Minnesota MCDPA Is Already in Force — Is Your Organisation Compliant?

Scott Dooley
Apr 26, 2026

Minnesota’s comprehensive consumer data privacy law — the Minnesota Consumer Data Privacy Act (MCDPA) — has been in force since 31 July 2025. The Attorney General’s mandatory cure period expired on 31 January 2026, meaning full enforcement is now underway with no statutory grace period available.

Organisations that process the personal data of Minnesota residents and have not yet achieved compliance are exposed to civil penalties of up to $7,500 per violation, with no guaranteed opportunity to cure before enforcement action is taken.

This guide covers what the law requires, who must comply, how it compares to other state privacy laws, and the actions HR, senior leadership, and marketing teams need to take to close any remaining compliance gaps.

Overview of the Law

The Minnesota Consumer Data Privacy Act (MCDPA) was signed into law by Governor Tim Walz in May 2024 and took effect on 31 July 2025. It follows the Virginia CDPA model that has become the template for the second wave of US state privacy legislation.

The MCDPA defines personal data broadly as any information that is linked or reasonably linkable to an identified or identifiable natural person. It distinguishes between controllers (entities that determine the purpose and means of processing personal data) and processors (entities that process personal data on behalf of a controller), imposing specific obligations on each.

The law is enforced by the Minnesota Attorney General, who has exclusive enforcement authority. There is no private right of action — individuals cannot sue companies directly under the MCDPA. However, the Attorney General can seek civil penalties of up to $7,500 per violation.

Key Provisions

Consumer Rights

The MCDPA grants Minnesota residents the following rights over their personal data:

  • Right to access — to confirm whether a controller is processing their personal data and to access that data
  • Right to correction — to correct inaccuracies in their personal data
  • Right to deletion — to delete personal data provided or obtained about them
  • Right to portability — to obtain a copy of their personal data in a portable format
  • Right to opt out — specifically of:
      • Targeted advertising
      • Sale of personal data
      • Profiling for decisions that produce legal or similarly significant effects

Sensitive Data

The MCDPA introduces specific rules for sensitive data, which requires opt-in consent before processing. Sensitive categories include:

  • Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship/immigration status
  • Genetic or biometric data processed to uniquely identify an individual
  • Personal data of a known child (under 13)
  • Precise geolocation data

This opt-in requirement for sensitive data is a significant compliance point for HR teams managing health, disability, or religious accommodation data — and for marketing teams using location-based targeting.

Controller Obligations

Controllers must:

  • Provide a clear and accessible privacy notice specifying categories of personal data processed, purposes of processing, how to exercise rights, and categories of third parties with whom data is shared
  • Maintain a data processing agreement with each processor that limits processing to specified purposes
  • Conduct and document data protection assessments for high-risk processing activities, including targeted advertising, sale of personal data, profiling, and processing of sensitive data
  • Recognise and respond to universal opt-out signals (such as the Global Privacy Control) for targeted advertising and sale

Who Must Comply

The MCDPA applies to controllers that, during a calendar year, either:

  • Control or process the personal data of 100,000 or more Minnesota consumers, or
  • Derive more than 25% of gross revenue from the sale of personal data and control or process the personal data of 25,000 or more Minnesota consumers

Key exemptions include:

  • State and local government entities
  • Non-profit organisations (a notable exemption compared to some other states)
  • Financial institutions and data subject to the Gramm-Leach-Bliley Act (GLBA)
  • Covered entities and business associates under HIPAA
  • Higher education institutions

HR data (data processed purely in the context of employment) is excluded from the definition of “consumer” — meaning employee personal data in an employment context is generally not covered by the MCDPA. However, this does not exempt employers from all obligations, and HR teams should review whether any employee data processing falls outside the strict employment context.

Effective Date & Enforcement Timeline

| Milestone | Date |
| --- | --- |
| Law signed by Governor Walz | May 2024 |
| Effective date (general) | 31 July 2025 |
| Mandatory 30-day cure period expires | 31 January 2026 |
| Full enforcement by Minnesota AG (no cure period) | 1 February 2026 onwards |

Important: The MCDPA provided a mandatory 30-day cure period for the first six months after the law took effect (31 July 2025 – 31 January 2026). The Attorney General was required to give notice and allow time to cure during this window. That period has now expired. Since 1 February 2026, there is no statutory right to a cure period — the AG may initiate enforcement immediately upon finding a violation.

