On May 24, 2024, Minnesota Governor Tim Walz signed the Minnesota Consumer Data Privacy Act (MCDPA) into law, marking a significant step in the state’s efforts to protect consumer data. Effective July 31, 2025, the MCDPA is one of the most robust state-level privacy laws in the United States, introducing stringent requirements for businesses handling personal data. Notably, it’s the first U.S. state law to explicitly mandate a data inventory, setting a new benchmark for transparency and accountability. With enforcement led by the Minnesota Attorney General and penalties up to $7,500 per violation, the MCDPA demands attention from businesses nationwide.
This comprehensive guide explores the MCDPA’s scope, consumer rights, enforcement mechanisms, and unique provisions, such as its data inventory requirement. It also compares the MCDPA to other U.S. state privacy laws and international frameworks like the EU’s General Data Protection Regulation (GDPR), Brazil’s Lei Geral de Proteção de Dados (LGPD), Singapore’s Personal Data Protection Act (PDPA), and Saudi Arabia’s Personal Data Protection Law (PDPL). By delving into these details, the Captain Compliance team provides a definitive resource for understanding and complying with Minnesota’s groundbreaking privacy law, including its data inventory requirement, which adds real complexity to privacy compliance.
MCDPA Scope and Applicability
The MCDPA applies to entities conducting business in Minnesota or targeting Minnesota residents with products or services, provided they meet specific thresholds. These thresholds align with other state privacy laws but include unique elements that broaden the law’s reach.
Who Is the Minnesota Privacy Law Applicable To?
The MCDPA applies to controllers (entities determining the purpose and means of data processing) and processors (entities processing data on behalf of controllers) that:
- Process personal data of 100,000 or more Minnesota consumers annually, or
- Derive over 25% of their gross annual revenue from selling personal data and process data of at least 25,000 Minnesota consumers.
Starting July 31, 2026, the first threshold lowers to 35,000 consumers, expanding the law’s applicability. Exemptions include nonprofit organizations, higher education institutions, government entities, and data subject to federal laws like HIPAA or the Gramm-Leach-Bliley Act. Small businesses as defined by the U.S. Small Business Administration are also exempt, though they must comply with certain data sale restrictions.
Selling Personal Data
The MCDPA defines “sale” broadly as the exchange of personal data for monetary or other valuable consideration. This includes sharing data for targeted advertising, a common practice that now requires explicit consumer consent. Businesses must provide clear opt-out mechanisms for data sales, and sensitive data (e.g., health, biometric, or precise geolocation data) cannot be sold without affirmative opt-in consent.
Consumer Rights and Requests
The MCDPA empowers Minnesota consumers with robust data privacy rights, aligning with other state laws but with distinct nuances. We detail these rights below. If you’re a business, note that several of them differ from other states’ requirements, and our data privacy software tools are built to help you adhere to Minnesota’s more stringent regulations.
What Rights Does the Minnesota Act Give to Consumers?
Consumers have the following rights under the MCDPA:
- Right to Access: Confirm whether a controller processes their personal data and access that data.
- Right to Correction: Correct inaccuracies in their personal data.
- Right to Deletion: Request deletion of personal data, including data shared with third parties.
- Right to Data Portability: Obtain a portable, machine-readable copy of their personal data.
- Right to Opt-Out: Opt out of data sales, targeted advertising, or profiling with significant legal or similar effects.
- Right to Know: Understand how their data is processed through clear privacy notices.
Controllers must respond to consumer requests within 45 days, with a possible 45-day extension for complex requests. Requests must be verifiable, and controllers cannot charge fees unless requests are excessive or unfounded. The best way to track these requests is through a DSAR portal (Ask us for a demo).
Right to Appeal
If a controller denies a consumer request, the MCDPA mandates a clear appeal process. Consumers must be informed of the denial reason and given 60 days to appeal. Controllers must respond to appeals within 60 days, providing a written explanation if the appeal is denied. If the appeal is rejected, consumers can escalate the issue to the Minnesota Attorney General, adding an enforcement layer not seen in all state privacy laws.
MCDPA: Privacy Impact Assessments (PIAs)
The MCDPA requires controllers to conduct and document Privacy Impact Assessments (PIAs) for high-risk processing activities, including:
- Targeted advertising.
- Selling personal data.
- Profiling that poses a risk of unfair treatment, financial harm, or privacy intrusion.
- Processing sensitive data (e.g., racial, health, biometric, or children’s data).
- Any processing posing a “heightened risk of harm” to consumers.
