← Back to Blog

Minnesota Consumer Data Privacy Act: What Online Businesses Need to Know

Minnesota's privacy law takes effect in 2025 with strong data inventory and profiling requirements. Here's what it means for your business.

2026-03-03

The Minnesota Consumer Data Privacy Act (MCDPA) took effect on July 31, 2025, making Minnesota one of the more recent states to join the comprehensive privacy law landscape. Minnesota's law includes some notable provisions around data inventories and profiling transparency that go beyond what most states require.

Who Does Minnesota's Law Apply To?

The MCDPA applies to businesses that conduct business in Minnesota or target Minnesota residents and meet either threshold:

  • Control or process personal data of at least 100,000 Minnesota consumers per year, OR
  • Control or process personal data of at least 25,000 Minnesota consumers and derive more than 25% of gross revenue from selling personal data

Government entities, nonprofits, HIPAA-covered entities, and financial institutions under GLBA are exempt.

Key Features

Data Inventory Requirement

Minnesota requires businesses to maintain a data inventory — a documented record of:

  • Categories of personal data collected
  • Purpose for each category
  • Categories of third parties with whom data is shared
  • Approximate timeframes for data retention

This goes beyond simply having a privacy policy — you need an internal document that maps your actual data practices.

Profiling Transparency

If you use profiling that produces legal or similarly significant effects on consumers, you must:

  • Provide notice that profiling is occurring
  • Explain the logic involved
  • Describe the likely outcome
  • Allow consumers to opt out

Consumer Rights

Minnesota consumers can:

  • Access their personal data, including a list of specific third parties to whom data has been disclosed
  • Correct inaccurate data
  • Delete their personal data
  • Data portability — obtain a copy
  • Opt out of sale, targeted advertising, and profiling
  • Question profiling results — challenge the outcome of automated decisions

The right to question profiling results is uncommon among state privacy laws.

Sensitive Data and Consent

Opt-in consent required before processing sensitive data, with the standard categories plus:

  • Precise geolocation within 1,750 feet
  • Biometric and genetic data
  • Children's data

Enforcement

Enforced by the Minnesota Attorney General. No private right of action. Minnesota includes a 30-day cure period for the first year, which is set to expire.

Minnesota Compliance Checklist

  • Privacy policy with all disclosures including specific third-party recipients
  • Data inventory — internal documentation of all data processing activities
  • Cookie consent banner with opt-out
  • Profiling transparency — notice and opt-out for automated decisions
  • Consumer request process — including right to question profiling
  • Sensitive data consent — opt-in
  • Data protection assessments for high-risk processing

Check Your Compliance

ClearConsent scans your site against all 19 US state privacy laws including Minnesota's requirements.

Scan your site free — no signup required.

Ready to check your site's compliance?

ClearConsent scans your website against 21 privacy laws in under 60 seconds.

Scan Your Site Free