Minnesota Data Privacy Laws: Consumer Rights Guide (2026)

The Minnesota Consumer Data Privacy Act, Minn. Stat. sections 325M.10 to 325M.21, took effect July 31, 2025, and gives consumers rights to access, correct, delete, and port their personal data, opt out of targeted advertising and data sales, and challenge automated profiling decisions that affect jobs, housing, or insurance.
Minnesota has built one of the most comprehensive data privacy frameworks in the United States. The state layers a broad consumer data protection statute, strict health records privacy rules, robust data breach notification requirements, a longstanding government data transparency law, and active enforcement through the Attorney General's office.
This guide covers every major Minnesota data privacy law, the specific rights you have as a consumer, the obligations businesses must meet starting July 31, 2025, and what enforcement has looked like since the MCDPA took effect.
This article addresses Minnesota state data privacy law and the federal laws that apply to Minnesota residents and businesses. It does not cover the data privacy laws of other states.
Minnesota Consumer Data Privacy Act (MCDPA)
The Minnesota Consumer Data Privacy Act, codified as Minn. Stat. sections 325M.10 to 325M.21, was enacted through House File 2309 during the 93rd Minnesota Legislative Session. Governor Tim Walz signed the bill into law in May 2024. It took effect on July 31, 2025.
The MCDPA regulates how businesses collect, use, process, store, sell, share, and analyze personal data belonging to Minnesota consumers. The law is widely regarded as one of the strongest state privacy statutes in the country because of its unique profiling protections, data inventory requirements, and the expiration of its cure period after just six months.

Who the MCDPA Applies To
The MCDPA applies to legal entities that conduct business in Minnesota or produce products or services targeted to Minnesota residents, and that meet at least one of two thresholds during a calendar year under Section 325M.12:
- Control or process the personal data of at least 100,000 Minnesota consumers annually, excluding data processed solely for completing payment transactions, OR
- Derive over 25% of gross revenue from the sale of personal data AND process the personal data of at least 25,000 consumers
The 100,000-consumer threshold covers approximately 1.75% of Minnesota's 5.7 million residents. Most mid-size and large businesses that serve Minnesota customers will fall under the law.
Exempt Entities
The MCDPA exempts several categories of entities from its requirements under Section 325M.12:
- State and local government entities
- Federally recognized Indian tribes
- Financial institutions governed by the Gramm-Leach-Bliley Act (GLBA)
- Entities covered by HIPAA
- Federal credit reporting agencies operating under the Fair Credit Reporting Act (FCRA)
- Educational institutions governed by the Family Educational Rights and Privacy Act (FERPA)
- Insurance companies regulated under Minnesota law
- Air carriers regulated under the Airline Deregulation Act
- Nonprofit organizations established to detect and prevent insurance fraud
- Small businesses as defined by the U.S. Small Business Administration (with an important exception for sensitive data)
Nonprofit corporations and postsecondary institutions regulated by the Office of Higher Education are not required to comply until July 31, 2029.
The small business exemption has a significant limitation. Under Section 325M.17, even small businesses otherwise exempt from the MCDPA cannot sell a consumer's sensitive data without first obtaining the consumer's consent. Violations of this requirement carry the same penalties as other MCDPA violations.
Consumer Rights Under the MCDPA
The MCDPA grants Minnesota consumers seven core privacy rights under Section 325M.14. These rights are among the broadest of any state data privacy law in the country.
Right to Confirm and Access
Consumers can confirm whether a business is processing their personal data and access the specific categories of personal data being collected and used. This allows consumers to understand exactly what information a company holds about them.
Right to Correct
Consumers can request that a business correct inaccurate personal data. The business must take into account the nature of the personal data and the purposes of processing when evaluating the correction request.
Right to Delete
Consumers can request that a business delete the personal data the business has collected about them. Businesses must comply unless an exception applies, such as a legal obligation to retain the data. The right to delete was among the most commonly invoked rights during the law's first six months of enforcement.
Right to Data Portability
Consumers can obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format that allows transmission to another controller. This right helps consumers switch between service providers without losing their data.
