sales and targeted advertising. Minnesota consumers are also required to affirmatively “opt-in” to the processing of their sensitive data.

Not unlike other states’ data privacy legislation, Minnesota consumers are also afforded the right to demand the specific third-parties their data has been sold or shared to, and to seek information regarding profiling.

The MCDPA also provides Minnesota consumers with forty-five (45) days to receive a response to data privacy related requests and are also provided with the right to appeal decisions.

Who Can Enforce the Minnesota Consumer Data Privacy Act?

The Minnesota Attorney General is vested with enforcement of the MDCPA. There is not a private right of action under the MDCPA.

Until January 31, 2026, prior to commencing a regulatory actions controllers must be sent a warning letter and has thirty (30) days to cure an alleged violation. In the event of an enforcement proceeding, civil penalties of up to $7,500 per violation are available.