PrivacyLawMap
MN

Minnesota Privacy Law

Minnesota Consumer Data Privacy Act

Effective: July 31, 2025Active

Overview

The Minnesota Consumer Data Privacy Act (MCDPA) was signed into law on May 24, 2024, and becomes effective on July 31, 2025. Minnesota's law is one of the more comprehensive state privacy laws, incorporating strong consumer protections and a requirement to honor universal opt-out mechanisms starting in 2026. The MCDPA provides Minnesota consumers with extensive privacy rights, including the right to access, correct, delete, and port personal data, as well as opt-out rights for data sales, targeted advertising, and profiling. The law includes a robust appeals process, requires data protection assessments, and mandates data minimization practices. Minnesota's law also includes provisions for algorithmic governance and transparency. The law applies to entities conducting business in Minnesota or targeting Minnesota consumers that control or process personal data of 100,000 or more consumers, or control or process personal data of 25,000 or more consumers while deriving more than 25% of gross revenue from the sale of personal data. The MCDPA includes a 30-day cure period and penalties of up to $7,500 per violation, enforced by the Minnesota Attorney General.

Applicability Thresholds

Conditions are joined by OR meeting ANY one triggers applicability.

100,000+
Minnesota consumers' data processed
25,000+ consumers
AND 25%+ revenue from data sales

Consumer Rights

Right to Access
Right to Delete
Right to Correct
Data Portability
Opt-Out of Sale
Opt-Out of Targeted Ads
Opt-Out of Profiling
Limit Sensitive Data Use
Right to Appeal
Private Right of Action

Key Changes in 2025-2026

  • Law becomes effective July 31, 2025 — businesses must prepare for compliance
  • Universal opt-out mechanism requirement takes effect January 1, 2026
  • Algorithmic governance and transparency provisions take effect
  • Minnesota AG expected to issue enforcement guidance and begin compliance monitoring

Enforcement Details

Enforced By
Minnesota Attorney General
Penalty Per Violation
$7,500
Cure Period
30 days
Private Right of Action
No — AG enforcement only

Sensitive Data Categories

Consent model: opt-in

Racial or ethnic originReligious beliefsMental or physical health diagnosisSexual orientationCitizenship or immigration statusBiometric data for identification

Universal Opt-Out / GPC Requirements

GPC / Universal Opt-Out Required

Starting January 1, 2026, businesses must recognize and honor universal opt-out mechanisms such as Global Privacy Control (GPC) for opt-out of data sales and targeted advertising.

Effective: January 1, 2026

Minor / Child Protections

The MCDPA requires opt-in consent for processing personal data of known children under 13. For teens aged 13-17, the law includes enhanced protections restricting targeted advertising and data sales without consent.

Compliance Checklist

  1. 1Determine applicability based on Minnesota consumer data processing volumes and revenue thresholds
  2. 2Prepare to implement universal opt-out signal recognition by January 1, 2026
  3. 3Update privacy notices with all MCDPA-required disclosures including algorithmic decision-making
  4. 4Implement consumer rights request mechanisms with 45-day response period
  5. 5Obtain opt-in consent for processing sensitive personal data
  6. 6Conduct data protection assessments for high-risk processing activities
  7. 7Review data minimization practices to ensure compliance with MCDPA requirements

Minnesota Privacy Law FAQ

Official Resources

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.