Minnesota Consumer Data Privacy Act (MCDPA)

US consumer privacy number twenty

What is the Minnesota Consumer Data Privacy Act (MCDPA)?

The Minnesota Consumer Data Privacy Act (MCDPA) is the nineteenth data privacy law to be passed and enacted in the United States, followed closely by Rhode Island's, which brought the count up to twenty so far.

The MCDPA was passed on May 24, 2024. Like the other US consumer privacy laws in force, it sets guidelines for how businesses should collect, use, store, and share personal information, and it aims to give consumers more control over their personal data, ensuring that their privacy is respected and safeguarded by businesses operating in or targeting Minnesota.

The effective date for the Minnesota privacy act is July 31, 2025, with the exception of postsecondary institutions regulated by the Office of Higher Education which are not required to comply until July 31, 2029.

How does the Minnesota Consumer Data Privacy Act (MCDPA) define Personal Information and what are other key definitions?

Under the Minnesota Act, ‘personal data’ means “any information that is linked or reasonably linkable to an identified or identifiable natural person.” This excludes deidentified data and publicly available information, the latter being understood to mean “information that (1) is lawfully made available from federal, state, or local government records or widely distributed media, or (2) a controller has a reasonable basis to believe has lawfully been made available to the general public.”

In addition to this, under Minnesota’s MCDPA, ‘sensitive data’ is also a form of personal data and it includes “(1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status; (2) the processing of biometric data or genetic information for the purpose of uniquely identifying an individual; (3) the personal data of a known child; or (4) specific geolocation data.”

According to the text of the Minnesota Privacy Act, ‘biometric data’ is “data generated by automatic measurements of an individual's biological characteristics, including a fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual,” excluding “a digital or physical photograph; an audio or video recording; or any data generated from a digital or physical photograph, or an audio or video recording, unless the data is generated to identify a specific individual.”

A ‘child’ has the same meaning here as it does in COPPA, namely an individual under the age of 13. ‘Consent’ is “any freely given, specific, informed, and unambiguous indication of the consumer's wishes by which the consumer signifies agreement to the processing of personal data relating to the consumer.” It does not include acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; hovering over, muting, pausing, or closing a given piece of content; or any instance where the consumer's indication has been obtained by a dark pattern.

Just like other US consumer privacy laws, Minnesota’s privacy law defines a ‘controller’ as “the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data” and a ‘processor’ as “a natural or legal person who processes personal data on behalf of a controller.” It defines the ‘consumer’ as “a natural person who is a Minnesota resident acting only in an individual or household context,” which excludes “a natural person acting in a commercial or employment context.”

Finally, the ‘sale’ of personal data is, similar to several other US consumer privacy laws, “the exchange of personal data for monetary or other valuable consideration by the controller to a third party,” which does not include:

  • “the disclosure of personal data to a processor who processes the personal data on behalf of the controller;
  • the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
  • the disclosure or transfer of personal data to an affiliate of the controller;
  • the disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience;
  • the disclosure or transfer of personal data to a third party as an asset that is part of a completed or proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets; or
  • the exchange of personal data between the producer of a good or service and authorized agents of the producer who sell and service the goods and services, to enable the cooperative provisioning of goods and services by both the producer and the producer's agents.”

 

Who does the Minnesota Consumer Data Privacy Act (MCDPA) apply to?

The Minnesota Consumer Data Privacy Act applies to “legal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota, and that satisfy one or more of the following thresholds:

  1. during a calendar year, controls or processes personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.”

Who does the Minnesota Consumer Data Privacy Act (MCDPA) exempt?

Minnesota’s consumer privacy law exempts certain entities and types of data as follows: 

  • Government Agencies;
  • Non-Profit Organizations;
  • Healthcare Providers covered by the Health Insurance Portability and Accountability Act (HIPAA);
  • Financial Institutions governed by the Gramm-Leach-Bliley Act (GLBA);
  • Educational Institutions covered by the Family Educational Rights and Privacy Act (FERPA);
  • Data regulated under the Children's Online Privacy Protection Act (COPPA);
  • Employment Data;
  • De-identified Data;
  • Research Data

What are the requirements for businesses under the Minnesota Consumer Data Privacy Act (MCDPA)?

Under the Minnesota Consumer Data Privacy Act, processors have to do the following:

  • follow the instructions provided by the controller regarding how to handle personal data;
  • help controllers meet their legal obligations under the MCDPA;
  • have a contract that governs the processing activity done on behalf of the controller which has to outline: 
    • instructions for data processing;
    • the nature and purpose of processing;
    • types of data involved;
    • duration of processing;
    • rights and obligations of both parties.

As far as controllers are concerned, their responsibilities under Minnesota’s privacy law are as follows: 

  • Provide a clear and accessible privacy notice that includes:
    • The types of personal data collected
    • The purpose of data processing
    • Consumers’ rights and how they can exercise them
    • Any data shared with third parties
    • The controller’s contact information
    • The data retention policies
    • The date of the last update of the privacy notice
  • Disclose any data sales, targeted advertising, or profiling and provide a clear opt-out method.
  • Ensure the privacy notice is available in all languages used by the business and accessible to individuals with disabilities.
  • Notify consumers of material changes to the privacy notice and allow them to withdraw consent if needed.
  • Post the privacy notice online with a prominent link, and make it accessible through the mobile app or other regular communication channels.
  • Limit data collection to what is necessary and relevant for the disclosed purposes.
  • Obtain consumer consent for processing data beyond the initially stated purposes.
  • Implement and maintain reasonable security practices to protect personal data.
  • Obtain consent for processing sensitive data or data from children under the age of 13, following COPPA guidelines.
  • Provide a simple way for consumers to revoke consent, and cease processing the data within 15 days of the request.
  • Do not process personal data for targeted advertising or sell data of consumers aged 13-16 without their consent.
  • Do not retain personal data longer than necessary unless required by law.
  • Do not process personal data in a discriminatory manner based on race, color, ethnicity, religion, national origin, sex, gender, sexual orientation, familial status, income source, or disability.
  • Do not discriminate against consumers for exercising their privacy rights, including denying services, charging different prices, or providing different quality of services.
  • Conduct and document a data privacy and protection assessment for:
    • Targeted advertising;
    • Data sales;
    • Sensitive data processing;
    • Activities with a high risk of harm to consumers;
    • Profiling that poses risks like unfair treatment or significant consumer harm.

