Minnesota MCDPA Compliance Checklist (Minn. Stat. 325M)

Complying with the Minnesota Consumer Data Privacy Act (MCDPA), codified at Minn. Stat. ch. 325M, means more than answering consumer requests. A covered controller must build and document a privacy governance program, including a data inventory that few other state laws require, and be ready to recognize universal opt-out signals, obtain opt-in consent for sensitive data, and answer a consumer's questions about an automated profiling decision.
The MCDPA took effect July 31, 2025 for most controllers, with a delayed July 31, 2029 date for postsecondary institutions regulated by the Office of Higher Education. As of 2026, the Minnesota Attorney General enforces the law under Minn. Stat. 325M.20, the 30-day cure period has sunset, and penalties run up to $7,500 per violation.
Jurisdiction scope: This covers Minnesota's Consumer Data Privacy Act (Minn. Stat. ch. 325M). It is general legal information, not legal advice.
Step 1: Determine whether the MCDPA applies to you
Start with the applicability test in Minn. Stat. 325M.12. The MCDPA reaches a controller that conducts business in Minnesota, or produces products or services targeted to Minnesota residents, and that during a calendar year meets one of two thresholds.
The first threshold is controlling or processing the personal data of 100,000 or more consumers, not counting data processed solely to complete a payment transaction. The second is controlling or processing the data of 25,000 or more consumers while deriving over 25 percent of gross revenue from the sale of personal data.
Minnesota also exempts small businesses as defined by the United States Small Business Administration, although an exempt small business still may not sell a consumer's sensitive data without consent. Map your entity and data sets against the act's exemptions, including the GLBA and HIPAA carve-outs, before concluding you are out of scope.
Step 2: Build a data inventory and governance program
This is the MCDPA's signature compliance burden. Under Minn. Stat. 325M.18, a controller must establish, implement, and maintain reasonable administrative, technical, and physical data security practices, and as part of that program must maintain an inventory of the personal data it manages.
The controller must also document and maintain a description of the policies and procedures it has adopted to comply with the act. That documentation must address data minimization and retention practices and include the name and contact information for the controller's chief privacy officer or other individual with primary responsibility for data privacy.
Few other state privacy laws require a documented data inventory of this kind, so a controller cannot simply copy a Virginia-style program. The inventory is also the foundation for satisfying the specific-third-party list right, because you cannot tell a consumer which named recipients got their data unless you have mapped your data flows. Build this first; the rest of the program depends on it.

Step 3: Update your privacy notice
Under the MCDPA, a controller must provide consumers a reasonably accessible, clear, and meaningful privacy notice. The notice should describe the categories of personal data processed, the purposes for processing, the categories of personal data shared with third parties, and the categories of third parties involved.
The notice must also explain how consumers may exercise their rights and appeal a controller's decision, and it must disclose if the controller sells personal data or processes it for targeted advertising or profiling, along with how to opt out. Because Minnesota requires recognition of universal opt-out signals, the notice should explain that the controller honors such signals.
Step 4: Handle sensitive data and universal opt-out
Two consent and signal duties sit at the heart of MCDPA processing. First, a controller must obtain opt-in consent before processing sensitive data, which includes data revealing racial or ethnic origin, religion, a health condition or diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, precise geolocation, and a known child's data. Consent must be a clear affirmative act; it cannot be buried or inferred from inaction.
Second, the controller must recognize a universal opt-out mechanism, such as the Global Privacy Control, that lets a consumer opt out of sale and targeted advertising through a single browser or device signal. Configure your systems to detect and honor those signals, not just opt-out requests filed one by one.
Step 5: Stand up request handling, the 45-day clock, and appeals
Set up a process for consumers to submit verified rights requests through methods you describe in your privacy notice. The controller generally must respond within 45 days, with one 45-day extension when reasonably necessary and disclosed to the consumer.
You must also offer an appeals process for any refusal. The appeals process must be conspicuous and easy to use, and when an appeal is denied you must give the consumer a method to contact the Minnesota Attorney General. Free responses are generally required once per consumer per year, with reasonable fees allowed only for repeat or manifestly excessive requests.

Step 6: Build a profiling-result answer mechanism
Minnesota is the only state, as of 2026, that requires a controller to answer a consumer's questions about an automated profiling decision, so most off-the-shelf compliance programs will not cover it. If you use profiling in furtherance of decisions that produce legal or similarly significant effects, you need an operational way to respond.
Under Minn. Stat. 325M.14, a consumer may question the result of the profiling. You must be able to inform the consumer of the reason the profiling resulted in the decision and, if feasible, what the consumer might do to secure a different decision in the future. You must also let the consumer review the personal data used, correct it, and have the decision reevaluated if it relied on inaccurate data. Document how your models reach decisions well enough to explain them, because you cannot answer these questions about a model you cannot interpret.
Step 7: Assessments, processor contracts, and enforcement reality
Conduct and document data protection assessments for higher-risk processing, including the sale of personal data, processing for targeted advertising, certain profiling, and the processing of sensitive data. The Attorney General may require a controller to disclose a relevant assessment in connection with an investigation, so keep them retrievable.
Put written contracts in place with every processor. Those contracts must set out processing instructions and require the processor to maintain confidentiality, delete or return data, support the controller's obligations, and submit to audits, consistent with the controller-processor duties in the act.
Finally, budget for the enforcement reality. The Minnesota Attorney General is the sole enforcer under Minn. Stat. 325M.20, civil penalties run up to $7,500 per violation, and there is no private right of action. The 30-day right to cure sunset January 31, 2026, so as of 2026 a cure opportunity is discretionary rather than guaranteed. The safer posture is to be compliant before a complaint arrives, not to rely on fixing problems after the fact.
Sources and References
- Minnesota Statutes Chapter 325M: Consumer Data Privacy Act (Full Chapter) (revisor.mn.gov)
- Minn. Stat. 325M.12: Scope; Exclusions (Applicability Thresholds) (revisor.mn.gov)
- Minn. Stat. 325M.14: Consumer Personal Data Rights and Profiling (revisor.mn.gov)
- Minn. Stat. 325M.14: Controller Response and Appeals (revisor.mn.gov)
- Minn. Stat. 325M.18: Controller Duties, Data Inventory, and Security (revisor.mn.gov)
- Minn. Stat. 325M.20: Enforcement and Civil Penalties (revisor.mn.gov)
- Minnesota Attorney General: MCDPA Business Compliance (ag.state.mn.us)
- Minnesota Attorney General: MCDPA Business Enforcement Overview (ag.state.mn.us)