Applies to businesses processing personal data of 100,000+ Minnesota residents, or 25,000+ if you derive 25%+ of revenue from data sales. Cure period ended January 31, 2026.
Effective
2025-07-31
Penalty max
$7,500
Cure period
None
Honor GPC
Required
Overview
The Minnesota Consumer Data Privacy Act (MCDPA) took effect July 31, 2025. Minnesota's law has two distinguishing features. First, it includes a 'right to question profiling' — consumers can challenge automated decisions made about them and request human review, an obligation not found in most state privacy laws. Second, like Oregon and Delaware, Minnesota gives consumers the right to a list of specific third-party recipients of their personal data, not just categories. The 30-day cure period sunset on January 31, 2026.
Who it applies to
Businesses processing personal data of 100,000+ Minnesota residents annually.
Businesses processing personal data of 25,000+ Minnesota residents AND deriving 25%+ of revenue from selling personal data.
Consumer rights
Right to access
Consumers can request a copy of the personal data you hold about them.
Right to correction
Consumers can request you correct inaccurate personal data.
Right to deletion
Consumers can request you delete their personal data, subject to limited exceptions.
Right to portability
Consumers can request a machine-readable copy of their data to transfer elsewhere.
Right to opt out of sale
Consumers can opt out of the sale of their personal data to third parties.
Right to opt out of targeted advertising
Consumers can opt out of personalized ad targeting based on their behavior.
Right to opt out of profiling
Consumers can opt out of automated profiling for decisions with legal or similarly significant effects.
Right to know specific third-party recipients
Consumers can request a list of the specific third parties to whom you have disclosed their personal data.
What this means for e-commerce
Minnesota has a unique and operationally significant requirement: consumers can not only opt out of profiling but can also question the result of profiling decisions and request human review. Minnesota also gives consumers the right to a list of specific third-party recipients (like Oregon and Delaware). The cure period sunset January 31, 2026.
Penalties & enforcement
Enforced by the Minnesota Attorney General. Penalties range from $0 to $7,500 per violation.
The cure period sunset on 2026-01-31 — the AG can bring enforcement actions immediately upon finding a violation, without first giving you time to fix the problem.
Compliance checklist
Add a 'Your Privacy Choices' link in the site footer
Implement a system to track which specific third parties receive personal data per consumer (Minnesota-specific)
Implement a process for consumers to question profiling decisions and request human review (Minnesota-specific)
Configure your site to detect and honor Global Privacy Control (GPC) signals
Update privacy policy with MCDPA-required disclosures
Implement a 45-day consumer request response process
Conduct data protection assessments for high-risk processing
Does the MCDPA apply to your business?
Run a free 60-second compliance check across all state privacy laws — including Minnesota.
BriefStack is for informational purposes only and does not constitute legal advice. For decisions specific to your business, consult a qualified attorney.