Right to Opt Out
Consumers can opt out of three types of data processing:
- Targeted advertising based on personal data collected from the consumer's activities across nonaffiliated websites or online applications
- Sale of personal data to third parties for monetary or other valuable consideration
- Profiling in furtherance of automated decisions that produce legal or similarly significant effects
Right to Question Profiling Decisions
This is one of the MCDPA's most distinctive provisions. When a consumer has been subject to profiling that produces legal or similarly significant effects, the consumer has the right to:
- Question the result of the profiling decision
- Learn the reason that the profiling resulted in the particular decision
- Understand what actions the consumer could have taken to produce a different decision
- Request reevaluation if the profiling decision was based on inaccurate personal data
This provision is specifically designed to protect Minnesota residents from harmful AI-driven decisions affecting access to jobs, housing, insurance, and other critical services. Minnesota is one of the first states to create these rights, ensuring that automated systems cannot deprive residents of important opportunities without explanation or recourse.
Right to a Third-Party Disclosure List
Consumers can obtain a list of the specific third parties to which a business has disclosed their personal data. This goes beyond what most state privacy laws require, which typically only mandate disclosure of third-party categories rather than specific company names.
How to Exercise Your Rights
Consumers may exercise any of these rights by submitting a request to a controller at any time. Parents or legal guardians may exercise rights on behalf of known children. Authorized agents may exercise opt-out rights on a consumer's behalf.
Businesses must respond to opt-out requests within 45 days or as soon as feasibly possible. For all other requests, businesses must respond within 45 days, with a possible one-time extension of an additional 45 days for complex requests.
Consumers are entitled to make these requests free of charge twice per year. Businesses may charge a reasonable fee for additional requests that are manifestly unfounded or excessive.
Universal Opt-Out Mechanism
The MCDPA requires businesses to honor universal opt-out preference signals from approved platforms and technologies. These signals, which can be activated through a web browser, allow consumers to opt out of targeted advertising and data sales across multiple websites without submitting individual requests to each business.
The opt-out mechanism must not unfairly disadvantage competitors, must require an affirmative consumer choice rather than relying on default settings, must be consumer-friendly, and must enable the controller to verify the consumer's Minnesota residency.
Appeal Process
Businesses must establish an accessible internal appeal process. If a consumer's rights request is denied, the business must provide a decision within 45 days of the appeal (extendable by 60 days for complex cases), along with clear instructions for filing a complaint with the Minnesota Attorney General.

Sensitive Data Protections
The MCDPA provides heightened protections for sensitive personal data under Section 325M.16. Businesses cannot process sensitive data without first obtaining the consumer's express consent, or in the case of children, parental consent in accordance with COPPA.
Categories of Sensitive Data
The MCDPA defines sensitive data to include:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health conditions or diagnoses
- Sexual orientation
- Citizenship or immigration status
- Genetic data
- Biometric data processed for the purpose of uniquely identifying a specific individual
- Personal data of a known child under age 13
- Specific geolocation data (defined as coordinates with accuracy of more than three decimal degrees)
Biometric Data Protections
Minnesota defines biometric data as automatic measurements of biological characteristics, including fingerprints, voiceprints, iris or retina scans, and other biological patterns used to identify a specific individual. Digital or physical photographs and standard audio or video recordings are excluded from this definition unless specifically processed to generate an identifier for an individual.
Businesses must obtain express consent before collecting or processing biometric data. This requirement applies regardless of business size, meaning even small businesses otherwise exempt from the MCDPA must follow biometric data consent rules when selling such data.
Children's Data Protections
The MCDPA provides layered protections for children's data:
- Children under 13: Any personal data about a known child under 13 is automatically classified as sensitive data and requires parental consent under COPPA before processing
- Children ages 13 to 16: Businesses cannot process the personal data of consumers known to be between 13 and 16 years old for the purposes of targeted advertising or personal data sales without the consumer's express consent
These provisions work alongside federal COPPA protections to create a strong shield for minors' personal information in Minnesota.
Controller and Processor Obligations
Controller Responsibilities
Businesses acting as controllers must meet several obligations under Section 325M.16:
Privacy Notice: Controllers must provide a clear and accessible privacy notice that includes the categories of personal data processed, the purposes of processing, an explanation of consumer rights, categories of data sold or shared with third parties, contact information, data retention policies, and the date of the last update. The notice must appear as a conspicuous hyperlink using the word "privacy" on the homepage or application.
