The Minnesota Consumer Data Privacy Act: Everything Businesses Need to Know

By Morgan Sullivan

Senior Content Marketing Manager II

October 31, 2024 · 7 min read

At a glance: Minnesota Consumer Data Privacy Act

  • Set to go into effect on July 31, 2025, the Minnesota Consumer Data Privacy Act (MCDPA) aims to enhance consumer privacy by establishing clear guidelines for how businesses can collect, process, and retain personal data from Minnesota residents.
  • This guide covers who is subject to the MCDPA, compliance requirements for businesses, and how the law compares to other state privacy regulations.
  • Keep reading until the end for a complete compliance checklist.

Who's subject to Minnesota's privacy law?

The first step in addressing the Minnesota Consumer Data Privacy Act (MCDPA) is to figure out whether or not your business falls under its scope, as not all organizations will be affected.

The MCDPA applies to businesses that:

  • Conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota AND
  • Control or process the personal data of at least 100,000 consumers OR
  • Derive over 25 percent of gross revenue from the sale of personal data and process or control personal data of 25,000 consumers or more.

Certain exemptions apply, including government agencies and entities governed by specific federal regulations.

Compliance requirements under the Minnesota Consumer Data Privacy Act (MCDPA)

Minnesota’s privacy law outlines several compliance obligations for businesses. We cover the most significant below:

Fulfill consumer rights

Controllers must honor the following consumer rights:

  • Right to access personal data
  • Right to correct inaccurate personal data
  • Right to delete personal data
  • Right to data portability
  • Right to opt out of personal data processing for targeted advertising, sale of personal data, or profiling
  • Right to appeal a controller's decision regarding a consumer request

Businesses subject to the law must implement processes that enable consumers to easily submit their requests. These mechanisms should also help the business respond to these requests quickly and efficiently.

Privacy solutions like Transcend DSR Automation can help.

Provide clear privacy notices

Businesses must provide a clear and accessible privacy notice that includes:

  • Categories of personal data processed
  • Purposes for processing
  • How consumers can exercise their rights
  • Categories of personal data sold/shared with third parties
  • Categories of third parties data is shared with
  • Controller contact information
  • Data retention policies

This policy must be easy for a consumer to find and written in a way that’s easy to understand—no unnecessary jargon or legalese!

Enact reasonable data security measures

Businesses must implement reasonable administrative, technical, and physical security measures to protect consumers’ personal data. This means establishing policies and procedures to manage data handling, ensuring that technical safeguards like encryption and access controls are in place, and securing physical environments where data is stored.

Before processing sensitive personal data, organizations must obtain opt-in consent. Recognizing the need for extra protection for younger users, the MCDPA also requires that organizations get opt-in consent before selling or sharing for targeted advertising the data of consumers under 13.

Organizations are also obligated to provide a straightforward and accessible method for consumers to revoke their consent at any time. This empowers consumers to have greater control over their personal information, safeguarding their privacy and ensuring their preferences are respected.

Implement data processing agreements

Controllers are required to establish contracts with processors that detail several critical aspects of their working relationship. These contracts must clearly outline the instructions for processing data, ensuring that every step is understood and followed precisely. They also need to guarantee the confidentiality of the data being handled to better safeguard sensitive information against unauthorized access.

Conduct data protection assessments

Controllers are required to conduct thorough assessments for high-risk data processing activities. These activities include targeted advertising, the sale of personal data, and profiling activities that could have substantial effects on an individual’s life or livelihood.

Honor universal opt-out mechanisms

Under the Minnesota Consumer Data Privacy Act, businesses must honor universal opt-out mechanisms (UOOM) like the Global Privacy Control (GPC) browser signal. By accommodating these universal preferences, businesses demonstrate a commitment to upholding consumer privacy rights and ensuring compliance with the MCDPA.

How Minnesota’s privacy law compares with other state laws

Minnesota's Consumer Data Privacy Act (MCDPA) shares several similarities with other state privacy laws, but it also sports a few distinctive elements. Here are some of the key differences:

Right to question profiling results

The MCDPA grants consumers the unique right to challenge the outcomes of profiling. While other laws allow individuals to opt out of profiling for decisions that have significant impacts, Minnesota takes it a step further by allowing consumers to:

  • Request an explanation of how profiling was applied
  • Obtain a description of the potential outcomes had profiling not been utilized
  • Opt out of decisions made based on profiling

This provision enhances consumer awareness and control over automated decision-making processes.

