Minnesota’s New Consumer Data Privacy Law: Are You Impacted?

Until recently, Minnesota businesses navigating data privacy obligations were operating under a patchwork of statutes instead of a single, cohesive law. The Minnesota Consumer Data Privacy Act (MCDPA), Minn. Stat. § 325M.01 et seq., is set to take effect on July 31, 2025, and it marks a major shift by creating a unified framework for how businesses handle personal data belonging to Minnesota residents.

Data Privacy in Minnesota Prior to the MCDPA

Under the current legal structure, privacy obligations for Minnesota businesses are spread across various statutes, each focused on specific data types, industries, or uses. For example:

  • The Minnesota Government Data Practices Act (MGDPA), Minn. Stat. § 13, applies primarily to public entities and not private companies.
  • The Data Breach Notification Law, Minn. Stat. § 325E.61, requires businesses to notify affected individuals in the event of a security breach involving unencrypted personal information.
  • Minnesota’s Fair Credit Reporting statutes, Minn. Stat. §§ 13C.01 to 13C.016, and Social Security Number protections, Minn. Stat. § 325E.59, offer targeted protections for categories of sensitive information.
  • The Minnesota Health Records Act, Minn. Stat. § 144.291 et seq., governs access to patient records in the healthcare context.
  • More generally, the Minnesota Prevention of Consumer Fraud Act, Minn. Stat. §§ 325F.68–.70, can apply to misleading practices involving data use or disclosures, but it lacks clear guidance on what specific data-handling practices are permitted or prohibited.

In short, while Minnesota has long taken consumer protection seriously, there has never been a single law providing residents with comprehensive data rights or imposing broad compliance duties on private companies, until now.

What Companies are Impacted by the MCDPA?

The MCDPA applies to “Controllers” and “Processors,” which are businesses that either:

  • control or process personal data of 100,000 Minnesota consumers or more during a calendar year, excluding personal data controlled or processed solely for payment transaction purposes;
  • derive over 25 percent of their gross revenue from selling personal data and also control or process the personal data of 25,000 or more Minnesota consumers; or
  • act as an educational technology provider under certain circumstances.

The MCDPA exempts small businesses (as defined by the U.S. Small Business Administration) but still requires them to obtain informed consent from consumers before selling a consumer’s sensitive data, which is data related to race, religion, health condition or diagnosis, sexual orientation, citizenship, biometrics, geolocation, or children under 13.

The MCDPA expands the traditional definition of “sales” to include any exchange of personal data for something of value, not just money. For example, a data sharing agreement in a marketing or analytics context may constitute a “sale.”

New Consumer Rights Under the MCDPA

For the first time, Minnesota consumers will have consistent rights concerning their personal data. Companies covered by the MCDPA must provide consumers with the ability to:

  • opt out of any personal data collection, targeted advertising, the sale of personal data, and automated profiling based on the collection and analysis of their data;
  • confirm whether the business is processing the consumer’s personal data;
  • determine what type of personal data the business is processing;
  • delete their own personal data;
  • review and obtain the personal data the business is using; and
  • obtain a list of the third parties to which the personal data was disclosed.

New Obligations for Businesses

For businesses, the law introduces new responsibilities around data minimization, transparency, and consent. It requires covered businesses to:

  • limit data collection to only what is necessary;
  • provide clear, detailed privacy notices;
  • respond securely and in a timely manner to consumer requests to exercise data privacy-related rights;
  • provide consumer-friendly mechanisms to opt out of covered data practices;
  • ensure third parties comply with data privacy obligations when processing consumers’ data; and
  • obtain explicit consent from consumers before processing sensitive data.

Coordinating Compliance with Other Privacy Regulations

Despite its breadth, MCDPA compliance will not automatically satisfy all other data-related obligations. Businesses will still need to observe other state and federal privacy laws that operate outside the MCDPA’s scope. These include but are not limited to:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Minnesota Health Records Act
  • Children’s Online Privacy Protection Act (COPPA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Fair Credit Reporting Act (FCRA)
  • CAN-SPAM Act
  • Minnesota’s existing Data Breach Notification Law

Many other states have their own version of the MCDPA as well. Companies handling consumer data on a national basis therefore need to comply with the laws of each state where their consumers reside.

In other words, while the MCDPA introduces welcome clarity in many areas, it does not eliminate the need for a multi-layered approach to compliance. For most businesses, meeting the MCDPA’s standards will significantly raise the baseline, but industry-specific federal laws and laws of other states may still require additional steps.

Penalties for Breach

The Minnesota Attorney General has authority over enforcement of the MCDPA and may impose civil penalties up to $7,500 per violation. Businesses will receive warnings before enforcement actions begin in early 2026. There is no private right of action, meaning consumers cannot bring their own lawsuit against a business that is not in compliance.

How to Prepare

Businesses subject to the MCDPA should take proactive steps to ensure compliance before July 31, 2025. Some steps to consider:

  • Conduct a data inventory to identify and document all activities that collect, control, or process personal data.
  • Update notices, agreements, and privacy policies to clearly communicate your data practices and set compliant terms with vendors.
  • Implement processes and procedures to adhere to the MCDPA’s requirements for consumer consent, opt-out, and other protocols for exercising consumer data privacy rights.
  • Review any automated data processing systems to ensure transparency and consumer control.
  • Prepare for opt-outs by making sure your technologies can comply with consumer requests.

Companies already compliant with other state privacy laws might only require targeted adjustments, but all businesses subject to the MCDPA should begin preparing now. Understanding how this law aligns with broader regulatory frameworks will help your business maintain compliance, reduce risk, and build trust with consumers.

FMJ’s business attorneys can audit your organization’s policies, practices, and procedures, and we can help make sure you are taking the right steps to comply with these new consumer data protection standards. Please reach out to Attorneys Pat Shriver or Morgan Zuehlke to get started with these issues or any other legal questions your organization may have in the data and technology space.
