Minnesota Data Privacy Laws: Consumer Rights Guide (2026)

Minnesota has established one of the most comprehensive data privacy frameworks in the United States. The state combines a broad consumer data protection statute, strict data breach notification requirements, a longstanding government data practices law, and aggressive enforcement through the Attorney General's office.
This guide covers every major Minnesota data privacy law, the rights you have as a consumer, the obligations businesses must meet, and the penalties for noncompliance.
Minnesota Consumer Data Privacy Act (MCDPA)
The Minnesota Consumer Data Privacy Act, codified as Chapter 325M of Minnesota Statutes, was enacted through House File 2309 during the 93rd Minnesota Legislative Session. Governor Tim Walz signed the bill into law in May 2024, and it took effect on July 31, 2025.

The MCDPA is Minnesota's comprehensive consumer data protection law. It regulates how businesses collect, use, process, store, sell, share, and analyze personal data belonging to Minnesota consumers. The law is widely regarded as one of the strongest state privacy statutes in the country due to its unique profiling protections, data inventory requirements, and the absence of a permanent cure period for violators.
Who the MCDPA Applies To
The MCDPA applies to legal entities that conduct business in Minnesota or produce products or services targeted to Minnesota residents, and that meet at least one of two thresholds during a calendar year under Section 325M.12:
- Control or process the personal data of at least 100,000 Minnesota consumers, excluding data processed solely for completing payment transactions, OR
- Derive over 25% of gross revenue from the sale of personal data AND process the personal data of at least 25,000 consumers
The 100,000-consumer threshold covers approximately 1.75% of Minnesota's 5.7 million residents. This means most mid-size and large businesses that serve Minnesota customers will fall under the law.
Exempt Entities
The MCDPA exempts several categories of entities from its requirements under Section 325M.12:
- State and local government entities
- Federally recognized Indian tribes
- Financial institutions governed by the Gramm-Leach-Bliley Act (GLBA)
- Entities covered by the Health Insurance Portability and Accountability Act (HIPAA)
- Federal credit reporting agencies operating under the Fair Credit Reporting Act (FCRA)
- Educational institutions governed by the Family Educational Rights and Privacy Act (FERPA)
- Insurance companies regulated under Minnesota law
- Air carriers regulated under the Airline Deregulation Act
- Nonprofit organizations established to detect and prevent insurance fraud
- Small businesses as defined by the U.S. Small Business Administration (with an important exception for sensitive data)
Nonprofit corporations and postsecondary institutions regulated by the Office of Higher Education are not required to comply until July 31, 2029.
The small business exemption has a significant limitation. Under Section 325M.17, even small businesses that are otherwise exempt from the MCDPA cannot sell a consumer's sensitive data without first obtaining the consumer's consent. Violations of this requirement carry the same penalties as other MCDPA violations.
Consumer Rights Under the MCDPA
The MCDPA grants Minnesota consumers seven core privacy rights under Section 325M.14. These rights are among the broadest of any state data privacy law in the country.
Right to Confirm and Access
Consumers can confirm whether a business is processing their personal data and access the specific categories of personal data being collected and used. This allows consumers to understand exactly what information a company holds about them.
Right to Correct
Consumers can request that a business correct inaccurate personal data. The business must take into account the nature of the personal data and the purposes of processing when evaluating the correction request.
Right to Delete
Consumers can request that a business delete the personal data the business has collected about them. Businesses must comply unless an exception applies, such as legal obligations to retain the data.
Right to Data Portability
Consumers can obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format that allows transmission to another controller. This right helps consumers switch between service providers without losing their data.
Right to Opt Out
Consumers can opt out of three types of data processing:
- Targeted advertising based on personal data collected from the consumer's activities across nonaffiliated websites or online applications
- Sale of personal data to third parties for monetary or other valuable consideration
- Profiling in furtherance of automated decisions that produce legal or similarly significant effects
Right to Question Profiling Decisions
This is one of the MCDPA's most distinctive provisions. When a consumer has been subject to profiling that produces legal or similarly significant effects, the consumer has the right to:
- Question the result of the profiling decision
- Learn the reason that the profiling resulted in the particular decision
- Understand what actions the consumer could have taken to produce a different decision
- Request reevaluation if the profiling decision was based on inaccurate personal data
This provision is specifically designed to protect Minnesota residents from harmful AI-driven decisions affecting access to jobs, housing, insurance, and other critical services. Minnesota is one of the first states to create these rights, ensuring that automated systems cannot deprive residents of important opportunities without explanation or recourse.