Data inventory requirement

Minnesota is the first state to mandate that covered entities create and maintain a data inventory. Although data mapping is regarded as a best practice in other jurisdictions, the MCDPA establishes it as a legal requirement, requiring companies to keep "an inventory of data that must be managed to exercise these responsibilities."

Identification of specific third parties

In contrast to most state laws, the MCDPA allows consumers to request the identities of specific third parties with whom their personal data has been shared. If this isn’t feasible, controllers must provide a list of specific third parties to whom any consumer's data has been disclosed.

Expanded nondiscrimination protections

The MCDPA takes anti-discrimination efforts a step further by explicitly banning the processing of personal data based on protected characteristics—such as race, gender, or religion—in ways that unlawfully discriminate in important areas like housing, employment, credit, education, or public accommodations.

Minnesota’s privacy law specifically prohibits processing personal data for targeted advertising when the controller knows that the consumer is aged between 13 and 16 years, unless opt-in consent is obtained.

Data security and documentation requirements

The MCDPA introduces specific data security obligations, including:

  • Maintaining data inventories
  • Documenting and upholding policies and procedures for compliance
  • Providing details about the chief privacy officer or the individual responsible for data privacy

Exemptions

Unlike many other state privacy laws, the MCDPA includes an exemption for small businesses as defined by the U.S. Small Business Administration.

The law also features much narrower exemptions for nonprofits compared to other state privacy laws, potentially making many nonprofit organizations subject to its requirements.

Minnesota Consumer Data Privacy Act compliance checklist

To prepare for compliance with the Minnesota Consumer Data Privacy Act, businesses can take several key steps:

1. Determine applicability

To determine if your organization falls under the MCDPA’s scope, evaluate whether you control or process the personal data of 100,000 or more Minnesota consumers annually, or if you generate over 25% of your gross revenue from selling personal data while processing data for at least 25,000 Minnesota consumers.

2. Establish a data inventory

Create a comprehensive inventory of all personal data collected, detailing categories of data and their purposes for collection. Additionally, mapping data flows will help you understand how personal data moves through your data ecosystem, providing better insights on your data handling practices.

Learn more: Transcend Data Inventory and Structured Discovery

Implement mechanisms to obtain consent for processing sensitive data, ensuring that consent is freely given, specific, informed, and unambiguous. It’s also important to provide clear and accessible opt-out options for data sales and targeted advertising.

Learn more: Transcend Consent Management

4. Set up privacy request mechanisms

Establish processes to promptly fulfill consumer data requests. This includes requests to access personal data, correct inaccuracies, delete personal data, and obtain a list of third parties that have received their data.

Additionally, consumers should be able to opt out of personal data sales, targeted advertising, and profiling for decisions that have legal or significant impacts. You’ll also need to create an appeals process for any denied consumer requests.

Learn more: Transcend DSR Automation

5. Develop clear privacy notices

Your privacy policy should clearly outline several key aspects, including the categories of personal data processed, the purposes for processing each category, and an explanation of consumer privacy rights along with instructions on how individuals can exercise these rights.

It should also specify the categories of personal data sold or shared with third parties, the types of third parties involved, the organization's contact information, data retention policies, the date of the last update, and whether data is sold or processed for targeted advertising or profiling.

6. Conduct data protection assessments

Conduct and document assessments related to data protection for various activities, including targeted advertising, the sale of personal data, processing of sensitive data, and any processing activities that pose heightened risks to consumers, including profiling.

Learn more: Transcend Assessments

7. Implement security measures

Your organization should establish and maintain reasonable administrative, technical, and physical security practices to protect personal data. Designating a chief privacy officer or an individual responsible for overseeing data protection will help ensure compliance and accountability.

8. Establish processor agreements

Review and update contracts with data processors to include the necessary provisions mandated by the MCDPA. It’s crucial you make sure that processors adhere to your instructions and maintain confidentiality in their handling of personal data.

9. Honor universal opt-out mechanisms

To prevent unauthorized data processing, set up systems that recognize and respect universal opt-out signals like the Global Privacy Control. Make sure these mechanisms propagate consumer preferences across your tech stack.


About Transcend

Transcend is the next-generation platform for privacy and data governance. Encoding privacy at the code layer, we provide solutions for any privacy challenge your teams may be facing—including getting you ready for new legislation like Minnesota's data privacy law.

From Consent Management to DSR Automation to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, Unstructured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.

