Guides

Minnesota Consumer Data Privacy Act: 101 – What You Need to Know

Scott Dooley
4 min read · Jan 14, 2026 Last updated: January 1, 2026

Minnesota enacted its Consumer Data Privacy Act in May 2024, with the law taking effect on July 1 2025. The law includes several unique provisions, including a consumer right to question profiling decisions and a requirement to maintain a data inventory.

What Is the Minnesota CDPA?

The Minnesota Consumer Data Privacy Act (MCDPA) grants Minnesota residents rights over their personal data and establishes obligations for businesses that collect and process that data. The law includes unique requirements not found in other state privacy laws.

Enforcement is handled by the Minnesota Attorney General. There is no private right of action.

Does It Apply to Your Business?

The Minnesota CDPA applies to businesses that conduct business in Minnesota or produce products or services targeted to Minnesota residents. To be covered, a business must also meet at least one of two thresholds during a calendar year:

Threshold 1: Control or process personal data of 100,000 or more Minnesota consumers. Data processed solely to complete payment transactions is excluded.

Threshold 2: Derive 25% or more of gross revenue from selling personal data AND control or process data of 25,000 or more Minnesota consumers.

Small Business Exemption

Minnesota is one of the few states (along with Texas and Nebraska) that exempts small businesses as defined by the US Small Business Administration. However, even small businesses cannot sell sensitive consumer data without consent.

Higher Education

Unlike most state laws, Minnesota does not exempt institutions of higher education. However, certain post-secondary institutions have an extended compliance deadline until July 1 2029.

Key Consumer Rights

Minnesota residents have the following rights:

  • Right to confirm whether a business is processing their personal data
  • Right to access their personal data
  • Right to correct inaccuracies
  • Right to delete their personal data
  • Right to obtain a portable copy of their data
  • Right to opt out of targeted advertising
  • Right to opt out of the sale of personal data
  • Right to opt out of profiling for automated decisions with significant effects
  • Right to question profiling results (unique to Minnesota)

The profiling question right is unique. Consumers can request to be informed of the reason a profiling decision produced a specific result, and what actions they can take to secure a different result.

Business Obligations

Covered entities must:

  • Limit data collection to what is adequate, relevant, and reasonably necessary
  • Implement reasonable data security measures
  • Obtain consent before processing sensitive data
  • Obtain opt-in consent from consumers aged 13-16 before selling or sharing data for targeted advertising
  • Respond to universal opt-out mechanisms (UOOMs) like Global Privacy Control
  • Respond to consumer requests within 45 days
  • Maintain a data inventory (unique requirement)

The data inventory requirement means businesses must document what personal data they collect and process.

Sensitive Data

The MCDPA requires consent before processing sensitive data, which includes:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health conditions
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic data
  • Biometric data
  • Personal data of known children
  • Precise geolocation data

Enforcement and Penalties

The Minnesota Attorney General has exclusive enforcement authority.

The law includes a 30-day cure period until July 1 2026 (one year after the law takes effect). After that date, the cure period sunsets.

Penalties can reach up to $7,500 per violation. The Attorney General can also seek injunctive relief.

Key Dates

  • May 24 2024: Minnesota CDPA signed into law
  • July 1 2025: Law took effect
  • July 1 2026: 30-day cure period expires

Where to Find Official Resources

Getting Started

Minnesota’s unique requirements warrant specific attention. The data inventory requirement means documenting your data collection and processing activities. The profiling question right requires mechanisms for consumers to receive explanations of automated decisions.

Implement Global Privacy Control support for the universal opt-out requirement, and review your practices for processing teenager data (ages 13-16).

Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.

    View all posts

Popular posts on Measured Collective

  1. Virginia Consumer Data Protection Act: 101 – What You Need to Know
  2. Connecticut Data Privacy Act: 101 – What You Need to Know
  3. California CCPA/CPRA: 101 – What You Need to Know
  4. Indiana Consumer Data Protection Act: 101 – What You Need to Know
  5. Rhode Island Data Transparency and Privacy Protection Act: 101 – What You Need to Know

Start learning today

Essentials GDPR Course

UK GDPR awareness training for your team

GDPR Refresher

Keep your GDPR knowledge sharp

PECR for Marketers

ePrivacy compliance for marketing teams

Free GDPR Basics

100% free introduction to GDPR