Minnesota Consumer Data Privacy Act
The Minnesota Consumer Data Privacy Act (MNCDPA) joins the chorus of states passing consumer privacy laws following the Washington Privacy Act model. For most organizations, the MNCDPA effective date is July 31, 2025, though postsecondary institutions regulated by the Office of Higher Education are not required to comply until July 31, 2029. With requirements for organizations to maintain a data inventory and a description of their compliance program, plus heightened access rights for consumers, MNCDPA may mean operational challenges for organizations.
What you need to know about the MNCDPA:
MNCDPA applies to entities that are not small businesses as defined by the United States Small Business Administration and that:
- Conduct business in Minnesota or produce products or services targeted to residents of Minnesota (consumers), and
- Annually (during a calendar year) control or process the PI of either:
  - At least 100,000 consumers, excluding personal information used solely for completing payment transactions; or
  - At least 25,000 consumers and derive more than 25% of gross revenue from the sale of personal information.
Note: Under the MNCDPA, small businesses may not sell sensitive PI without consent.
Exempt Entities: Minnesota offers limited entity-level exemptions, including:
- State government entities;
- Federally recognized Native American tribes;
- A state or federally chartered bank or credit union, or an affiliate or subsidiary that is principally engaged in financial activities;
- Certain insurers;
- Small businesses, as defined by the United States Small Business Administration so long as they do not engage in the sale of sensitive PI without the consumer’s consent;
- Nonprofits that detect and prevent insurance fraud; and
- Certain air carriers.
Exempt Data: Minnesota also offers limited data-level exemptions, including:
- Protected health information covered under HIPAA and processed by a covered entity or business associate;
- GLBA-covered data;
- Various federally and internationally protected health and patient information, including that protected by the Common Rule, human subject data, and more;
- Various forms of credit data regulated by the Fair Credit Reporting Act; and
- Data covered by a wide variety of other federal laws, including the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Driver’s Privacy Protection Act.
Exempt Use Cases: MNCDPA is not applicable in some circumstances, such as:
- Processing PI in an employment or commercial (B2B) context;
- Processing PI for emergency contact purposes; and
- Processing PI of another individual in relation to the provision of benefits.
In addition, MNCDPA specifies that the law should not be construed to restrict a business’s collection, use, or retention of PI for:
- Conducting internal research for development, improvement, and repair of products, services, and technology (R&D);
- Product recalls;
- Identifying and repairing technical errors that impair existing or intended functionality; and
- Performing internal operations.
Key Components of MNCDPA
The MNCDPA covers “personal data,” also called personal information or PI, which is defined as “any information that is linked or reasonably linkable to an identified or identifiable person.”
The definition exempts de-identified data and information made publicly available through government records, the media, or the consumer.
Minnesota’s definition of sensitive PI consists of:
- Racial or ethnic origin;
- Religious beliefs;
- Mental or physical condition or diagnosis;
- Sex life or sexual orientation;
- Citizenship or immigration status;
- PI about a known child;
- Precise geolocation data; or
- Genetic or biometric data processed for identification purposes.
While not technically sensitive data, Minnesota includes a unique anti-discrimination provision mandating that a controller shall not process PI on the basis of a variety of characteristics about a consumer such that it would discriminate in the availability of housing, employment, credit, or education; or the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation.
Where a controller processes de-identified data, Minnesota requires it to take reasonable measures to ensure the data cannot be associated with an individual, publicly commit to maintaining such data without an attempt to re-identify it, and contractually obligate any recipients of the data to comply with the MNCDPA.
Minnesota also exempts pseudonymous data from access, correction, and deletion rights requests where the controller can show it keeps information that would allow the data to be re-identified separately and subject to technical and organizational controls that prevent its use for re-identification.
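The pseudonymous-data carve-out above turns on a technical control: the dataset that is shared or analyzed must not contain the information needed to re-identify people, and that information must be held separately. The following Python is an added illustration of that pattern (it is not code from the page or from any vendor named on it): direct identifiers are replaced with keyed HMAC tokens, and the key and token-to-identifier map live in a separate vault object that the recipients of the pseudonymized records never receive. The record shapes, field names, and sample values are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example: keyed pseudonymization with the re-identification material
# held apart from the pseudonymized dataset. Records and field names are constructed.


class ReidentificationVault:
    """Holds the HMAC key and the token -> identifier map.

    In a deployment this lives in a separately access-controlled store; the
    analytics consumers receive only the output of pseudonymize_records().
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: dict[str, str] = {}

    def pseudonymize(self, identifier: str) -> str:
        # HMAC rather than a bare hash: without the key, a party holding the
        # token cannot recompute it from a known or guessed identifier.
        token = hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
        self._lookup[token] = identifier
        return token

    def reidentify(self, token: str) -> Optional[str]:
        # Only the controller's restricted process, holding the vault, can do this.
        return self._lookup.get(token)


def pseudonymize_records(records: list, fields: tuple, vault: ReidentificationVault) -> list:
    """Return copies of the records with the named direct identifiers replaced by tokens.

    The same identifier always maps to the same token, so records stay linkable
    within the dataset (that is what makes the data pseudonymous, not anonymous).
    """
    out = []
    for rec in records:
        new_rec = dict(rec)
        for f in fields:
            if f in new_rec and new_rec[f] is not None:
                new_rec[f] = vault.pseudonymize(str(new_rec[f]))
        out.append(new_rec)
    return out


def dataset_exposes_value(records: list, value: str) -> bool:
    """Release gate: does any field in the shared dataset still equal a raw identifier?"""
    return any(str(v) == value for rec in records for v in rec.values())


def plain_hash_matches_token(identifier: str, token: str) -> bool:
    """Shows why the key is the control: an unkeyed SHA-256 of the identifier does
    not reproduce the token, so handing out tokens does not hand out identifiers
    to anyone who can hash a known value."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest() == token


# Constructed sample records (not real consumer data).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "zip": "55401", "plan": "basic"},
    {"email": "bob@example.com", "zip": "55104", "plan": "premium"},
    {"email": "alice@example.com", "zip": "55401", "plan": "premium"},
]

if __name__ == "__main__":
    vault = ReidentificationVault()
    shared = pseudonymize_records(SAMPLE_RECORDS, ("email",), vault)
    for rec in shared:
        print(rec)
    print("raw email present in shared set:", dataset_exposes_value(shared, "alice@example.com"))
    print("vault round trip:", vault.reidentify(shared[0]["email"]))
```

The separation is organizational as much as technical: the vault is the only component that can reverse a token, so access to it should be restricted and logged, and the pseudonymized output can be handed to analytics or vendors without carrying the re-identification material with it.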
In a word: YES!
Parental consent is required to collect and process PI from a known child (under 13) in accordance with COPPA. Consent of minors between 13 and 16 is required for the sale of their PI and to use it for targeted advertising.
Consent is also required for secondary use of information that is not necessary or compatible with the purpose for collection and hasn’t been noticed to the consumer.
The notice must be conspicuous and, when posted online, reachable from the homepage of the company’s website (where applicable) through a hyperlink labeled “Privacy.” The notice must be provided in all languages in which an organization provides a product or service and be reasonably accessible to individuals with disabilities.
A privacy notice must include:
- Categories of PI processed;
- Purpose for processing PI;
- Consumer rights including methods to exercise privacy rights and appeal a rights decision;
- Categories of PI sold or shared with third parties;
- Categories of third parties with which PI is sold or shared;
- Controller’s contact information;
- A description of the controller’s retention policies for PI;
- A clear and conspicuous method for consumers to submit an opt-out request; and
- The date the notice was last updated.
Somewhat unique to Minnesota, when a controller makes a material change to their privacy notice or practices, they must notify affected consumers about the changes and provide an opportunity to withdraw consent for further use of their data. Controllers must take reasonable electronic measures to ensure notification reaches the affected consumers.
Minnesota defines “sale” to include exchange for monetary or other valuable consideration.
There are limits on the definition of “sale” to ensure that certain business functions are not unintentionally impeded by this law. Examples of activities deemed not to be a sale include: the disclosure of PI to provide a product or service requested by the consumer, disclosure of PI intentionally made public, and the disclosure of PI as part of a merger.
The Attorney General (AG) has sole enforcement authority. The AG may bring an enforcement action after providing 30 days’ notice and an opportunity for the business to cure the alleged violation(s); the cure period ends January 31, 2026. Penalties may include injunctive relief (the company must immediately stop certain behaviors) and/or fines of up to $7,500.
Privacy Rights
Privacy rights under the MNCDPA generally align with those provided under other state laws. Note that Minnesota joins Oregon in providing a more detailed right to know. If MNCDPA applies to your business, you must provide the following privacy rights to consumers:
- Right to know whether a business is processing your PI;
  - A consumer can request a list of third parties who have received their PI from the controller. If specific consumer-level data isn’t maintained, a general list of third parties who have received any consumer’s PI can be provided instead.
- Right to access PI;
- Right to correct inaccuracies in PI;
- Right to delete PI about them;
- Right to obtain a copy of PI (data portability) previously provided to the controller; and
- Right to opt out of the sale of PI, processing for targeted advertising, or profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the consumer.
  - Additionally, a consumer has the right to question and understand decisions made through data profiling that affect them legally or significantly. They can review the data used, have it corrected if inaccurate, and get the decision reevaluated based on the corrected data.
Minnesota requires that businesses respond to privacy rights requests within 45 days of receipt, with a permissible 45-day extension in limited circumstances. Responses must be provided free of charge twice a year. Businesses may deny a rights request in certain circumstances, including inability to verify the identity of a requestor. When a business denies a request, the business must notify the consumer within the 45-day timeframe and provide the reason for the denial as well as instructions for how to appeal the decision.
The appeals process must be conspicuously available to consumers and similar to the process for submitting an initial privacy rights request. Businesses must respond to appeals within 45 days of receipt, with a 60-day extension available when necessary; if denying an appeal, the business must provide or specify information that enables the consumer to contact the AG.
Universal Opt Out
Minnesota requires that controllers recognize universal opt-out signals. Universal opt-out, or global privacy control, is a technical standard that enables users to automatically communicate their privacy preferences, such as opting out of the sale of their PI, to websites through their web browser or other technologies.
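In practice, the universal opt-out signal the paragraph describes arrives at the server as an HTTP request header: the Global Privacy Control specification defines `Sec-GPC: 1` as the user's opt-out assertion (browsers also expose it to scripts as `navigator.globalPrivacyControl`), and a site can advertise that it honors the signal by publishing `/.well-known/gpc.json`. The Python below is an added example of how a controller's request handling could recognize the header and record the opt-out; it is not code from the page or from any named project. Mapping the signal to the sale and targeted-advertising opt-outs, and the shape of the preference record, are the example's own choices; the sample request is constructed.

```python
import json

# Constructed sample request (not a real capture). The Sec-GPC header is defined by
# the Global Privacy Control specification; "1" is the only value meaning "opt out".
SAMPLE_REQUEST = (
    "GET /account HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Sec-GPC: 1\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    "\r\n"
)


def parse_request_headers(raw: str) -> dict:
    """Split the header block of a raw HTTP/1.1 request into a name -> value dict."""
    head, _, _ = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def gpc_signal_present(headers: dict) -> bool:
    """True only when a Sec-GPC header is present with the value "1".

    Header names are case-insensitive, so match on the lowercased name; any other
    value (or no header) is treated as "no signal", never as "consent to sell".
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_opt_out_signal(prefs: dict, headers: dict) -> dict:
    """Return an updated copy of a consumer's preference record (constructed shape).

    A GPC signal switches on the opt-outs this example maps it to (sale and
    targeted advertising). The absence of a signal on a later request must not
    turn an existing opt-out back off, so the function only ever adds opt-outs.
    """
    updated = dict(prefs)
    if gpc_signal_present(headers):
        updated["opt_out_sale"] = True
        updated["opt_out_targeted_advertising"] = True
        updated["opt_out_source"] = "gpc"
    return updated


def gpc_well_known_document(last_update: str) -> str:
    """Body for /.well-known/gpc.json, declaring that the site honors the signal.
    last_update is an ISO date string (YYYY-MM-DD)."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


if __name__ == "__main__":
    headers = parse_request_headers(SAMPLE_REQUEST)
    prefs = {"opt_out_sale": False, "opt_out_targeted_advertising": False}
    print("signal present:", gpc_signal_present(headers))
    print("updated preferences:", apply_opt_out_signal(prefs, headers))
    print("well-known document:", gpc_well_known_document("2025-07-31"))
```

The two points worth carrying into a real implementation are the asymmetry (a signal can only add opt-outs, never remove one) and the strict value check, so that a malformed or absent header is never read as permission to sell or target.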
Privacy Impact Assessments
MNCDPA requires that regulated businesses conduct data protection or privacy impact assessments.
Minnesota requires assessments for certain activities, specifically including:
- Processing for targeted advertising;
- Processing sensitive PI;
- Selling PI;
- Any processing that presents a heightened risk of harm to consumers;
- Processing for the purposes of profiling if it presents a ‘reasonably foreseeable risk’ of:
  - Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  - Financial or physical injury to consumers;
  - Physical or other intrusion on the solitude or seclusion, or private affairs or concerns, of consumers, which would be offensive to a reasonable person; or
  - Other substantial injury.
Unique to Minnesota, a controller must document and maintain a description of its policies and procedures to comply with data privacy laws. This includes:
- Contact information for the chief privacy officer or privacy leader.
- A description of data privacy policies and procedures designed to meet obligations under the law, including:
  - Providing PI to consumers as required;
  - Appropriate data security;
  - Maintaining a data inventory;
  - Data minimization; and
  - Identifying and addressing violations of the law.
Vendor Contracts
MNCDPA requires that organizations have a contract with vendors that dictates obligations regarding processing PI. Contracts must include:
- Instructions for processing PI;
- The nature and purpose of processing;
- Type of data that is subject to processing;
- The duration of processing;
- A duty of confidentiality for individuals who process the PI;
- Compliance with audits by the controller or independent auditor;
- An opportunity for the controller to object to a sub-processor;
- A requirement that the processor pass its obligations along to any subcontractor in a written contract;
- Security obligations;
- Obligation to delete or return all PI at the controller’s direction or when it has completed the services, unless retention of the PI is required by law; and
- An obligation to make available all information necessary to demonstrate the processor’s compliance with its obligations.
Data Minimization
Minnesota limits the collection of PI “to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.” Where processing is not necessary for or compatible with the purpose of collection, organizations must obtain consumers’ consent for the processing. Additionally, controllers may not retain PI that is no longer relevant and necessary for the purposes for which it was collected.
Note: Minnesota is the first state to require companies to maintain a data inventory.
Data Privacy is Just Good Business
Managing privacy compliance with all these new state privacy laws popping up in the U.S. might seem like a daunting task. But just because the task appears daunting doesn’t mean it’s impossible to handle.
You don’t have to go it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate.