Does the Minnesota Consumer Data Privacy Act apply to your business?
It turns on how much consumer data you handle. The MCDPA applies to entities that do business in Minnesota or target its residents and that, in a calendar year, control or process the personal data of at least 100,000 consumers (excluding data used only to complete a payment), or at least 25,000 consumers while deriving over 25% of gross revenue from selling personal data. A consumer means a Minnesota resident acting in an individual or household context, not someone acting in a commercial or employment role.
Minnesota followed the Virginia template that much of the country copied, but it diverges in ways that matter for triage. There is no general carve-out for nonprofit organizations — most peer states exempt them outright, but here the only nonprofit relief is for organizations established to detect and prevent insurance fraud. Small businesses are excluded from the general framework, yet they remain on the hook for one rule: they may not sell a consumer's sensitive data without prior consent. The exclusion list otherwise tracks the familiar pattern — government entities, federally recognized tribes, HIPAA, GLBA, FCRA, and FERPA data among them.
Sources for this answer
Primary law
A.1 Minn. Stat. § 325M.12
The MCDPA applies to entities doing business in Minnesota or targeting its residents that control or process the data of at least 100,000 consumers (excluding payment-only data), or 25,000+ while deriving over 25% of gross revenue from selling personal data.
Sections 325M.10 to 325M.21 apply to legal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota, and that satisfy one or more of the following thresholds: (1) during a calendar year, controls or processes personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.
See Minn. Stat. § 325M.12, subd. 1(a).
Primary law
A.2 Minn. Stat. § 325M.17
A small business that is otherwise exempt must still not sell a consumer's sensitive data without the consumer's prior consent.
A small business, as defined by the United States Small Business Administration under Code of Federal Regulations, title 13, part 121, that conducts business in Minnesota or produces products or services that are targeted to residents of Minnesota, must not sell a consumer's sensitive data without the consumer's prior consent.
See Minn. Stat. § 325M.17(a).
What must your Minnesota privacy policy contain?
A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed, the purposes for processing, how consumers exercise and appeal their rights, the categories of data sold or shared and the categories of third parties involved, the controller's contact information, its retention policies, and the date the notice was last updated. Minnesota also makes you document your compliance program internally — including naming a privacy lead and keeping a data inventory.
For a template privacy policy, section 325M.16 is the content checklist, and it is more prescriptive than many peer laws — note the explicit retention-policy and last-updated-date line items. If you sell personal data, run targeted advertising, or profile in ways that produce legal or significant effects, you must disclose that and provide a clear opt-out method outside the notice itself. Separately, section 325M.18 adds an internal-governance layer most states leave implicit: you must document the policies and procedures you adopted to comply, identify who is responsible, and conduct data privacy and protection assessments for higher-risk processing. The notice the policy presents should match the data practices the controller actually carries out.
Sources for this answer
Primary law
B.1 Minn. Stat. § 325M.16
A controller must provide a reasonably accessible, clear, and meaningful privacy notice that includes the categories of personal data processed and the purposes for processing, among other required disclosures.
Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: (1) the categories of personal data processed by the controller; (2) the purposes for which the categories of personal data are processed;
See Minn. Stat. § 325M.16, subd. 1(a).
Primary law
B.2 Minn. Stat. § 325M.18
A controller must document and maintain a description of the policies and procedures it has adopted to comply with the Act, including who is responsible for compliance.
A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with sections 325M.10 to 325M.21.
See Minn. Stat. § 325M.18(a).
What must your contracts with processors say?
A contract between a controller and a processor must govern the processor's data processing on the controller's behalf — so a data processing agreement is a statutory requirement, not a best practice. That contract has to be binding and spell out the processing instructions, the nature and purpose of processing, the type of data, the duration, and each side's rights and obligations.