PIAs must weigh the benefits of processing against potential risks, implement safeguards, and be available for review by the Attorney General upon request. This requirement aligns with GDPR’s Data Protection Impact Assessments but is tailored to Minnesota’s focus on consumer harm.
Enforcement and Penalties
The Minnesota Attorney General is the sole enforcer of the MCDPA; there is no private right of action for consumers, which differs from California, where a data breach triggers a private right of action. Violations carry civil penalties of up to $7,500 per violation, calculated per affected consumer or instance of non-compliance. Until January 31, 2026, a 30-day cure period allows businesses to fix violations without penalty, provided they act promptly. After this date, penalties apply immediately for unresolved issues.
Recent enforcement illustrates the stakes: Honda was fined $632,500 for non-compliance in California, Healthline was then hit with a $1.55 million fine, and the TicketNetwork case followed. In July 2025, Connecticut’s Attorney General fined TicketNetwork $85,000 for violating the Connecticut Data Privacy Act (CTDPA) with an unreadable privacy notice and broken opt-out mechanisms. Minnesota’s MCDPA, with its lower penalty cap but broader applicability, could lead to similar enforcement actions for non-compliance, especially against businesses ignoring the data inventory or PIA requirements.
Deidentified and Pseudonymous Data
The MCDPA exempts deidentified and pseudonymous data from many requirements, provided controllers:
- Ensure data cannot be re-identified.
- Contractually obligate recipients to maintain deidentification.
- Implement technical safeguards to prevent re-identification.
This aligns with other state laws but emphasizes accountability, requiring public commitments to deidentification practices. Businesses leveraging such data for analytics or AI training must ensure robust safeguards to avoid penalties.
Targeted Advertising
The MCDPA imposes strict rules on targeted advertising, defined as ads based on personal data from a consumer’s activities across non-affiliated websites. Consumers have a universal opt-out right for targeted advertising, and businesses must provide clear mechanisms (e.g., browser signals or global privacy controls) to honor these preferences. Sensitive data used for advertising requires explicit opt-in consent, aligning with growing consumer demand for control over personalized ads.
The initial House research report, published on March 7 of last year (see here), already set the goal of creating a privacy framework that leaned on the success of GDPR in Europe and California’s privacy laws.
Controller and Processor Regime
The MCDPA establishes a clear controller-processor framework:
- Controllers determine the purpose and means of data processing and are responsible for compliance, including responding to consumer requests and conducting PIAs.
- Processors process data on behalf of controllers and must follow contractual obligations, including security measures and data deletion upon contract termination.
Contracts between controllers and processors must outline processing instructions, security requirements, and audit rights, ensuring accountability throughout the data supply chain.
Unique Privacy Policy Requirements
The MCDPA mandates detailed, accessible privacy notices that disclose:
- Categories of personal data collected and processed.
- Purposes for processing.
- Categories of third parties receiving data.
- Consumer rights and how to exercise them.
- Contact information for the controller’s chief privacy officer (or equivalent).
- Data retention policies and deidentification practices.
Unlike other state laws, the MCDPA requires businesses to document compliance policies and procedures, including a data inventory which we’ve covered in a separate piece. This emphasis on transparency and governance sets Minnesota apart.
What Obligations Does the Minnesota Act Impose on Controllers and Processors?
Controllers and processors face several obligations:
- Data Minimization: Collect only data necessary for the stated purpose.
- Security Practices: Implement reasonable administrative, technical, and physical safeguards, including a data inventory.
- Non-Discrimination: Avoid discriminating against consumers exercising their rights (e.g., denying services or charging higher prices).
- Consent for Sensitive Data: Obtain affirmative consent for processing sensitive data, such as health, biometric, or children’s data.
- Third-Party Accountability: Ensure third parties receiving data comply with MCDPA requirements via contracts.
- Response to Consumer Requests: Verify and respond to requests within 45 days, with a clear appeal process.
Failure to meet these obligations, as seen in the fines levied under the CCPA and CTDPA, could lead to significant penalties.
MCDPA’s Requirements for Data Inventories
Minnesota is the first U.S. state to explicitly require controllers to maintain a data inventory as part of their data security practices. The MCDPA states:
“A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities.”
Key Details:
- Purpose: The data inventory ensures controllers understand the personal data they collect, process, and store, enabling compliance with consumer rights requests and PIAs.
- Scope: The inventory must cover all personal data managed by the controller, though the law doesn’t specify format or content details.
- Security Context: Framed as a security measure, the inventory supports data protection by mapping data flows, identifying risks, and ensuring accessibility for consumer requests.
