Minnesota MCDPA Consumer Rights (Minn. Stat. 325M.14)

The Minnesota Consumer Data Privacy Act (MCDPA), codified at Minn. Stat. 325M.14, gives Minnesota residents the rights to access, correct, delete, and port their personal data, plus the right to opt out of targeted advertising, the sale of their data, and profiling. Two rights go further than almost any other state: the right to obtain a list of the specific third parties that received their data, and a right found in no other state law, the right to question the result of an automated profiling decision.

A controller generally must respond to a consumer rights request within 45 days, and consumers may appeal a refusal. As of 2026, the Minnesota Attorney General enforces these rights under Minn. Stat. 325M.20, with civil penalties up to $7,500 per violation and no private right of action.

Jurisdiction scope: This covers Minnesota's Consumer Data Privacy Act (Minn. Stat. ch. 325M). It is general legal information, not legal advice.

The core MCDPA consumer rights

Minnesota consumers hold a familiar set of core rights under Minn. Stat. 325M.14, the same baseline found in most comprehensive state privacy laws. The first is the right to confirm whether a controller is processing the consumer's personal data and to access that data.

The second is the right to correct inaccuracies in the consumer's personal data, taking into account the nature of the data and the purposes of processing. The third is the right to delete personal data concerning the consumer.

The fourth is the right to data portability: to obtain a copy of the personal data the consumer previously provided, in a portable and, to the extent technically feasible, readily usable format that lets the consumer transmit the data to another controller without hindrance. These four rights form the backbone of a Minnesota data request, but the MCDPA adds rights that most states do not.

The right to a list of specific third parties

One of the two features that set Minnesota apart is the ability to learn exactly which third parties received a consumer's data. Under Minn. Stat. 325M.14, a Minnesota consumer may obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data.

At the controller's option, the controller may instead provide a list of the specific third parties to which it has disclosed any personal data. Either way, the disclosure identifies named recipients rather than broad groups.

This goes well beyond the more common model. Most state privacy laws let a consumer learn only the categories of third parties, such as "advertising networks" or "service providers." Minnesota, like Oregon, requires named entities. For consumers, that is a far more meaningful window into where their data actually traveled. For controllers, it is one of the harder rights to satisfy, because it requires tracking disclosures at the recipient level.

The right to question a profiling result: unique to Minnesota

The MCDPA's headline right has no equivalent in any other state privacy law as of 2026. It applies when a consumer is subject to profiling in furtherance of decisions that produce legal effects concerning the consumer or similarly significant effects, such as decisions about credit, housing, insurance, education, or employment.

In that situation, Minn. Stat. 325M.14 gives the consumer the right to question the result of the profiling. The consumer also has the right to be informed of the reason that the profiling resulted in the decision, including, if feasible, the type of data used and how it was relevant.

Minnesota goes further still. The consumer has the right, if feasible, to be informed of what actions the consumer might have taken to secure a different decision, and what actions the consumer might take to secure a different decision in the future. And the consumer has the right to review the personal data used in the profiling, to correct that data, and to have the decision reevaluated if it was based on inaccurate data.

Most state laws stop at letting a consumer opt out of profiling before it happens. Minnesota uniquely lets a consumer who has already been profiled challenge the outcome itself and demand the reasoning. This is the most distinctive consumer right in any U.S. state privacy law and the practical centerpiece of the MCDPA.

The opt-out rights and universal opt-out mechanism

Beyond access-style rights, Minnesota consumers may opt out of three specific processing activities under Minn. Stat. 325M.14: targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.

To make these opt-outs usable at scale, the MCDPA requires controllers to recognize a universal opt-out mechanism, sometimes called an opt-out preference signal, such as the Global Privacy Control. A consumer who configures a browser or device signal can communicate an opt-out of sale and targeted advertising without filing a separate request with every controller. This requirement applies as part of the act's obligations that took effect with the law.

Processing sensitive data carries a higher bar. Sensitive data, which includes data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, precise geolocation, and the personal data of a known child, may not be processed without the consumer's opt-in consent. A controller cannot simply offer an opt-out for sensitive data; it must obtain affirmative permission first.

How to exercise your rights and the 45-day clock

A Minnesota consumer exercises these rights by submitting a request to the controller through a method the controller designates, which the controller must describe in its privacy notice. A controller may need to verify the consumer's identity before acting.

The controller generally must respond within 45 days of receiving the request. When reasonably necessary, the controller may extend that period once by an additional 45 days, as long as it informs the consumer of the extension and the reason for it within the first 45 days. Information must generally be provided free of charge once per consumer per year, though a controller may charge a reasonable fee for a second request within that period or refuse to act on manifestly unfounded or excessive requests.

If a controller declines to act on a request, it must inform the consumer without undue delay and explain the reason. The consumer then has the right to appeal.

Appeals and getting the Attorney General involved

The MCDPA gives consumers an appeal path when a controller refuses to act. A controller must establish a process for a consumer to appeal the controller's refusal to take action on a request, and that process must be conspicuously available and similar to the process for submitting the original request.

Within a set period after receiving an appeal, the controller must respond in writing, explaining the action taken or not taken and the reasons. If the controller denies the appeal, it must provide the consumer with a method to contact the Minnesota Attorney General to submit a complaint.

That referral matters because the Attorney General is the sole enforcer of the MCDPA under Minn. Stat. 325M.20. There is no private right of action, so a consumer cannot personally sue a controller for an MCDPA violation. Civil penalties of up to $7,500 per violation are available to the state. The 30-day right to cure that controllers relied on through 2025 sunset January 31, 2026, so a controller can no longer count on a guaranteed grace period.

Related guides

• Minnesota data privacy laws parent hub
• What is the Minnesota MCDPA?
• Minnesota MCDPA compliance checklist
• State data privacy law comparison
• What is the CCPA?

Sources