Data Minimization: Controllers may collect only personal data that is adequate, relevant, and reasonably necessary for the disclosed purposes.
Data Security: Controllers must establish and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data being processed.
Data Inventory: The MCDPA requires controllers to maintain an inventory of the data they process. This is unique among state privacy laws and helps ensure businesses know what personal data they hold and how it is being used.
Consent Revocation: Controllers must provide a mechanism for consumers to revoke consent that is at least as easy as the mechanism used to grant consent. Once revoked, the controller must cease processing within 15 days.
Nondiscrimination: Controllers cannot use personal data to unlawfully discriminate based on race, color, ethnicity, religion, national origin, sex, gender identity, sexual orientation, familial status, source of income, or disability. Controllers also cannot discriminate against consumers for exercising their data privacy rights by denying goods or services, charging different prices, or providing a lower quality of service.
Waiver Prohibition: Any contractual provision requiring a consumer to waive their rights under the MCDPA is void and unenforceable.
Processor Obligations
Processors must adhere to the controller's instructions, assist with consumer rights requests, provide data security information, engage subcontractors only with the controller's approval and a written contract, and allow the controller to perform assessments and inspections.
The relationship between controllers and processors must be governed by a binding agreement specifying the nature and purpose of the processing, the type of data involved, the duration of processing, and the obligations and rights of both parties.
Data Protection Assessments
The MCDPA requires controllers to conduct data privacy and protection assessments under Section 325M.18 for several types of high-risk data processing activities:
| Activity Requiring Assessment | Key Considerations |
|---|---|
| Targeted advertising | Type and sensitivity of data, consumer expectations |
| Sale of personal data | Benefits to controller vs. risks to consumer rights |
| Processing sensitive data | Context of processing, deidentification measures used |
| Processing presenting heightened risk of harm | Nature of relationship between controller and consumer |
| Profiling with risk of unfair treatment | Potential for financial, physical, or reputational injury |
Each assessment must document the chief privacy officer's name and contact information, privacy policies, design practices integrating privacy, data identification procedures, security practices, collection limitation procedures, retention policies, and violation remediation procedures.
The Minnesota Attorney General may request these assessments through a civil investigative demand. However, the assessments are classified as nonpublic data, and disclosing them to the Attorney General does not waive attorney-client privilege.
Enforcement and Penalties
Attorney General Authority
The Minnesota Attorney General has exclusive enforcement authority over the MCDPA under Section 325M.20. There is no private right of action, meaning individual consumers cannot sue businesses directly for MCDPA violations. Consumers who believe their rights have been violated should file a complaint with the Minnesota Attorney General's office or through the state's consumer privacy portal at privacymn.com.
Cure Period Status: Expired
From July 31, 2025 through January 31, 2026, the MCDPA required the Attorney General to issue a written warning identifying specific alleged violations and give the business a 30-day cure period before taking enforcement action. This cure period was intentionally designed as a temporary measure.
As of January 31, 2026, the cure period has expired. The Minnesota Attorney General is no longer required to provide a warning letter or an opportunity to cure before pursuing enforcement action.
Early Enforcement Activity
On February 5, 2026, Attorney General Keith Ellison announced the MCDPA's full enforcement phase. The AG's office reported that from July 31, 2025 through February 2026:
- The office received more than 200 consumer complaints related to MCDPA violations
- Many complaints involved consumers trying to exercise the right to delete their personal data
- The office sent dozens of warning letters to companies with problems related to privacy policies, procedures for honoring consumer rights requests, consent mechanisms for collecting sensitive data, and failures to honor universal opt-out signals
- Company responses were generally productive, with most businesses correcting identified issues quickly
The AG's office emphasized that as of February 2026, enforcement can proceed without prior notice. The privacymn.com portal provides template forms consumers can use to exercise their rights and file complaints.
Penalties
| Violation Type | Maximum Penalty |
|---|---|
| Each MCDPA violation | Up to $7,500 per violation |
| Injunctive relief | Court order to stop violations |
| Litigation expenses | Reasonable costs recovered by the state |
Given that penalties are assessed per violation, a company engaging in widespread noncompliant practices across many consumers could face substantial total penalties. The Attorney General can bring enforcement actions under Minnesota Statute 8.31 and seek civil penalties, injunctive relief, and reasonable litigation expenses.

