New Minnesota Data Privacy Law: What You Need to Know

June 11, 2024
By Cornerstone Staff

As the digital landscape evolves, Minnesota is making significant legislative advancements to protect consumer rights and ensure the secure handling of personal data. With the enactment of new privacy legislation, a spotlight shines on the obligations of financial services businesses, lenders, and debt collectors, underscoring the importance of compliance with these new MN laws. This pivotal move aligns with the increasing demand for transparency in data processing and sets a benchmark for sensitive data protection in Minnesota.

Key Provisions of the Minnesota Consumer Data Privacy Act

Scope and Applicability

The Minnesota Consumer Data Privacy Act (MCDPA) applies to entities that conduct business in Minnesota or offer products and services to Minnesota residents. It sets thresholds based on the entity’s involvement with personal data of consumers, specifically targeting those that either control or process the personal data of at least 100,000 Minnesota residents or derive over 25% of gross revenue from the sale of personal data.

Consumer Rights

Under the MCDPA, Minnesota residents are granted extensive rights concerning their personal data. These rights include the ability to access, correct, delete, and obtain copies of their personal data. Consumers can also opt out of the processing of their data for targeted advertising, the sale of personal data, or profiling that has significant consequences.

Controller and Processor Obligations

Controllers, who determine the purposes and means of processing personal data, and processors, who process data on behalf of controllers, are required to adhere to specific obligations. These include providing clear privacy notices, maintaining data inventories, and implementing robust data security practices. They must also ensure that personal data is collected and processed only as necessary for disclosed purposes.

Exemptions and Special Considerations

The MCDPA includes exemptions for certain entities and types of data. Governmental bodies, small businesses as defined by the U.S. Small Business Administration, and data already covered by federal privacy regulations are generally exempt. Additionally, the act provides unique rights to question profiling decisions and requires controllers to recognize universal opt-out mechanisms.

Comparing MCDPA with Other State Privacy Laws

The MCDPA shares several commonalities with privacy laws in Colorado, Connecticut, Iowa, and Virginia, particularly in terms of consumer rights and business obligations. These similarities ensure a foundational consistency across state lines, aiding businesses in developing comprehensive compliance strategies that address multiple jurisdictions.

Distinctively, the MCDPA introduces unique provisions such as exemptions for small businesses and specific rights allowing consumers to question profiling decisions. This act also mandates that controllers maintain data inventories, a requirement not commonly found in other state laws.

The Expanded Definition of ‘Sale’

Expanding on the traditional notion of ‘sale,’ the MCDPA encompasses any exchange of personal data for valuable consideration, aligning with broader definitions similar to those in California and Connecticut. This broad scope aims to provide consumers with greater control over their personal data, ensuring they can opt out of data transactions that do not involve direct monetary exchange.

Compliance Challenges and Strategies


Businesses subject to MCDPA must ensure compliance by July 31, 2025. This deadline provides organizations with over a year to prepare, updating privacy notices and aligning with new consumer rights and risk assessment requirements.

Creating a Comprehensive Privacy Program

The MCDPA mandates the establishment of a formal privacy program. Controllers are required to document policies and procedures that reflect MCDPA’s requirements, including transparency in data use, limiting data collection to necessary purposes, and ensuring data protection through robust security practices.

Conducting Data Privacy and Protection Assessments

Controllers must perform data privacy and protection assessments for activities like targeted advertising, selling personal data, and processing sensitive data. These assessments should weigh the benefits of processing against potential risks to consumer rights. Documentation of these assessments must be maintained and made available to the Minnesota Attorney General upon request.


Through the lens of the MCDPA, businesses operating in Minnesota must put processes in place to align with the state’s stringent privacy regulations. The new regulations not only emphasize the necessity of evolving compliance strategies but also highlight the foundational changes required in the processing, handling, and safeguarding of consumer data to adhere to these new legal standards.

As this legal landscape continues to evolve, staying informed and adaptable is crucial for businesses to navigate the complexities of data privacy law successfully and to leverage these changes as a competitive advantage in the digital age.


