Skip to content

Compliance

New Minnesota Data Privacy Law: What You Need to Know

Minnesota has taken major steps to protect consumer rights and secure the handling of personal data. New privacy legislation puts a spotlight on the duties of financial services businesses, lenders, and debt collectors. It underscores how important compliance with these new Minnesota laws has become and sets a benchmark for protecting sensitive data.

← All articles
Filed under Compliance

As the digital world grows, Minnesota has taken major steps to protect consumer rights and secure the handling of personal data. New privacy legislation puts a spotlight on the duties of financial services businesses, lenders, and debt collectors. It underscores how important compliance with these new Minnesota laws has become. The move matches rising demand for transparency in data processing. It also sets a benchmark for protecting sensitive data in Minnesota.

Key Provisions of the Minnesota Consumer Data Privacy Act

Scope and Applicability

The Minnesota Consumer Data Privacy Act (MCDPA) applies to entities that do business in Minnesota or offer products and services to Minnesota residents. It sets thresholds based on how much personal data an entity handles. It covers those that control or process the personal data of at least 100,000 Minnesota residents. It also covers those that earn more than 25% of gross revenue from the sale of personal data.

Consumer Rights

The MCDPA gives Minnesota residents broad rights over their personal data. They can access, correct, delete, and obtain copies of that data. They can also opt out of processing for targeted advertising, the sale of personal data, and profiling that carries significant consequences.

Controller and Processor Obligations

Controllers decide the purposes and means of processing personal data. Processors handle data on behalf of controllers. Both must meet specific obligations. They must provide clear privacy notices, maintain data inventories, and use strong data security practices. They must also collect and process personal data only as needed for disclosed purposes.

Exemptions and Special Considerations

The MCDPA exempts certain entities and types of data. Governmental bodies are generally exempt. So are small businesses as defined by the U.S. Small Business Administration and data already covered by federal privacy regulations. The act also gives consumers a unique right to question profiling decisions. It requires controllers to recognize universal opt-out mechanisms.

Comparing MCDPA with Other State Privacy Laws

The MCDPA shares much with privacy laws in Colorado, Connecticut, Iowa, and Virginia. The overlap is clearest in consumer rights and business obligations. That consistency across state lines helps businesses build compliance strategies that cover several jurisdictions.

The MCDPA also stands apart. It exempts small businesses. It gives consumers the right to question profiling decisions. It requires controllers to maintain data inventories, which most other state laws do not.

The Expanded Definition of 'Sale'

The MCDPA broadens the usual meaning of 'sale.' It covers any exchange of personal data for valuable consideration, similar to the definitions in California and Connecticut. This wide scope gives consumers more control over their personal data. It lets them opt out of data transactions even when no money changes hands.

Compliance Challenges and Strategies

Timeline

Businesses subject to the MCDPA must comply by July 31, 2025. That deadline gives organizations more than a year to prepare. They can update privacy notices and align with the new consumer rights and risk assessment requirements.

Creating a Comprehensive Privacy Program

The MCDPA requires a formal privacy program. Controllers must document policies and procedures that meet the law. That means transparency in data use, limiting data collection to necessary purposes, and protecting data with strong security practices.

Conducting Data Privacy and Protection Assessments

Controllers must run data privacy and protection assessments for certain activities. These include targeted advertising, selling personal data, and processing sensitive data. Each assessment must weigh the benefits of processing against the risks to consumer rights. Controllers must keep the documentation and share it with the Minnesota Attorney General on request.

Conclusion

Under the MCDPA, businesses operating in Minnesota must put processes in place to meet the state's strict privacy rules. The law calls for evolving compliance strategies. It also requires deeper changes in how companies process, handle, and safeguard consumer data.

This legal landscape keeps changing. Staying informed and adaptable is essential. Businesses that manage data privacy well can turn these changes into a competitive advantage in the digital age.

References

JDSupra on Minnesota's consumer data privacy law

Troutman insight on Minnesota's data privacy law

Found This Useful? Let's Get You Set Up.

Start an application and an expert will tailor the next steps to your situation.

Related reading

15 Licensing Application Process Facts That Delay Approvals

Compliance

15 Licensing Application Process Facts That Delay Approvals

Most licensing delays come from small misses. A payment method that does not work, a stale certificate, the wrong signature, a missing ownership detail. These are the things that slow down filings, trigger deficiencies, and force teams to redo work they thought was finished. We pulled these from the webinar because they came up naturally [...]

California Delete Act: DROP Deadline and Data Broker Rules

Compliance

California Delete Act: DROP Deadline and Data Broker Rules

Property managers in Maryland are running into a question that is getting more attention and creating real operational risk. Does collecting rent, especially when a tenant is past due, trigger Maryland's collection agency licensing requirements?

The Changing Compliance Landscape for Consumer Lenders

Compliance

The Changing Compliance Landscape for Consumer Lenders

Explore evolving compliance rules for consumer lenders, CFPB updates, and strategies to stay compliant in 2025 and beyond.

New Money Transmitter Licensing Requirements Under the MTMA

Licensing

New Money Transmitter Licensing Requirements Under the MTMA

Recent updates under the Uniform Money Transmission Modernization Act (MTMA) mean several states have significantly revised their licensing requirements. If you operate in financial services or virtual currency, note that money transmitter licensing may now be required where it was not before. Many businesses will need to reassess their compliance strategies to meet the new standards.

Newsletter: February 2025

Newsletter

Newsletter: February 2025

INDUSTRY NEWS CFPB FEBRUARY SNAPSHOT If you haven't been keeping up with the constant stream of Consumer Financial Protection Bureau (CFPB) updates, here's a quick overview of the key developments this month. The CFPB saw major upheaval, with Director Rohit Chopra dismissed and Treasury Secretary Scott Bessent taking control, leading to an immediate freeze on [...]

March 2025

Newsletter

March 2025

INDUSTRY NEWS OFAC EXTENDS RECORDKEEPING REQUIREMENTS TO 10 YEARS Effective March 12, 2025, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) will require organizations to retain records of OFAC-related transactions for 10 years, doubling the previous 5-year requirement. The extended recordkeeping period applies to all transactions subject to OFAC regulations, including [...]

Browse the full insights library, meet our editorial team, or download our whitepapers.

Insights

Found This Useful? Let's Get You Set Up.

An expert will respond within one business day.