Data Breach Notification Law
Minnesota's data breach notification law, Minn. Stat. section 325E.61, requires businesses to notify consumers when their personal information has been compromised. This law works alongside the MCDPA to create a comprehensive privacy protection framework.
Who Must Notify
Any person or business that conducts business in Minnesota and owns or licenses data containing personal information must disclose a breach of the security system to any Minnesota resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Entities that maintain personal information on behalf of another business but do not own the data must notify the data owner or licensee immediately upon discovering the breach.
Definition of Personal Information
Under section 325E.61, personal information means an individual's first name or first initial and last name combined with one or more of the following data elements when not encrypted:
- Social Security number
- Driver's license number or Minnesota identification card number
- Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to the account
Notification Timing
Businesses must provide notification in the most expedient time possible and without unreasonable delay. The notification may be delayed if law enforcement determines that it would impede a criminal investigation, but must be provided once law enforcement approves.
Methods of Notification
Businesses may notify affected consumers through:
- Written notice mailed to the most recent address on file
- Electronic notice if electronic communication is the primary method of contact or if it complies with federal electronic records laws
- Substitute notice when costs exceed $250,000, more than 500,000 people are affected, or the business lacks sufficient contact information. Substitute notice requires a combination of email notification, website posting, and notification to major statewide media outlets.
Consumer Reporting Agency Notification
If a breach affects 500 or more people at one time, the business must notify all nationwide consumer reporting agencies within 48 hours regarding the timing, distribution, and content of the breach notices sent to consumers.
Exemptions
Financial institutions as defined under federal law (15 U.S.C. section 6809(3)) that maintain their own notification procedures consistent with the timing requirements of section 325E.61 are exempt from the state notification requirements.
Minnesota Health Records Act
The Minnesota Health Records Act (MHRA), codified at Minn. Stat. sections 144.291 to 144.298, establishes a comprehensive framework for protecting the confidentiality of patient health information in Minnesota. The MHRA must be construed to protect patient health records in a more stringent manner than the federal HIPAA security and privacy rules.
Key Distinctions from HIPAA
The MHRA goes further than HIPAA in several important ways:
- Written consent required for treatment referrals: A Minnesota physician must obtain a patient's written consent before sending records to a specialist, even for treatment purposes. Under HIPAA, a primary care doctor may share records with a specialist without the patient's written consent.
- Covers alternative medicine practitioners: The MHRA applies to chiropractors, acupuncturists, massage therapists, and naturopaths even when they cannot bill insurance electronically. HIPAA does not automatically apply to such practitioners.
- Private right of action: Minnesota patients have a private right of action for violations of the MHRA. HIPAA provides no private right of action, leaving federal enforcement solely to the Department of Health and Human Services.
Patient Rights Under the MHRA
Under Minn. Stat. section 144.292, patients in Minnesota have the right to:
- Request and receive a complete copy of their health record
- Know the identity of individuals who have access to their records
- Consent in writing before their records are released
- Inspect and copy records within a reasonable time
- Contest the accuracy or completeness of their health record
Healthcare providers must generally respond to requests for records within 30 days.
Consent Requirements
Section 144.293 requires explicit written consent for most disclosures of patient health records, including for treatment referrals between providers. The written consent must identify the person authorized to disclose the records, the person authorized to receive them, the records to be disclosed, the purpose of the disclosure, and the expiration date of the consent. The 2025 legislative session amended consent duration and documentation requirements under 2025 c 20 s 118.

Minnesota Government Data Practices Act
Minnesota also has the Government Data Practices Act (Minn. Stat. Chapter 13), one of the oldest and most comprehensive government transparency laws in the United States. While it primarily governs how state and local government agencies handle data, it provides important rights for Minnesota residents seeking access to or correction of government-held records.
