
US
Minnesota Consumer Data Privacy Act (MCDPA)
Overview
The Minnesota Consumer Data Privacy Act (MCDPA) was signed into law on May 24, 2024, and takes effect on July 31, 2025. It establishes comprehensive data protection rights for Minnesota residents and sets responsibilities for businesses processing personal data. MCDPA mirrors frameworks like the Colorado and Connecticut privacy laws and emphasizes transparency, consumer choice, and strong enforcement mechanisms.
Regulation Summary
- Signed into law: May 24, 2024
- Effective date: July 31, 2025
MCDPA applies to entities that:
- Conduct business in Minnesota or target its residents, and
- Annually control or process:
- Personal data of 100,000+ consumers, or
- Personal data of 25,000+ consumers and derive over 25% of gross revenue from selling personal data
- Governmental entities
- Nonprofits and higher education institutions
- Financial institutions (GLBA)
- Health care providers and data (HIPAA)
- Employee and business-to-business data
- De-identified or publicly available data
- Transparency: Provide detailed and accessible privacy notices
- Data minimization: Collect only necessary and relevant data
- Purpose limitation: Use data only for disclosed purposes
- Security: Implement safeguards to protect data
- Consent: Obtain opt-in consent for processing sensitive data
- Data protection assessments: Required for high-risk processing
- Publish privacy notices with required disclosures
- Enable consumers to exercise their rights via clear mechanisms
- Include opt-out links for:
- Sale of personal data
- Targeted advertising
- Profiling in furtherance of decisions that produce legal or similarly significant effects
- Maintain contracts with processors outlining responsibilities
- Provide employee training on data privacy
- Maintain records of data processing activities
- Honor browser-based opt-out signals
Consumers may:
- Access their personal data
- Correct inaccuracies
- Delete personal data
- Obtain a copy in a portable format
- Opt out of data sales, targeted advertising, and profiling
- Enforcing Authority: Minnesota Attorney General
- Penalties: Up to $7,500 per violation
- Private Right of Action: Not granted
- Cure Period: No cure period—Attorney General has discretion