Minnesota Consumer Data Privacy Act (MCDPA)

• Signed into law: May 24, 2024
• Effective date: July 31, 2025

MCDPA applies to entities that:

• Conduct business in Minnesota or target its residents, and
• Annually control or process:
  • Personal data of 100,000+ consumers, or
  • Personal data of 25,000+ consumers and derive over 25% of gross revenue from selling personal data

• Governmental entities
• Nonprofits and higher education institutions
• Financial institutions (GLBA)
• Health care providers and data (HIPAA)
• Employee and business-to-business data
• De-identified or publicly available data

• Transparency: Provide detailed and accessible privacy notices
• Data minimization: Collect only necessary and relevant data
• Purpose limitation: Use data only for disclosed purposes
• Security: Implement safeguards to protect data
• Consent: Obtain opt-in consent for processing sensitive data
• Data protection assessments: Required for high-risk processing

• Publish privacy notices with required disclosures
• Enable consumers to exercise their rights via clear mechanisms
• Include opt-out links for:
  • Sale of personal data
  • Targeted advertising
  • Profiling in furtherance of decisions that produce legal or similarly significant effects

• Maintain contracts with processors outlining responsibilities
• Provide employee training on data privacy
• Maintain records of data processing activities
• Honor browser-based opt-out signals

Consumers may:

• Access their personal data
• Correct inaccuracies
• Delete personal data
• Obtain a copy in a portable format
• Opt out of data sales, targeted advertising, and profiling

• Enforcing Authority: Minnesota Attorney General
• Penalties: Up to $7,500 per violation
• Private Right of Action: Not granted
• Cure Period: No cure period—Attorney General has discretion