216.696.8700

Overview:

Minnesota Privacy Law

Please note that this is intended to be a summary. It is not a complete recitation of the applicable laws and/or regulations and is not intended to be used as legal advice.

Minnesota Governor Tim Walz signed the Minnesota Consumer Data Privacy Act (HF 4757 / SF 4782), (the “Minnesota Data Privacy Act” or “MCPA”) into law on May 24, 2024. The MCPA’s main provisions become effective on July 31, 2025.

The Minnesota law creates obligations on “controllers” and “processors” of personal data; defined as a natural or legal person who, alone or jointly with others, determines the purposes and means for processing personal data, and the natural or legal person who processes personal data on behalf of a controller, respectively.

Controllers and processors subject to the MCPA are any persons who conduct business in Minnesota, or who produce a product or offer a service to Minnesota residents, and satisfies one or more of the following: (1) controls or processes personal data of 100,000 or more “consumers” (defined as Minnesota residents acting only in an individual or household context) in a calendar year, excluding personal data processed solely for the purpose of completing a payment transaction; or (2) derives over 25% of gross revenue from th sale of personal data and processes or controls personal data of 25,000 or more consumers.

Information and data exempt from the MCPA include, among other types, personal data subject to regulation under the FCRA, HIPAA, and GLBA.  

Controllers have the following obligations under the MCPA:

  • Privacy Notice: controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice which specifies: (i) the categories of personal data processed; (ii) the purposes for which the personal data is processed; (iii) the categories of third parties to which personal data may be disclosed; (iv) the categories of personal data that the controller shares with third parties; (v) how consumers may exercise their rights, including how a consumer may appeal a controller’s decision on his/her request; and (vi) an active email address or other online mechanism the consumer may use to contact the controller. Controllers must notify consumers when the controller makes a material change to its privacy notice or practices.
  • Restraint: controllers shall limit the controller’s collection of personal data to only the personal data that is adequate, relevant and reasonably necessary to serve the controller’s purposes, as disclosed to the consumer.
  • Security: take reasonable measures to establish, implement and maintain administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of the personal data.
  • Rights Request Mechanism: controllers must provide an effective means by which a consumer may exercise the consumer’s rights and establish a process for the consumer to appeal the controller’s decision on the consumer’s request, which shall be conspicuously available and similar to the process for submitting requests to exercise the consumer’s rights.

The MCPA includes a prohibition against small businesses (as defined by the U.S. Small Business Administration) selling a consumer’s sensitive data without the consumer’s prior consent.

Consumer rights under the MCPA include the right to:

  • Confirm whether a controller processes personal data concerning the consumer and accesses the consumer’s personal data and allow the consumer to obtain a copy of the consumer’s personal data that the controller has processed or is processing;
  • Require a controller to correct inaccuracies in personal data about the consumer;
  • Require a controller to delete personal data concerning the consumer;
  • Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling the consumer in furtherance of decisions made by the controller that produce legal effects or effects of similar significance for the consumer, through a universal opt-out mechanism.

Controllers must respond to a consumer’s rights request within 45 days of receipt of the consumer’s request, with an option to extend such response by an additional 45 days with notice to the consumer.

Like the privacy laws in Utah and Iowa, the MCPA does not provide a private right of action, with violations exclusively enforceable by the Minnesota Attorney General’s office. Until January 31, 2026, controllers are allowed a 30-day period to cure alleged violations before an enforcement action may proceed, the outcome of which may result in civil penalties of up to $7,500 per violation.

Have more Questions?