The Minnesota Consumer Data Privacy Act took effect on July 1 2025. The law includes unique requirements like the right to question profiling decisions and a mandatory data inventory, creating compliance considerations not found in other states.
How Minnesota CDPA Enforcement Works
The Minnesota Attorney General has exclusive enforcement authority. Consumers cannot bring private lawsuits for violations.
The law includes a 30-day cure period until July 1 2026. After that date, the Attorney General can pursue enforcement immediately without offering a cure opportunity.
Penalties can reach up to $7,500 per violation. The Attorney General can also seek injunctive relief.
Enforcement Status
As of January 2026, the Minnesota Attorney General has not publicly announced enforcement actions under the MCDPA. The law has been in effect for approximately six months, with the cure period still active.
The 30-day cure period means many potential violations are likely resolved through notice and remediation rather than formal proceedings.
Unique Enforcement Considerations
Minnesota’s distinctive provisions create specific enforcement targets:
Profiling question right. Minnesota is the only state granting consumers the right to question profiling decisions. Businesses that cannot explain why profiling produced a specific result, or what consumers can do to change the outcome, may face enforcement.
Data inventory requirement. Minnesota uniquely requires businesses to maintain a data inventory. Failure to document data collection and processing activities is a potential violation.
Teenager opt-in consent. The law requires opt-in consent before selling or sharing data of consumers aged 13-16 for targeted advertising. Processing teenager data without consent creates enforcement risk.
Universal opt-out mechanisms. Controllers must respond to signals like Global Privacy Control. Non-compliance with UOOMs is easily verifiable.
Expected Focus Areas
Based on Minnesota’s unique requirements and patterns in other states:
Profiling explanations. The profiling question right is untested territory. Businesses using automated decision-making should prepare to explain how their systems work.
Data inventory gaps. The inventory requirement means businesses must document their data practices. Missing or incomplete inventories may attract enforcement.
Higher education compliance. Unlike most states, Minnesota covers higher education institutions. Universities and colleges may be less prepared for privacy compliance.
Small business sensitive data sales. While small businesses are generally exempt, they cannot sell sensitive data without consent. Small businesses engaged in data sales face specific obligations.
What This Means for Your Organization
Minnesota’s unique provisions require specific compliance measures beyond what other state laws demand.
Businesses should:
- Create and maintain a documented data inventory
- Develop processes to explain profiling decisions to consumers
- Implement opt-in consent for processing data of consumers aged 13-16
- Enable Global Privacy Control support
- Prepare for the cure period expiration in July 2026
The profiling question right is unprecedented. Businesses using algorithms for decisions affecting consumers should be prepared to provide meaningful explanations of how those systems operate.