Key Provisions
The Government Data Practices Act establishes a presumption that government data are public and accessible for inspection and copying unless classified as private or nonpublic by state or federal law. Key provisions include:
- Right to access: Any person can see and copy data classified as public
- Right to explanation: If access is denied, the government must explain why
- Right to contest: Data subjects may contest the accuracy or completeness of their data in writing
- Remedies: Willful violations carry penalties of $1,000 to $15,000 per violation, plus actual damages, costs, and attorney fees
The Act applies to state agencies, counties, cities, school districts, and certain metropolitan-area townships, but does not apply to the legislature or judiciary. The Minnesota Data Practices Office administers the Act and handles data practice complaints. The 2025 legislative session made technical amendments to several subdivisions in Chapter 13 relating to data classifications and retention.
Federal Privacy Laws That Apply in Minnesota
Several federal laws create a privacy framework that applies to Minnesota residents regardless of whether a covered entity is subject to the MCDPA.
TAKE IT DOWN Act (2025)
Congress enacted the TAKE IT DOWN Act (Pub. L. 119-12) in April 2025. President Trump signed it into law on May 19, 2025. The law:
- Criminalizes the publication of nonconsensual intimate visual depictions (NCII), including AI-generated deepfakes, with penalties of up to two years imprisonment (higher for content involving minors)
- Requires covered platforms to implement a notice-and-removal process for NCII takedown requests within 48 hours
- Gave platforms until May 19, 2026 to implement the notice-and-removal process
The Federal Trade Commission enforces the platform takedown obligations. Criminal provisions took effect immediately on signing.
HIPAA
The Health Insurance Portability and Accountability Act applies to covered entities (health plans, healthcare providers, and healthcare clearinghouses) and their business associates in Minnesota. HIPAA sets minimum standards for the protection of protected health information. The MCDPA expressly exempts entities already covered by HIPAA, but the Minnesota Health Records Act applies an additional layer of protection to healthcare records even for HIPAA-covered providers.
GLBA
The Gramm-Leach-Bliley Act applies to financial institutions in Minnesota and requires them to explain their information-sharing practices to customers and protect sensitive consumer financial data. Financial institutions subject to GLBA are exempt from the MCDPA, but remain subject to GLBA's safeguards and notification rules.
FCRA and FACTA
The Fair Credit Reporting Act regulates consumer reporting agencies and the use of consumer reports in Minnesota. Entities acting as consumer reporting agencies are exempt from the MCDPA but remain subject to FCRA's accuracy, access, and dispute requirements.
COPPA
The Children's Online Privacy Protection Act requires operators of websites and online services directed to children under 13 to obtain verifiable parental consent before collecting personal information. The MCDPA builds on COPPA's foundation for younger users and extends additional protections to consumers ages 13 to 16.
FTC Act Section 5
The Federal Trade Commission Act section 5 prohibits unfair or deceptive acts or practices in commerce. The FTC applies this authority against companies that misrepresent their data privacy practices or fail to implement adequate data security. This authority applies to most Minnesota businesses regardless of whether they are subject to the MCDPA.
APRA 2.0 (Pending)
The American Privacy Rights Act (APRA) was a 2024 bicameral federal draft that did not pass. A revised version referred to as APRA 2.0 was introduced in the 2025 session. As of May 2026, APRA 2.0 has not been enacted into law. Minnesota businesses and consumers should not assume a federal comprehensive privacy law is in effect.
What Makes Minnesota's Privacy Laws Unique
Minnesota's data privacy framework stands out from other states in several important ways.
Right to Question AI Decisions: Minnesota is one of the first states to grant consumers a specific right to question the results of automated profiling decisions that affect access to jobs, housing, insurance, and other critical services. Consumers can demand an explanation of the reasoning behind the decision and learn what they could have done differently.
Data Inventory Requirement: Minnesota requires controllers to maintain a formal inventory of personal data they process. No other state has imposed this obligation. It helps ensure businesses know exactly what data they hold, where it is stored, and for what purpose.
No Permanent Cure Period: Unlike most state privacy laws that give businesses a permanent opportunity to fix violations before facing penalties, Minnesota's 30-day cure period expired on January 31, 2026. The Attorney General can now take immediate enforcement action without prior warning.
Specific Geolocation Definition: Minnesota defines specific geolocation data as coordinates with accuracy of more than three decimal degrees, providing a clear technical standard that other states lack.
Third-Party Disclosure List: While most states only require businesses to disclose categories of third parties that receive consumer data, Minnesota requires disclosure of the specific third parties by name.
