Minnesota’s Consumer Data Privacy Act: An Overview

Verrill

Twenty-nine years after Prince warned us about the dangers of the Internet, his home state has taken action to protect consumers who use it.[1] On July 31, 2025, Minnesota joined the roughly twenty states that have adopted comprehensive privacy statutes. The new law, the Minnesota Consumer Data Privacy Act (MCDPA), grants the state’s residents new rights and requires businesses to honor them. This article gives a high-level summary of the new landscape.

To Whom Does the Minnesota Consumer Data Privacy Act Apply?

The MCDPA does not apply to every company doing business in Minnesota, but it does apply to many that have no operations in the state at all. The law applies if a company does business in Minnesota and meets one of two other tests. It applies where a company controls or processes personal data of 100,000 or more Minnesota consumers in a given year (with some exceptions). It also applies if a company controls or processes the personal data of 25,000 or more Minnesota consumers in a year, and if that company derives more than 25% of its gross revenue from selling personal data. Unlike the laws of some states, Minnesota’s privacy law does not consider a company’s income when determining its status.

The MCDPA’s Structure and Key Concepts

The MCDPA’s structure is broadly familiar to companies that have sought to comply with similar state laws in recent years.

  • Personal data means virtually any information that links to – or can reasonably be linked to – an identified or identifiable person. This includes names, contact information, photographs, fingerprints, and other biometric data. It also includes many data types that people often are not aware they’re providing, such as the IP addresses of their devices when navigating the Internet.
  • Profiling means any type of automated processing of personal data that is done to analyze or predict a person’s health, personal preferences, economic situation, movements, behavior, reliability, or certain other traits.
  • To process personal data means to do nearly anything with it: to actively gather it, to passively receive it, to store it, to copy it, or to provide it to a third party.
  • To sell personal data generally means exchanging it for any valuable consideration – a “sale” can occur even where no money changes hands.
  • A controller is a company or individual who determines the purposes and means of processing personal data.
  • A processor is a company or person who processes personal data on behalf of a controller. A common example of a controller-processor relationship is a company (the controller) that hires a vendor (the processor) to whom it provides personal data as part of the vendor’s work (for example, a retailer providing customer data to its advertising firm for outbound email campaigns). As with most privacy laws, in Minnesota, a processor can inadvertently become a controller if it is not careful. One scenario that can produce this result is where a processor fails to adhere to processing instructions provided by its controller. In that case, the processor is making its own determination as to the means and purpose of the processing, which is precisely what the law deems controller conduct.

In short: like most modern state privacy laws, the policy of the MCDPA is that certain types of actors (controllers) make significant decisions regarding people’s identifying data and should carry heavy regulatory obligations to protect it; other actors that work on controllers’ behalf (processors) are less burdened by compliance, but still have duties reflecting their access to this valuable data.

New Rights for Minnesota Consumers

The MCDPA provides Minnesota consumers with significant new rights. They include:

  • Right to Access: Consumers can ask controllers whether they are processing data about them and learn high-level information about what that data consists of.
  • Rights to Correction and Deletion: Consumers can ask controllers to correct or delete personal data that the controllers maintain about them.
  • Right to Data Portability: Consumers can demand that controllers provide them copies of personal data that the consumers have provided them in a format making it easy to transfer to other controllers.
  • Right to Transparency: Consumers are entitled to detailed new types of privacy notices and can request a list of third parties with whom their data has been shared.
  • Opt-Out Rights: Consumers can demand that their personal data not be used for targeted ads or sold to third parties. They can also demand that their data not be used for profiling in furtherance of automated decisions that produce specific, significant effects for them.
  • Robust Profiling-Related Rights. Consumers are entitled to question the results of profiling that involves them and to be informed of the reasons behind the decision made. Where feasible, consumers must also be informed about the actions they could have taken to achieve a different result from the profiling.

The profiling-related rights in the final bullet above are somewhat unique to Minnesota. Implementing them can also pose significant challenges for companies that have not yet developed processes for them. For example, companies using Artificial Intelligence (AI) in profiling may find it challenging to explain to consumers exactly why their AI models produced the results that they did.