Right to a Third-Party Disclosure List
Consumers can obtain a list of the specific third parties to which a business has disclosed their personal data. This goes beyond what most state privacy laws require, which typically only mandate disclosure of third-party categories rather than specific company names.
How to Exercise Your Rights
Consumers may exercise any of these rights by submitting a request to a controller at any time. Parents or legal guardians may exercise rights on behalf of known children. Authorized agents may exercise opt-out rights on a consumer's behalf.
Businesses must respond to opt-out requests within 45 days or as soon as feasibly possible. For all other requests, businesses must respond within 45 days, with a possible one-time extension of an additional 45 days for complex requests.
Consumers are entitled to make these requests free of charge twice per year. Businesses may charge a reasonable fee for additional requests that are manifestly unfounded or excessive.
Universal Opt-Out Mechanism
The MCDPA requires businesses to honor universal opt-out preference signals from approved platforms and technologies. These signals, which can be activated through a web browser, allow consumers to opt out of targeted advertising and data sales across multiple websites without needing to submit individual requests to each business.
The opt-out mechanism must not unfairly disadvantage competitors, must require an affirmative consumer choice rather than relying on default settings, must be consumer-friendly, and must enable the controller to verify the consumer's Minnesota residency.
Appeal Process
Businesses must establish an accessible internal appeal process. If a consumer's rights request is denied, the business must provide a decision within 45 days of the appeal (extendable by 60 days for complex cases), along with clear instructions for filing a complaint with the Minnesota Attorney General.
Sensitive Data Protections
The MCDPA provides heightened protections for sensitive personal data under Section 325M.16. Businesses cannot process sensitive data without first obtaining the consumer's express consent, or in the case of children, parental consent in accordance with the federal Children's Online Privacy Protection Act (COPPA).
Categories of Sensitive Data
The MCDPA defines sensitive data to include:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health conditions or diagnoses
- Sexual orientation
- Citizenship or immigration status
- Genetic data
- Biometric data processed for the purpose of uniquely identifying a specific individual
- Personal data of a known child under age 13
- Specific geolocation data (defined as coordinates with accuracy of more than three decimal degrees)
Biometric Data Protections
Minnesota defines biometric data as automatic measurements of biological characteristics, including fingerprints, voiceprints, iris or retina scans, and other biological patterns used to identify a specific individual. Digital or physical photographs and standard audio or video recordings are excluded from this definition unless they are specifically processed to generate an identifier for an individual.
Businesses must obtain express consent before collecting or processing biometric data. This requirement applies regardless of business size, meaning even small businesses that are otherwise exempt from the MCDPA must follow biometric data consent rules when selling such data.
Children's Data Protections
The MCDPA provides layered protections for children's data:
- Children under 13: Any personal data about a known child under 13 is automatically classified as sensitive data and requires parental consent under COPPA before processing
- Children ages 13 to 16: Businesses cannot process the personal data of consumers known to be between 13 and 16 years old for the purposes of targeted advertising or personal data sales without the consumer's express consent
These provisions work alongside federal protections to create a strong shield for minors' personal information in Minnesota.
Controller and Processor Obligations
Controller Responsibilities
Businesses acting as controllers must meet several obligations under Section 325M.16:
Privacy Notice: Controllers must provide a clear and accessible privacy notice that includes the categories of personal data processed, the purposes of processing, an explanation of consumer rights, categories of data sold or shared with third parties, contact information, data retention policies, and the date of the last update. The notice must be displayed as a conspicuous hyperlink using the word "privacy" on the homepage or application.
Data Minimization: Controllers may collect only personal data that is adequate, relevant, and reasonably necessary for the disclosed purposes. They cannot process data for purposes that are not reasonably necessary or compatible with the originally disclosed purposes without obtaining additional consent.
Data Security: Controllers must establish and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data being processed.
Data Inventory: The MCDPA requires controllers to maintain an inventory of the data they process. This requirement is unique among state privacy laws and helps ensure that businesses have a clear understanding of what personal data they hold and how it is being used.
Consent Revocation: Controllers must provide a mechanism for consumers to revoke consent that is at least as easy as the mechanism used to grant consent. Once revoked, the controller must cease processing within 15 days.