Section 325M.13 then specifies the required terms: a duty of confidentiality for everyone handling the data, subcontractor flow-down only after the controller has a chance to object, deletion or return of data at the end of the engagement, the information needed to demonstrate compliance, and cooperation with assessments and inspections. As an alternative to direct inspections, a processor may arrange its own qualified independent assessor at least annually and at its own expense. A compliant template DPA tracks each of these, and no contract can sign away a party's statutory liability.
Sources for this answer
Primary law
C.1 Minn. Stat. § 325M.13
A contract between a controller and a processor must govern the processor's data processing performed on behalf of the controller, and must require a duty of confidentiality.
A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.
See Minn. Stat. § 325M.13(c).
Do you need consent to process sensitive data?
Yes. Except as the Act otherwise allows, a controller may not process a consumer's sensitive data without obtaining consent, and for a known child it must instead follow the federal Children's Online Privacy Protection Act. Sensitive data includes personal data revealing race or ethnicity, religious beliefs, a mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status; biometric or genetic information used to uniquely identify someone; the data of a known child; and specific geolocation data.
This is the opt-in model shared by most of the newer state laws — sensitive data is walled off until the consumer affirmatively agrees, and consent obtained through a dark pattern does not count. Minnesota also requires an easy way to revoke consent, with processing stopping within 15 days, and it bars selling or running targeted advertising on the data of consumers the controller knows to be between 13 and 16 without consent. A multi-state template generally has to support universal opt-out signals to stay compliant across jurisdictions, and Minnesota recognizes those signals too.
Sources for this answer
Primary law
D.1 Minn. Stat. § 325M.16
A controller may not process sensitive data without consent, and must handle a known child's data in accordance with COPPA.
a controller may not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of personal data concerning a known child, without obtaining consent from the child's parent or lawful guardian, in accordance with the requirement of the Children's Online Privacy Protection Act
See Minn. Stat. § 325M.16, subd. 2(d).
Primary law
D.2 Minn. Stat. § 325M.11
Sensitive data includes personal data revealing race or ethnicity, religious beliefs, health condition or diagnosis, sexual orientation, or citizenship or immigration status; biometric or genetic data used for identification; a known child's data; and specific geolocation data.
Sensitive data is a form of personal data. “Sensitive data” means: (1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status; (2) the processing of biometric data or genetic information for the purpose of uniquely identifying an individual; (3) the personal data of a known child; or (4) specific geolocation data.
See Minn. Stat. § 325M.11(v).
Can a consumer sue your business under the MCDPA?
No. Nothing in the MCDPA creates a private right of action, so consumers cannot sue under it — the Minnesota Attorney General enforces the law. And unlike several peer states, Minnesota's right to cure was time-limited: the warning-letter-and-30-day-cure provision expired January 31, 2026, so the Attorney General can now bring an enforcement action without first offering a window to fix the problem.
This makes Minnesota's posture stricter than the states whose cure periods are permanent. An uncured violation exposes a controller or processor to an injunction and a civil penalty of up to $7,500 per violation, and the state may also recover its litigation expenses. Because the grace period is gone, the practical move is to stand up the notice, consent, and contracting controls before the Attorney General comes calling rather than counting on a chance to remediate after a complaint.
Sources for this answer
Primary law
E.1 Minn. Stat. § 325M.20
Nothing in the MCDPA establishes a private right of action; enforcement rests with the Attorney General.
Nothing in sections 325M.10 to 325M.21 establishes a private right of action, including under section 8.31, subdivision 3a, for a violation of sections 325M.10 to 325M.21 or any other law.
See Minn. Stat. § 325M.20(d).
Primary law
E.2 Minn. Stat. § 325M.20
The Attorney General's obligation to issue a warning letter and allow a 30-day cure before filing an enforcement action expired January 31, 2026.
If, after 30 days of issuance of the warning letter, the attorney general believes the controller or processor has failed to cure any alleged violation, the attorney general may bring an enforcement action under paragraph (b). This paragraph expires January 31, 2026.
See Minn. Stat. § 325M.20(a).