
Minnesota Consumer Data Privacy Act Now in Effect: Details Employers Need to Know

In 2024, we covered both Minnesota’s and Rhode Island’s Data Privacy Acts. While Rhode Island’s law will not go into effect until 2026, Minnesota’s Consumer Data Privacy Act (MCDPA) has been in effect since July 31, 2025. Now that businesses are subject to the new MCDPA guidelines, we want to cover the law in more detail to help employers in Minnesota ensure they are prepared.

On May 8, 2025, Governor Greg Gianforte signed Senate Bill 297 (SB 297) into law, revising the existing privacy act. The 2025 revisions will take effect on October 1, 2025. Below is an overview of the amendments to the law that employers operating in Montana or dealing with consumer data in the state need to know.

 

Employer obligations broken down

The MCDPA applies to organizations that conduct business in Minnesota or target Minnesota consumers and meet one of the following thresholds in the previous calendar year:

  • Controlled or processed personal data of 100,000 or more Minnesota consumers, or
  • Derived 25% or more of gross revenue from selling personal data and processed/controlled data of at least 25,000 Minnesota consumers.

The MCDPA defines two basic categories the law applies to: processors and controllers.

Data controllers

Employers that directly collect consumer data, either for their own purposes or for sale to processors, typically fall into the controller category. Businesses in this category that meet the thresholds listed above are required to:

  • Provide a transparent privacy notice in clear and up-to-date language.
  • Obtain explicit opt-in for sensitive data processing, including but not limited to religious beliefs, sexual orientation, race, ethnic origin, biometric data, genetic data, and specific geolocation.
  • Follow universal opt-out mechanisms (UOOMs), allowing consumers to opt out of data processing across platforms. These options must be clearly labeled and prominently displayed.
  • Maintain an inventory of personal data to make sure data processing aligns with legal obligations.
  • Document and maintain compliance regulations, including how controller duties are fulfilled. Contact information for the designated individual responsible for overseeing and documenting compliance must be available for review.
  • Fulfill consumer rights to access, contest, and opt out in a timely and accurate manner (more details on consumer rights are listed below).
  • Limit data collection to what is “relevant, adequate, and reasonably necessary” for the disclosed purpose.

Data processors

Processors are defined as “an entity which processes personal data on behalf of a controller.” Businesses falling under the processor category that meet the thresholds listed above are required to:

  • Uphold data processing guidelines by conducting data protection assessments and responding to consumer rights requests (under “Consumer rights” below).
  • Maintain appropriate measures to protect data, specific to the sensitivity of data being processed.
  • Remain mindful of agreements with data controllers by entering into clear contracts that define the intended use of processing activities, obligations, and the details of the data involved.

The obligations above are a high-level overview of MCDPA. For the full details, obligations, and privacy notice details, please review the full text of the law here.

 

Consumer rights

The MCDPA grants Minnesota residents several new rights regarding their personal data:

  • Right to access and confirm: Consumers have the right to know data is being used, confirm whether a business is processing their personal data, and access that data.
  • Right to correct, question profiling, and delete: Subject to certain exceptions, individuals may correct inaccurate personal data and request deletion.
  • Right to know about third-party sharing: Consumers can request a list of third parties that have received their data.
  • Opt-out rights:
    • Targeted advertising
    • Sale of personal data
    • Automated profiling that produces legal or similarly significant effects

Enforcement and compliance

Consumers are not granted a private right of action, meaning they cannot sue directly under MCDPA. The Minnesota Attorney General’s Office is solely responsible for enforcing the MCDPA. Civil penalties can reach up to $7,500 per violation. Businesses have until January 31, 2026, to cure violations before penalties are imposed.

 

How do I know if MCDPA applies to me?

Organizations should understand that the MCDPA does not apply only to businesses operating in Minnesota; it also applies directly to data collected from Minnesota consumers by businesses outside the state. Businesses that operate outside of Minnesota can still be subject to MCDPA regulations.

Certain businesses that meet the thresholds listed may be exempt from MCDPA, but the exemption can vary based on business category and other nuanced details. Businesses should consult their legal counsel to determine whether MCDPA regulations apply to them.

 

This content is for informational purposes only and shall not constitute legal opinion or advice. Consult your legal counsel to ensure compliance.
