Minnesota
What Is the Minnesota Consumer Data Privacy Act (MCDPA)?
The Minnesota Consumer Data Privacy Act (MCDPA), codified at Minnesota Statutes Chapter 325M, took effect July 31, 2025 for most controllers, with a delayed compliance date of July 31, 2029 for postsecondary institutions regulated by the Office of Higher Education and nonprofit corporations governed by Chapter 317A. Enacted in 2024 as part of an omnibus measure (HF 4757) and signed by Governor Tim Walz, it gives Minnesota residents a full slate of data rights plus two features that set it apart nationally: the right to obtain a list of the specific third parties that received their data, and the right to question the result of an automated profiling decision.
As of 2026, the Minnesota Attorney General holds exclusive enforcement authority and may seek civil penalties of up to $7,500 per violation under Minn. Stat. 325M.20. The 30-day right to cure that controllers relied on through 2025 sunset January 31, 2026, so a business can no longer count on a guaranteed grace period before the state acts.
Jurisdiction scope: This covers Minnesota's Consumer Data Privacy Act (Minn. Stat. ch. 325M). It is general legal information, not legal advice.
What the MCDPA is: statute, enactment, and effective dates
The Minnesota Consumer Data Privacy Act is Minnesota's first comprehensive consumer data privacy law. It is codified at Minnesota Statutes Chapter 325M, running from Section 325M.10 through Section 325M.21, and was passed in the 2024 legislative session as part of a large omnibus measure, House File 4757. Governor Tim Walz signed it into law, and most of its substantive obligations took effect July 31, 2025.
The law uses a delayed compliance date for one category of organization. Under the act's effective-date provision, postsecondary institutions regulated by the Office of Higher Education are not required to comply until July 31, 2029. Every other covered controller has been subject to the MCDPA since July 31, 2025.
As of 2026, the MCDPA places Minnesota among the roughly twenty states that have enacted comprehensive consumer privacy statutes. What makes Minnesota stand out is not the breadth of its rights, which track the now-common Virginia model, but two distinctive additions: a specific-third-party list right and a one-of-a-kind right to question automated profiling decisions.
For the full controller and processor obligations, privacy notice content rules, and data protection assessment requirements, see the Minnesota data privacy laws parent page.
Who the MCDPA covers: applicability thresholds
The MCDPA's applicability test lives in Minn. Stat. 325M.12. The law applies to a person that conducts business in Minnesota, or that produces products or services targeted to residents of Minnesota, and that during a calendar year meets one of two data-volume tests.
The first trigger is controlling or processing the personal data of 100,000 or more consumers. Data processed solely to complete a payment transaction does not count toward this figure, so a retailer is not pushed over the threshold by single-purchase card data alone.
The second trigger is controlling or processing the personal data of 25,000 or more consumers while deriving over 25 percent of gross revenue from the sale of personal data. This lower headcount captures data-driven businesses whose model depends on selling personal information.
Minnesota also exempts small businesses as defined by the United States Small Business Administration, although even an exempt small business may not sell a consumer's sensitive data without first obtaining consent. The MCDPA additionally carries the familiar entity-level and data-level exemptions for data and entities regulated under the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, among others.
The specific third-party list right
The MCDPA's first headline feature is the ability to learn exactly which third parties received a consumer's data. Under Minn. Stat. 325M.14, a Minnesota consumer may obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data, or, at the controller's option, any personal data.
This is meaningfully different from the disclosure most state privacy laws require. Under the more common model, a consumer can learn only the categories of third parties, such as "advertising partners" or "analytics vendors." Minnesota, like Oregon, goes further and lets the consumer ask for the named, specific entities.
For businesses, the specific-third-party list right is one of the harder MCDPA obligations to engineer, because it requires tracking disclosures at the level of named recipients rather than broad categories. For consumers, it offers far more transparency about where their data actually traveled. The Minnesota MCDPA consumer rights guide covers this right and the response procedure in depth.
