Minnesota Consumer Data Privacy Act (2024)

The Minnesota Consumer Data Privacy Act (MCDPA) is Minnesota’s first comprehensive privacy law, enacted in May 2024 and taking effect July 31, 2025 for most organizations. It establishes broad rights for Minnesota residents and significant compliance obligations for businesses that collect or process personal data.

Minnesota became the 18th state to enact a comprehensive privacy statute when Governor Tim Walz signed the Act on May 25, 2024.

 

Effective Dates

  • General effective date: July 31, 2025
  • Postsecondary institutions regulated by the Office of Higher Education: compliance delayed until July 31, 2029

 

Scope and Applicability

The MCDPA applies to businesses that meet certain thresholds, including those that:

  • Control or process personal data of 100,000+ consumers, or
  • Derive 25% or more of gross revenue from the sale of personal data and process/control data of 25,000+ consumers

The law uses the familiar controller/processor model found in other state privacy laws.

 

Key Consumer Rights

Minnesota residents gain several GDPR‑style rights, including:

  • Right to access personal data
  • Right to delete personal data
  • Right to correct inaccuracies
  • Right to data portability
  • Right to opt out of:
      • Targeted advertising
      • Sale of personal data
      • Profiling in furtherance of decisions with legal or similarly significant effects

The Act is notable for providing broader rights for individuals subject to profiling, exceeding the protections in many other state laws.

 

Controller Obligations

Controllers must:

  • Provide clear privacy notices
  • Implement data‑minimization and purpose‑limitation practices
  • Maintain reasonable security measures
  • Conduct data protection assessments for high‑risk processing
  • Enter into contracts with processors governing data handling

The Minnesota Attorney General enforces the Act and provides guidance for both consumers and businesses.

 

Exemptions

The MCDPA includes exemptions for:

  • Small businesses (a unique feature compared to many other states)
  • Data already regulated by federal laws such as HIPAA, GLBA, FERPA, and others
  • Certain government entities

 

Enforcement

  • Enforced exclusively by the Minnesota Attorney General
  • No private right of action
  • Cure periods may apply depending on the violation and enforcement posture

 

Why the Minnesota Law Matters

Minnesota’s law follows the general structure of modern state privacy laws but introduces notable innovations, including:

  • Stronger protections around profiling and automated decision‑making
  • A small‑business exemption
  • A long runway for higher‑education institutions

It is now part of the rapidly expanding national patchwork of state privacy laws that organizations must navigate.