What are the consumer rights under the Minnesota Consumer Data Privacy Act (MCDPA)?

Consumers have the following rights under the MCDPA:

  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Data Portability
  • Right to Opt-Out
  • Right to obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data.

As regards the right to opt-out, Minnesota’s privacy law states that “a consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale on the consumer's behalf by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing” and the controller will have to “comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf.” 

The law specifically mentions universal opt-out mechanisms (UOOMs) and mandates that “a controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale.” 

How to respond to consumer requests under the Minnesota Consumer Data Privacy Act (MCDPA)?

Unless certain exceptions apply, controllers have to comply with a consumer request and have to “provide one or more secure and reliable means for consumers to submit a request to exercise the consumer's rights” which “must take into account the ways in which consumers interact with the controller and the need for secure and reliable communication of the requests.”

Controllers have to respond to consumer requests “as soon as feasibly possible, but no later than 45 days of receipt of the request” and “must inform a consumer of any action taken on a request without undue delay and in any event within 45 days of receipt of the request,” which “may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests” but the controller has an obligation to “inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay.”

Controllers are not permitted to require consumers to create a new account in order to exercise a right, but a controller is allowed to require a consumer to use an existing account to exercise the consumer's rights.

If they do not take action on a consumer request, controllers have to inform the consumer “without undue delay and at the latest within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision.”

Information provided to consumers has to be “free of charge up to twice annually to the consumer.” However, in cases where requests from a consumer are “manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request,” but the controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request.

If they are unable to authenticate the request “using commercially reasonable efforts,” controllers are not required to comply with the request. In such cases, controllers may request additional information that is reasonably necessary to authenticate the request.

In the case of opt-out requests, a controller is not required to authenticate an opt-out request, but they may deny an opt-out request if they have “a good faith, reasonable, and documented belief that the request is fraudulent” in which case they have to notify the person who made the request that the request was denied due to the belief that the request was fraudulent and they have to state their basis for that belief.

Controllers have to “establish an internal process whereby a consumer may appeal a refusal to take action on a request to exercise” their consumer rights “within a reasonable period of time after the consumer's receipt of the notice sent by the controller.” The appeal process has to be conspicuously available and has to be as easy to use as submitting requests. Controllers have 45 days from receipt of an appeal to inform the consumer of any action taken or not taken, and this period can be extended by an additional 60 days “where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal,” but the controller has to “inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay.”

When informing a consumer of any action taken or not taken in response to an appeal, controllers have to also provide a written explanation of the reasons for their decision and have to provide the consumer with information about how to file a complaint with the Office of the Attorney General. 

A record of all appeals and responses to these has to be maintained “for at least 24 months and shall, upon written request by the Attorney General as part of an investigation, compile and provide a copy of the records to the Attorney General.”

Minnesota Consumer Data Privacy Act (MCDPA) enforcement and penalties

The Attorney General has enforcement authority over the Minnesota Consumer Data Privacy Act. Prior to any enforcement action, the Attorney General will provide controllers or processors with a warning letter informing them of the violations, along with a 30-day cure period. This cure period will sunset on January 31, 2026.

There is no private right of action under Minnesota’s MCDPA, and penalties can go up to no more than $7,500 for each violation.

 

How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • ReadyCompliance™: Covering 50+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

You can see Clym in action for yourself by booking a demo or reaching out to us to discuss your specific needs today.

FAQs about the Minnesota Consumer Data Privacy Act (MCDPA)

What does the Minnesota Consumer Data Privacy Act (MCDPA) apply to?

The Minnesota Consumer Data Privacy Act applies to “legal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota, and that satisfy one or more of the following thresholds:

  1. during a calendar year, controls or processes personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.”

What is exempt under the Minnesota Consumer Data Privacy Act (MCDPA)?

Minnesota’s consumer privacy law exempts certain entities and types of data as follows: 

  • Government Agencies;
  • Non-Profit Organizations;
  • Healthcare Providers covered by the Health Insurance Portability and Accountability Act (HIPAA);
  • Financial Institutions governed by the Gramm-Leach-Bliley Act (GLBA);
  • Educational Institutions covered by the Family Educational Rights and Privacy Act (FERPA);
  • Data regulated under the Children's Online Privacy Protection Act (COPPA);
  • Employment Data;
  • De-identified Data;
  • Research Data.

What consumer rights does the Minnesota Consumer Data Privacy Act (MCDPA) grant Minnesota residents?

Consumers have the following rights under the MCDPA:

  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Data Portability
  • Right to Opt-Out
  • Right to obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data.

What are the penalties for non-compliance with the Minnesota Consumer Data Privacy Act (MCDPA)?

Penalties for violations of the Minnesota Consumer Data Privacy Act can go up to no more than $7,500 each.