- No Guidance: The lack of specific requirements means businesses must adopt best practices, such as those under GDPR, to create comprehensive inventories detailing data categories, purposes, and third-party recipients.
- Practical Steps: Businesses should use data mapping tools to automate inventory creation, integrate it into security programs, and update it regularly to reflect changes in data practices.
The McDonald’s McHire breach, where a weak “123456” password exposed 64 million applicants’ data, underscores why data inventories matter. Knowing what data you hold and where it’s stored is critical to preventing such disasters.
Comparison with Other U.S. State Privacy Laws
The MCDPA shares similarities with other state privacy laws but stands out in key areas:
- California Consumer Privacy Act (CCPA): The CCPA, amended by the CPRA, applies to businesses with $25 million in revenue or processing data of 100,000+ consumers. It includes a private right of action for data breaches, unlike the MCDPA’s AG-only enforcement. California’s $1.55 million Healthline settlement in 2025 highlights aggressive enforcement, but the CCPA lacks a data inventory mandate.
- Connecticut Data Privacy Act (CTDPA): The CTDPA, enforced in the $85,000 TicketNetwork case, mirrors the MCDPA’s consumer rights and AG enforcement but doesn’t require a data inventory. Connecticut’s cure period expired in 2025, while Minnesota’s lasts until 2026.
- Colorado Privacy Act (CPA): The CPA requires PIAs and opt-out rights for targeted advertising but lacks a data inventory requirement. Its universal opt-out mechanism (UOOM) is more prescriptive than Minnesota’s.
- Virginia Consumer Data Protection Act (VCDPA): The VCDPA is similar in scope but excludes small businesses entirely, while Minnesota applies to small businesses selling data. Neither mandates a data inventory.
- Unique MCDPA Features: The data inventory requirement and lowered applicability threshold (35,000 consumers by 2026) make Minnesota stricter. Its emphasis on documented compliance policies also sets it apart.
MCDPA Comparison with International Privacy Laws
The MCDPA aligns with global privacy frameworks but differs in scope and enforcement:
- EU General Data Protection Regulation (GDPR): The GDPR, effective since 2018, is the global gold standard, with fines up to €20 million or 4% of annual revenue. It requires Data Protection Impact Assessments (similar to MCDPA’s PIAs) and data mapping as a best practice, but not explicitly as a legal mandate like Minnesota. The GDPR’s extraterritorial reach applies to Minnesota businesses targeting EU residents, as seen in Italy’s €20 million Clearview AI fine in 2022.
- Brazil’s Lei Geral de Proteção de Dados (LGPD): Effective since 2020, the LGPD mirrors GDPR’s consumer rights and requires data mapping for compliance. Fines are lower (2% of Brazil revenue, up to 50 million BRL), but enforcement is growing. Unlike the MCDPA, the LGPD applies to all businesses processing Brazilian data, regardless of size.
- Singapore’s Personal Data Protection Act (PDPA): The PDPA, in place since 2012, focuses on consent and accountability but doesn’t mandate data inventories. Fines are capped at SGD 1 million, lower than GDPR but comparable to MCDPA’s per-violation penalties. Singapore’s emphasis on cross-border data transfers contrasts with Minnesota’s state-specific focus.
- Saudi Arabia’s Personal Data Protection Law (PDPL): Implemented in 2023, the PDPL requires data inventories for high-risk processing and imposes fines up to 5 million SAR. Its focus on government oversight contrasts with Minnesota’s AG-led enforcement, but both emphasize transparency.
The MCDPA’s data inventory mandate aligns closely with GDPR and PDPL best practices, but its state-level scope and lack of private lawsuits make it less punitive than GDPR or LGPD.
Ready For Minnesota Consumer Data Privacy Act Compliance Software?
The Minnesota Consumer Data Privacy Act is a landmark law that strengthens consumer protections and sets a new standard for data governance in the U.S. Its unique data inventory requirement, coupled with robust consumer rights and strict enforcement, positions Minnesota as a leader in state-level privacy regulation. Businesses are already preparing to comply, especially given the lowered applicability threshold in 2026, and we’re here to help. The TicketNetwork enforcement action and the McDonald’s McHire breach highlight the risks of non-compliance, while comparisons with other state and international laws underscore the MCDPA’s forward-thinking approach. By prioritizing data inventories, transparency, and consumer empowerment, Minnesota is paving the way for a more secure data privacy framework. Businesses ignoring these rules do so at their peril: $7,500 per violation adds up fast.
To read the entire text direct from the Minnesota House of Representatives, see the full PDF here: https://www.house.mn.gov/comm/docs/C6hTV3TEt0W2vuhEMtczrQ.pdf