Comparison with Other State Privacy Laws

| Feature | MN MCDPA | VA CDPA | CO CPA | CT CTDPA | IN CDPA |
| --- | --- | --- | --- | --- | --- |
| Threshold | 100k consumers OR 25k + 25% revenue from data sale | 100k consumers OR 25k + 50% revenue | 100k consumers OR 25k + significant revenue | 100k consumers OR 25k + 25% revenue | 100k consumers OR 25k + 50% revenue |
| Sensitive data consent | Opt-in | Opt-in | Opt-in | Opt-in | Opt-in |
| Universal opt-out | Required (GPC) | Not required | Required (GPC) | Required (GPC) | Not required |
| Non-profit exemption | Yes | No | Partial | No | No |
| Private right of action | No | No | No | No | No |
| AG enforcement | Yes | Yes | Yes | Yes | Yes |
| Effective date | Jul 2025 | Jan 2023 | Jul 2023 | Jul 2023 | Jan 2026 |
| Cure period | 30 days (expired Jan 2026) | 30 days | 60 days (until Jan 2025) | 60 days | 30 days |

The MCDPA aligns closely with the Virginia CDPA model but notably introduces the universal opt-out signal requirement (aligned with Colorado and Connecticut) and a broader exemption for non-profits.

What Managers Need to Do Now

The law is in force. Organisations that are not yet compliant must act immediately.

HR Teams

  • Review HR data processing activities against the MCDPA’s employment context exclusion. Data processed in the employment context (hiring, payroll, benefits) is generally excluded, but data collected for non-employment purposes (marketing to employees, wellness programmes, consumer loyalty schemes that employees participate in) may be in scope.
  • Audit sensitive data processing. If your organisation processes health conditions, mental health data, religious accommodations, or biometric data for employee authentication, confirm whether the employment exclusion applies and whether separate consent or documentation is needed.
  • Update training programmes. Employees who handle consumer personal data — customer service, sales, HR professionals managing contractor data — need to understand MCDPA consumer rights and how to handle rights requests.
  • Document data protection assessments for any high-risk processing involving employee or consumer personal data.

Senior Leadership

  • Determine whether your organisation meets the compliance threshold. Many mid-sized organisations are surprised to find they process data for more than 100,000 Minnesota residents across digital products, e-commerce, and third-party integrations. A data mapping exercise is essential to confirm scope.
  • Commission an MCDPA gap assessment immediately. With full enforcement now underway, organisations that have not yet completed compliance work need to prioritise urgently. A gap assessment identifies the delta between current practices and legal requirements.
  • Confirm your data processing agreements with vendors are MCDPA-compliant. Any vendor or SaaS provider that processes Minnesota resident data on your behalf is a processor under the MCDPA. Your DPAs must meet the Act’s specific requirements.
  • Appoint ownership for MCDPA compliance. Whether that sits with legal, privacy, or operations, someone must own rights request fulfilment, opt-out signal recognition, and consumer response timelines.

Marketing

  • Enable Global Privacy Control (GPC) recognition. The MCDPA requires controllers engaged in targeted advertising or data sale to recognise and honour universal opt-out signals, including GPC. Your web infrastructure must be able to detect and act on the GPC signal for Minnesota visitors.
  • Audit your targeted advertising activities. If your organisation uses personal data to serve targeted ads to Minnesota consumers, this is a core regulated activity under the MCDPA. Ensure your privacy notice discloses this, and that opt-out mechanisms are in place.
  • Review data sharing with ad tech vendors. Whether data sharing with advertising platforms constitutes a “sale” under the MCDPA depends on whether you receive valuable consideration — a question that requires legal analysis of your specific arrangements.
  • Update your privacy notice to reflect MCDPA-required disclosures: categories of personal data processed, purposes, third-party sharing, and how consumers can exercise their rights.

Resources & Further Reading


Threshold figures and effective dates are based on the enacted text of the MCDPA. The cure period noted above expired 31 January 2026; organisations should not rely on a grace period being available after that date. Organisations with questions about their specific compliance obligations should seek qualified US privacy law counsel. This article does not constitute legal advice.

Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.