Universal Opt-Out Requirement: Minnesota requires businesses to honor universal opt-out preference signals, allowing consumers to exercise their opt-out rights automatically through browser settings.
Health Records Private Right of Action: Unlike HIPAA, the Minnesota Health Records Act gives patients a private right of action for violations, allowing individuals to sue for unauthorized disclosure of their medical records.

Practical Compliance Steps for Minnesota Businesses
Businesses subject to the MCDPA should take the following steps to achieve and maintain compliance:
- Determine applicability: Evaluate whether you meet either threshold (100,000 consumers annually or 25,000 consumers plus 25% of revenue from data sales). Note that the payment-transaction exclusion for the first threshold is narrow.
- Build and maintain a data inventory: Document every category of personal data you collect, why you collect it, how long you retain it, and which processors or third parties receive it. This is a statutory requirement unique to Minnesota.
- Update your privacy notice: The notice must include data retention periods, specific categories of data sold or shared with third parties, and information about how consumers can exercise their rights.
- Establish a consumer rights intake process: Create a mechanism for receiving and responding to access, correction, deletion, portability, and opt-out requests. Set up internal tracking to meet the 45-day response deadline.
- Honor universal opt-out signals: Configure your website and data systems to recognize and act on Global Privacy Control or other approved opt-out signals.
- Obtain consent for sensitive data: Implement a consent workflow before collecting or processing data in any of the nine sensitive categories, and a separate parental consent flow for data of children under 13.
- Complete data protection assessments: Conduct written assessments for all five categories of high-risk processing listed in Section 325M.18 before beginning or continuing such activities.
- Review processor contracts: Ensure all data processing agreements with vendors include the required terms under Section 325M.19.
- Check your consent revocation mechanism: The mechanism for revoking consent must be at least as easy to use as the mechanism for giving consent. Once revoked, you must cease processing within 15 days.
- Review small business exemption limits: Even if you qualify as a small business under SBA definitions, you cannot sell sensitive data without consumer consent.
How Minnesota Residents Can Exercise Their Data Rights
Minnesota residents can take the following steps to exercise their rights under the MCDPA:
- Identify who holds your data: Start with companies whose products or services you use. Check whether the company's privacy notice mentions Minnesota or MCDPA compliance.
- Submit a rights request directly to the business: Send a written request by email or through the company's privacy request portal. Specify whether you are requesting access, correction, deletion, data portability, or opt-out of targeted advertising or data sales.
- Use the AG's resources: Visit privacymn.com for template forms you can use to send rights requests to businesses.
- File a complaint with the AG: If a business refuses your request or fails to respond within 45 days, file a complaint with the Minnesota Attorney General's office. Privacy attorneys in the AG's office review each complaint.
- For health records: Contact your healthcare provider directly under the Minnesota Health Records Act. If the provider refuses, file a complaint with the Minnesota Department of Health or consult a private attorney (the MHRA provides a private right of action).
- For government records: Submit a data request to the relevant state or local government agency under Chapter 13. Contact the Minnesota Data Practices Office if access is denied without adequate explanation.
Sources and References
- Minnesota Statutes Chapter 325M - Consumer Data Privacy Act (revisor.mn.gov)
- Minnesota Statutes Section 325M.14 - Consumer Personal Data Rights (revisor.mn.gov)
- Minnesota Statutes Section 325M.12 - Scope and Exclusions (revisor.mn.gov)
- Minnesota Statutes Section 325M.16 - Controller Responsibilities (revisor.mn.gov)
- Minnesota Statutes Section 325M.18 - Data Protection Assessments (revisor.mn.gov)
- Minnesota Statutes Section 325M.20 - Enforcement (revisor.mn.gov)
- Minnesota Statutes Section 325E.61 - Data Breach Notification (revisor.mn.gov)
- Minnesota Statutes Chapter 13 - Government Data Practices Act (revisor.mn.gov)
- HF 2309 Bill Status - 93rd Minnesota Legislature (revisor.mn.gov)
- Minnesota Attorney General - Consumer Data Privacy Act (ag.state.mn.us)
- Minnesota Data Practices Office - Data Breach Notification (mn.gov)
- Minnesota Data Practices Office - Data Practices Laws (mn.gov)