Minnesota Privacy Law Overview
Minnesota's privacy law took effect July 31, 2025 and pushes consumer rights further than most. Beyond the standard rights, it gives Minnesotans meaningful control over profiling — including the right to be told why a profiling decision was made and to have it reviewed by a person — and the right to learn the specific third parties that received their data.
The Minnesota Consumer Data Privacy Act (MCDPA)
Minnesota's law provides comprehensive rights plus the strongest profiling protections in the nation: consumers can question the result of profiling, learn the reason for it, review the data used, and be re-evaluated. Minnesotans can also obtain a list of the specific third parties that received their data. Sensitive data requires opt-in consent.
MCDPA: Quick Overview
- Effective Date: July 31, 2025
- Citation: Minn. Stat. §§ 325O.01 et seq.
- Enforced By: Minnesota Attorney General
- Maximum Penalty: Up to $7,500 per violation
- Private Right of Action: No (enforcement by the state only)
- Right to Cure: 30 days (expired January 31, 2026)
Who Must Comply
The MCDPA applies to businesses that meet Minnesota's applicability thresholds:
- Controls or processes the personal data of 100,000+ Minnesota consumers per year, or
- Processes data of 25,000+ consumers and derives over 25% of gross revenue from selling personal data
What makes Minnesota different: Minnesota offers the nation's strongest profiling rights — including human review of automated decisions — and named-third-party transparency.
Consumer Rights Under the MCDPA
Minnesota residents can exercise the following rights over their personal data:
- Right to access / confirm what data is held
- Right to correct inaccurate data
- Right to delete personal data
- Right to data portability
- Right to opt out of targeted advertising
- Right to opt out of the sale of personal data
- Right to opt out of profiling for significant decisions
Sensitive personal data: Businesses must obtain opt-in consent before processing sensitive data (such as health, biometric, precise-geolocation, or demographic data).
Data Breach Notification in Minnesota
Minnesota requires notice to affected residents without unreasonable delay; a separate Attorney General notification is not generally required of private businesses.
- Deadline to notify residents: In the most expedient time possible without unreasonable delay
- Attorney General notice: Minnesota does not impose a separate Attorney General notice duty on most private businesses
- Covered data: Name combined with sensitive identifiers (SSN, driver's license, financial-account or medical information, and more)
Federal Privacy Laws That Apply in Minnesota
Even where Minnesota law is silent, residents and businesses are covered by federal privacy statutes:
- HIPAA — health information held by providers, plans and their vendors
- GLBA — privacy and safeguards rules for financial institutions
- FERPA — student education records
- FCRA — consumer reporting agencies and background screening
- COPPA — online collection of data from children under 13
- FTC Act §5 — unfair or deceptive privacy and data-security practices
Minnesota Privacy Law FAQ
What profiling rights do Minnesotans have?
Can I find out who received my data in Minnesota?
How a Minnesota Privacy Attorney Can Help
For Businesses
- Build and audit a privacy compliance program
- Draft privacy policies, notices and vendor contracts
- Respond to consumer rights requests
- Manage data-breach response and notification
- Defend regulatory investigations and enforcement
For Consumers
- Enforce your privacy rights against non-compliant businesses
- Pursue or join data-breach litigation
- File complaints with the Minnesota Attorney General
- Seek damages for identity theft and fraud
- Stop unlawful data sales and unwanted marketing
Need a Minnesota Privacy Attorney?
Whether you are a business working toward compliance or a Minnesota resident whose privacy has been violated, our network of Minnesota-licensed attorneys can help.
Find a Minnesota Privacy Attorney