The right to question a profiling result: Minnesota's unique feature
The MCDPA's most distinctive right has no parallel in any other state privacy law as of 2026. When a consumer is subject to profiling in furtherance of decisions that produce legal or similarly significant effects, Minn. Stat. 325M.14 gives the consumer four interlocking rights tied to that profiling.
The consumer may question the result of the profiling. The consumer may be informed of the reason that the profiling resulted in the decision, and, if feasible, be informed of what actions the consumer might take to secure a different decision in the future. The consumer may review the personal data used in the profiling, and may have that data corrected and the decision reevaluated if it was based on inaccurate data.
No other state gives a consumer an affirmative right to challenge the outcome of an automated decision and demand the reasoning behind it. Most comprehensive state laws stop at letting a consumer opt out of profiling. Minnesota goes further, letting a consumer who has already been profiled push back on the result itself. This is the centerpiece distinction of the MCDPA and a meaningful preview of where automated-decision regulation may head nationally.
The data inventory duty: an uncommon affirmative obligation
The MCDPA also imposes a documentation duty that few other state privacy laws require. Under Minn. Stat. 325M.18, a controller must establish, implement, and maintain reasonable administrative, technical, and physical data security practices, and as part of that program must maintain an inventory of the personal data it must manage to carry out its obligations.
Controllers must also document and maintain a description of the policies and procedures the controller has adopted to comply with the act, including a description of data minimization and retention practices and the name and contact information for the controller's chief privacy officer or other responsible individual. This is sometimes described as the first state requirement to mandate a documented data inventory of this kind, an obligation long familiar under the European Union's General Data Protection Regulation.
The practical consequence is that a Minnesota controller cannot treat privacy as a set of one-off responses to consumer requests. It must build and document an ongoing governance program. The Minnesota MCDPA compliance checklist walks through building that inventory and program.
MCDPA vs. CCPA: the key differences
Minnesota's MCDPA and California's CCPA are often compared by companies that operate nationally. The state data privacy law comparison page covers the broader multistate picture, but several differences between the MCDPA and California's CCPA stand out.
| Feature | Minnesota MCDPA | California CCPA/CPRA |
|---|---|---|
| Coverage threshold | 100,000 consumers, or 25,000 plus over 25% of revenue from data sales; SBA small businesses exempt | $25M revenue, 100,000 consumers, or 50% revenue from data sales |
| Question a profiling result | Yes (Minn. Stat. 325M.14), unique nationally | No |
| Third-party disclosure right | Specific named third parties (Minn. Stat. 325M.14) | Categories of third parties |
| Data inventory duty | Required (Minn. Stat. 325M.18) | Not required as a standalone duty |
| Sensitive data | Opt-in consent required | Right to limit use; opt-out model |
| Private right of action | None | Limited, for certain data breaches |
The most consequential differences are the profiling-question right and the third-party list right, neither of which the CCPA provides, and the affirmative data inventory duty. The two laws also differ on sensitive data: California uses an opt-out "right to limit," while Minnesota requires opt-in consent before sensitive data may be processed at all.
Related guides
- Minnesota data privacy laws parent hub
- Minnesota MCDPA consumer rights
- Minnesota MCDPA compliance checklist
- State data privacy law comparison
- What is the CCPA?
Sources
Sources and References
- Minnesota Statutes Chapter 325M: Consumer Data Privacy Act (Full Chapter)(revisor.mn.gov).gov
- Minn. Stat. 325M.12: Scope; Exclusions (Applicability Thresholds)(revisor.mn.gov).gov
- Minn. Stat. 325M.14: Consumer Personal Data Rights(revisor.mn.gov).gov
- Minn. Stat. 325M.18: Controller Duties, Data Inventory, and Security(revisor.mn.gov).gov
- Minn. Stat. 325M.20: Enforcement and Civil Penalties(revisor.mn.gov).gov
- Minnesota Attorney General: Consumer Data Privacy(ag.state.mn.us).gov
- HF 4757 (2024 Regular Session): Omnibus Enacting Measure(revisor.mn.gov).gov
- Minnesota Attorney General: MCDPA Business Enforcement Overview(ag.state.mn.us).gov