Nondiscrimination: Controllers cannot use personal data to unlawfully discriminate based on race, color, ethnicity, religion, national origin, sex, gender identity, sexual orientation, familial status, source of income, or disability. Controllers also cannot discriminate against consumers for exercising their data privacy rights by denying goods or services, charging different prices, or providing a lower quality of service.
Waiver Prohibition: Any contractual provision requiring a consumer to waive their rights under the MCDPA is void and unenforceable.
Processor Obligations
Processors must adhere to the controller's instructions, assist with consumer rights requests, provide data security information, engage subcontractors only with the controller's approval and a written contract, and allow the controller to perform assessments and inspections.
The relationship between controllers and processors must be governed by a binding agreement specifying the nature and purpose of the processing, the type of data involved, the duration of processing, and the obligations and rights of both parties.
Data Protection Assessments
The MCDPA requires controllers to conduct data privacy and protection assessments under Section 325M.18 for several types of high-risk data processing activities:
| Activity Requiring Assessment | Key Considerations |
|---|---|
| Targeted advertising | Type and sensitivity of data, consumer expectations |
| Sale of personal data | Benefits to controller vs. risks to consumer rights |
| Processing sensitive data | Context of processing, deidentification measures used |
| Processing presenting heightened risk of harm | Nature of relationship between controller and consumer |
| Profiling with risk of unfair treatment | Potential for financial, physical, or reputational injury |
Each assessment must document the chief privacy officer's name and contact information, privacy policies, design practices integrating privacy, data identification procedures, security practices, collection limitation procedures, retention policies, and violation remediation procedures.
The Minnesota Attorney General may request these assessments through a civil investigative demand. However, the assessments are classified as nonpublic data, and disclosing them to the Attorney General does not waive attorney-client privilege.
Enforcement and Penalties
Attorney General Authority
The Minnesota Attorney General has exclusive enforcement authority over the MCDPA under Section 325M.20. There is no private right of action, meaning individual consumers cannot sue businesses directly for MCDPA violations. Instead, consumers who believe their rights have been violated should file a complaint with the Minnesota Attorney General's office.
Cure Period (Expired)
From July 31, 2025 through January 31, 2026, the MCDPA required the Attorney General to issue a written warning identifying specific alleged violations and provide the business a 30-day cure period before taking enforcement action. This cure period was intentionally designed as a temporary measure.
As of January 31, 2026, the cure period has expired. The Minnesota Attorney General is no longer required to provide a warning letter or an opportunity to cure before pursuing enforcement action. This makes Minnesota's MCDPA one of the strictest state privacy laws in the country in terms of enforcement, as most other states maintain a permanent or longer cure period.
Penalties
| Violation Type | Maximum Penalty |
|---|---|
| Each MCDPA violation | Up to $7,500 per violation |
| Injunctive relief | Court order to stop violations |
| Litigation expenses | Reasonable costs recovered by the state |
The Attorney General can bring enforcement actions under Minnesota Statute 8.31 and seek civil penalties, injunctive relief, and reasonable litigation expenses. Given that penalties are assessed per violation, a company that engages in widespread noncompliant practices across many consumers could face substantial total penalties.
No Private Right of Action
Consumers cannot file private lawsuits under the MCDPA. This approach is consistent with most other state data privacy laws, which reserve enforcement power for the state attorney general. If you believe a business has violated your data privacy rights, you should file a complaint with the Minnesota Attorney General.
Data Breach Notification Law
Minnesota's data breach notification law, Minnesota Statutes Section 325E.61, requires businesses to notify consumers when their personal information has been compromised. This law works alongside the MCDPA to create a comprehensive privacy protection framework.
Who Must Notify
Any person or business that conducts business in Minnesota and owns or licenses data containing personal information must disclose a breach of the security system to any Minnesota resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Entities that maintain personal information on behalf of another business but do not own the data must notify the data owner or licensee immediately upon discovering the breach.
Definition of Personal Information
Under Section 325E.61, personal information means an individual's first name or first initial and last name combined with one or more of the following data elements when not encrypted:
- Social Security number
- Driver's license number or Minnesota identification card number
- Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to the account
Notification Timing
Businesses must provide notification in the most expedient time possible and without unreasonable delay. The notification may be delayed if law enforcement determines that it would impede a criminal investigation, but must be provided once law enforcement approves.
