Data Privacy Alerts

Minnesota Consumer Data Privacy Law Goes into Effect in July 2025

Read this data privacy alert to learn about the Minnesota Consumer Data Privacy Act, which went into effect on July 31, 2025.


Why This Alert Is Important

Minnesota’s new privacy law gives residents more control over their personal data and adds new responsibilities for businesses. It sets stricter rules around profiling, sensitive data, and consent. If you work with Minnesota citizens’ data, you’ll need to adjust your policies and processes to comply with the law.

Overview

Minnesota passed the Consumer Data Privacy Act (MCDPA) in May 2024. It went into effect on July 31, 2025. The law applies to companies that collect personal information from at least 100,000 Minnesotans per year, or 25,000 if they make over 25% of their revenue from selling data. Small businesses are mostly exempt unless they sell sensitive data.

Now that the MCDPA is in effect, Minnesotans have the right to access, correct, delete, and download their personal data. They can also opt out of targeted advertising, data sales, and decisions made through automated systems. If a company uses profiling to decide things like pricing or eligibility, people can ask for explanations and challenge the results.

The law requires businesses to share more details in their privacy notices—what data they collect, why they collect it, and who they share it with. These notices must be easy to understand, offered in the languages used by the business, and accessible for people with disabilities.

Companies that collect sensitive data (like race, health, location, sexual orientation, or data about children) must get clear consent before doing so. There’s also a strong focus on data minimization—collecting only what’s needed for a clear business purpose.

The Minnesota Attorney General is in charge of enforcement. There’s a 6-month grace period with a 30-day “cure window” for violations. After that, businesses could face fines of up to $7,500 per violation.

What it Covers

Key Implications of the MCDPA

Minnesota is the first state to require controllers to maintain data inventories. Unlike many other state privacy laws, the MCDPA explicitly requires controllers to maintain an inventory of personal data. This inventory supports accountability and helps ensure that the data processing aligns with legal obligations and internal privacy policies.

Controllers may not retain personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected. Also, the law requires a controller to document and maintain a description of the policies and procedures that controller has adopted to comply with the bill. This description is required to include the name and contact information for the controller’s Chief Privacy Officer.

In addition to the above requirements, the law also requires controllers to limit data collection to only what is necessary, give clear privacy notice to consumers (including an explanation of their rights and opt-out options), obtain explicit consent while processing sensitive data, and conduct DPIAs for high-risk processing.

While the MCDPA shares similarities with other comprehensive state privacy laws, it has several unique provisions that deserve attention. Chief among those, as noted above, is the MCDPA’s requirement for controllers to maintain data inventories as part of their data security practices. In addition, unlike many other laws, the MCDPA does not contain an exemption for non-profit entities and, consequently, non-profits operating in Minnesota must assess the MCDPA’s applicability. Finally, the MCDPA provides an expanded right with respect to “profiling.” Like other states, the MCDPA allows consumers to opt out of “profiling.” But it goes further, permitting consumers to (1) be informed of the reason for any decisions resulting from profiling and what the consumers could have done to secure a different decision, (2) review the personal data used in the profiling, and (3) in certain circumstances, have their profiling decision reevaluated after correcting their personal data.

Sten-Erik Hoidal, CIPP, Shareholder & Chair, Data Privacy and Security, Fredrikson & Byron, P.A.

Data Privacy Tip

With the patchwork quilt of US state privacy laws constantly evolving, it can be difficult to keep up with all the requirements that apply. Gain an understanding of the new privacy laws coming into effect with Exterro’s 2025 edition of the US State Privacy Compliance Checklist.