What Does the Minnesota Consumer Data Privacy Act Mean for Controllers?

Companies that qualify as “controllers” under the MCDPA have a host of new compliance obligations. These include:

  • Complying with consumers’ rights. Controllers must design and implement website features and take other steps to enable consumers to exercise their rights described above, as well as others provided by the MCDPA.
  • Rigorous Privacy Notice Rules: Controllers must maintain privacy notices that describe the types of personal data collected and the reasons for its collection, that advise consumers of their opt-out rights, and more. The requirements for these notices differ from those in other states, and they must be published in every language in which the controller does business. They must also be published in a format accessible to individuals with visual impairments or other disabilities.
  • Limits on data collection, processing, and retention: Controllers must collect personal data only to the extent that it is relevant and reasonably necessary for the purposes for which the data are processed—which must be disclosed to consumers. Except with a consumer’s consent, a controller generally cannot process their personal data in ways that have not been disclosed to the consumer. Controllers must generally delete personal data that they no longer need for processing purposes that have been disclosed to consumers.
  • Internal Assessments. Controllers must periodically conduct rigorous assessments of their personal data-related practices and document them in reports that the Minnesota Attorney General can review.
  • Contracts with Processors. Controllers cannot share personal data with processors except under written contracts that contain specific provisions. These contracts are often referred to as data processing agreements or data processing addenda attached to other agreements. Whatever their name, they must bind the processor to a duty of confidentiality, allow the controller to audit the processor for privacy compliance, and provide a detailed description of the personal data to be processed. The contract must also prohibit the processor from using its subcontractors in connection with the personal data without providing the controller with prior notice and an opportunity to object, among other provisions.

What Does the Minnesota Consumer Data Privacy Act Mean for Processors?

While the MCDPA regulates controllers more heavily than processors, the latter do not escape regulation completely. A processor must follow the processing instructions set out in its data processing agreement with its controller. The processor must assist the controller in meeting the controller’s obligations under the statute, including taking action in response to security breaches and incidents. Additionally, the processor must follow the controller’s directions regarding the deletion or return of personal data at various times. And processors must comply with the audit and assessment processes that the MCDPA requires controllers to demand from processors.

How the MCDPA is Enforced

The Minnesota statute does not permit injured consumers to bring their own private lawsuits against controllers or processors. Instead, it empowers the state Attorney General to bring civil actions against both controllers and processors to enforce the law. A violation of the MCDPA can result in a penalty of up to $7,500 per occurrence. It can also entitle the state to recover its litigation expenses, which could exceed the statutory fees. While the law took effect in July 2025, controllers and processors have a somewhat softened enforcement environment until January 31, 2026. Before that date, the Minnesota Attorney General must provide written notice of noncompliance to violators of the MCDPA, along with 30 days to cure.

Practical Guidance for Companies

Companies can take steps now to ensure their compliance with the MCDPA. These include:

  1. Determine whether you’re a Minnesota controller or processor, or neither (or both). Bear in mind that a company can be a processor for some purposes but a controller for others.
  2. As a controller or a processor, update your data processing agreements as necessary for Minnesota. Many data processing agreements written today were first drafted after the GDPR and the California privacy statute took effect in 2018, and many of them still reference these two laws while overlooking more recent state laws. Many states, including Minnesota, add their own quirks to privacy compliance. Contrary to a widely held misunderstanding, complying with California law does not automatically mean a controller or processor complies with Minnesota or any other state.
  3. If you are new to privacy compliance, take action now. Many Minnesota-based companies may have reasonably taken the position in recent years that they did not have to comply with other state privacy laws because they did not conduct enough business in those states to trigger the laws. If you now conclude that you must comply with the MCDPA and have not tackled compliance with similar laws to date, the rigor that compliance requires may surprise you. Updating website language is only the beginning, and sometimes the easiest part. Designing practices across an organization to minimize data retention, respond to consumer opt-out requests, and manage vendor contracts takes considerable time and attention.

[1] “I scan my computer, looking for a site / Make believe it’s a better world, sunny and bright.” Prince, My Computer (Emancipation, NPG Records, 1996).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Verrill