Methods of Notification
Businesses may notify affected consumers through:
- Written notice mailed to the most recent address on file
- Electronic notice if electronic communication is the primary method of contact or if it complies with federal electronic records laws
- Substitute notice when costs exceed $250,000, more than 500,000 people are affected, or the business lacks sufficient contact information. Substitute notice requires a combination of email notification, website posting, and notification to major statewide media outlets.
Consumer Reporting Agency Notification
If a breach affects 500 or more people at one time, the business must notify all nationwide consumer reporting agencies within 48 hours regarding the timing, distribution, and content of the breach notices sent to consumers.
Exemptions
Financial institutions as defined under federal law (15 U.S.C. Section 6809(3)) that maintain their own notification procedures consistent with the timing requirements of Section 325E.61 are exempt from the state notification requirements.
Minnesota Government Data Practices Act
Minnesota also has the Government Data Practices Act (Minnesota Statutes Chapter 13), one of the oldest and most comprehensive government transparency laws in the United States. While it primarily governs how state and local government agencies handle data, it provides important rights for Minnesota residents.
Key Provisions
The Government Data Practices Act establishes a presumption that government data are public and accessible for inspection and copying unless classified as private or nonpublic by state or federal law. Key provisions include:
- Right to access: Any person can see and copy data classified as public
- Right to explanation: If access is denied, the government must explain why
- Right to contest: Data subjects may contest the accuracy or completeness of their data in writing
- Remedies: Willful violations carry penalties of $1,000 to $15,000 per violation, plus actual damages, costs, and attorney fees
The Act applies to state agencies, counties, cities, school districts, and certain metropolitan-area townships, but does not apply to the legislature or judiciary.
What Makes Minnesota's Privacy Laws Unique
Minnesota's data privacy framework stands out from other states in several important ways:
Right to Question AI Decisions: Minnesota is one of the first states to grant consumers a specific right to question the results of automated profiling decisions that affect access to jobs, housing, insurance, and other critical services. Consumers can demand an explanation of the reasoning behind the decision and learn what they could have done differently.
Data Inventory Requirement: Minnesota is the only state to require controllers to maintain a formal inventory of personal data they process. This obligation helps ensure businesses know exactly what data they hold and where it is stored.
No Permanent Cure Period: Unlike most state privacy laws that give businesses a permanent opportunity to fix violations before facing penalties, Minnesota's 30-day cure period expired on January 31, 2026. The Attorney General can now take immediate enforcement action without prior warning.
Specific Geolocation Definition: Minnesota defines specific geolocation data as coordinates with accuracy of more than three decimal degrees, providing a clear technical standard that other states lack.
Third-Party Disclosure List: While most states only require businesses to disclose categories of third parties that receive consumer data, Minnesota requires disclosure of the specific third parties by name.
Universal Opt-Out Requirement: Minnesota requires businesses to honor universal opt-out preference signals, allowing consumers to exercise their opt-out rights automatically through browser settings.
This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently, and enforcement interpretations evolve over time. Consult a licensed attorney in Minnesota for advice about your specific situation. Last reviewed: March 2026.
Sources and References
- Minnesota Statutes Chapter 325M - Consumer Data Privacy Act (revisor.mn.gov)
- Minnesota Statutes Section 325M.14 - Consumer Personal Data Rights (revisor.mn.gov)
- Minnesota Statutes Section 325M.12 - Scope and Exclusions (revisor.mn.gov)
- Minnesota Statutes Section 325M.16 - Controller Responsibilities (revisor.mn.gov)
- Minnesota Statutes Section 325M.18 - Data Protection Assessments (revisor.mn.gov)
- Minnesota Statutes Section 325M.20 - Enforcement (revisor.mn.gov)
- Minnesota Statutes Section 325E.61 - Data Breach Notification (revisor.mn.gov)
- Minnesota Statutes Chapter 13 - Government Data Practices Act (revisor.mn.gov)
- HF 2309 Bill Status - 93rd Minnesota Legislature (revisor.mn.gov)
- Minnesota Attorney General - Consumer Data Privacy Act (ag.state.mn.us)
- Minnesota Data Practices Office - Data Breach Notification (mn.gov)
- Minnesota Data Practices Office - Data Practices Laws (mn.gov)