The Minnesota Consumer Data Privacy Act (MCDPA) will take effect on July 31,
2025, except that postsecondary institutions regulated by the Minnesota Office of Higher
Education are not required to comply until July 31, 2029. The Minnesota attorney general
enforces the MCDPA. This article discusses the MCDPA's application, definitions,
consumer rights, and notices.
MCDPA Application and Definitions
The MCDPA applies to legal entities that conduct business in
Minnesota or produce products or services that are targeted to Minnesota residents
and that satisfy any of the following thresholds.
During a calendar year, controls or processes personal data of 100,000 or more consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
Derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of 25,000 or more consumers.
A controller or processor acting as a technology provider under Minn. Stat. § 13.32 must comply with Minn. Stat. § 13.32 and the MCDPA, except that when the provisions of Minn. Stat. § 13.32 conflict with the MCDPA, Minn. Stat. § 13.32 prevails.
In addition, the MCDPA applies to a small business, as defined by
the US Small Business Administration under Code of Federal Regulations, title 13,
part 121, that conducts business in Minnesota or produces products or services that
are targeted to Minnesota residents as follows. Such a small business must not sell
a consumer's sensitive data without the consumer's prior consent, and penalties and
Minnesota attorney general enforcement procedures under Minn. Stat. § 325M.20 apply
to a small business. The MCDPA supersedes and preempts laws, ordinances,
regulations, or the equivalent adopted by any local government regarding the
processing of personal data by controllers or processors.
"Consumer" means a natural person who is a Minnesota resident acting only in an individual or household context, excluding a natural person acting in a commercial or employment context.
"Controller" means the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.
"Process" or "processing" means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means, including without limitation, the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
"Processor" means a natural or legal person who processes personal data on behalf of a controller.
"Personal data" means any information that is linked or reasonably
linkable to an identified or identifiable natural person and does not include
de-identified data or publicly available information.
"Identified or identifiable natural person" means a person who can be readily identified, directly or indirectly.
"De-identified data" means data that cannot reasonably be used to
infer information about or otherwise be linked to an identified or identifiable
natural person or a device linked to an identified or identifiable natural person,
provided that the controller that possesses the data does the following.
Takes reasonable measures to ensure that the data cannot be associated with
a natural person;
Publicly commits to process the data only in a de-identified fashion and not
attempt to reidentify the data; and
Contractually obligates any recipients of the information to comply with the foregoing requirements.
"Publicly available information" means information that is lawfully made available from federal, state, or local government records or widely distributed media, or information that a controller has a reasonable basis to believe has lawfully been made available to the general public.
"Sensitive data" is a form of personal data and means the
following.
Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status;
The processing of biometric data or genetic information for the purpose of uniquely identifying an individual;
The personal data of a known child; or
Specific geolocation data.
"Biometric data" means data generated by automatic measurements of
an individual's biological characteristics, including a fingerprint, a voiceprint,
eye retinas, irises, or other unique biological patterns or characteristics that are
used to identify a specific individual and does not include the following.
A digital or physical photograph;
An audio or video recording; or
Any data generated from a digital or physical photograph, or an audio or video recording, unless the data is generated to identify a specific individual.
"Genetic information" has the meaning given in Minn. Stat. § 13.386, subdivision 1.
"Known child" means a person under circumstances where a controller has actual knowledge of, or willfully disregards, that the person is under 13 years of age.
"Specific geolocation data" means information derived from technology, including without limitation, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the geographic coordinates of a consumer or a device linked to a consumer with an accuracy of more than three decimal degrees of latitude and longitude or the equivalent in an alternative geographic coordinate system, or a street address derived from the coordinates and does not include the content of communications, the contents of databases containing street address information which are accessible to the public as authorized by law, or any data generated by or connected to advanced utility metering infrastructure systems or other equipment for use by a public utility.
"Sale" means the exchange of personal data for monetary or other
valuable consideration by the controller to a third party and does not include the
disclosure of the following.
Of personal data to a processor who processes the personal data on behalf of the controller;
Of personal data to a third party for the purposes of providing a product or service requested by the consumer;
Or transfer of personal data to an affiliate of the controller;
Of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience; or
Or transfer of personal data to a third party as an asset that is part of a completed or proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.
"Sale" also does not include the exchange of personal data between
the producer of a good or service and authorized agents of the producer who sell and
service the goods and services, to enable the cooperative provisioning of goods and
services by both the producer and the producer's agents.
"Third party" means a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller.
"Affiliate" means a legal entity that controls, is controlled by,
or is under common control with another legal entity, and for the purposes of this
definition, "control" or "controlled" means the following.
Ownership of or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company;
Control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or
Power to exercise a controlling influence over the management of a company.
"Targeted advertising" means displaying advertisements to a
consumer where the advertisement is selected based on personal data obtained or
inferred from that consumer's activities over time and across nonaffiliated websites
or online applications to predict the consumer's preferences or interests and does
not include the following.
Advertising based on activities within a controller's own websites or online applications;
Advertising based on the context of a consumer's current search query, visit to a website or online application;
Advertising to a consumer in response to the consumer's request for information or feedback; or
Processing personal data solely for measuring or reporting advertising performance, reach, or frequency.
"Profiling" means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
"Decisions that produce legal or similarly significant effects
concerning the consumer" means decisions made by the controller that result in the
provision or denial by the controller of financial or lending services, housing,
insurance, education enrollment or opportunity, criminal justice, employment
opportunities, healthcare services, or access to essential goods or services.
"Consent" means any freely given, specific, informed, and
unambiguous indication of the consumer's wishes by which the consumer signifies
agreement to the processing of personal data relating to the consumer but does not
include acceptance of a general or broad terms of use or similar document that
contains descriptions of personal data processing along with other, unrelated
information, or hovering over, muting, pausing, or closing a given piece of content.
A consent is not valid when the consumer's indication has been obtained by a dark
pattern. A consumer may revoke consent previously given, consistent with the
MCDPA.
"Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.
"Delete" means to remove or destroy information so it is not maintained in human- or machine-readable form and cannot be retrieved or utilized in the ordinary course of business.
"Authenticate" means to use reasonable means to determine that a request to exercise any of the rights under Minn. Stat. § 325M.14, subdivision 1, paragraphs (b) to (h), is being made by or rightfully on behalf of the consumer who is entitled to exercise the rights with respect to the personal data at issue.
"Pseudonymous data" means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
MCDPA Consumer Rights
A consumer has the following rights.
Right of access. A consumer has the right to confirm whether or not a controller is processing personal data concerning the consumer and access the categories of personal data the controller is processing.
Right to correction. A consumer has the right to correct inaccurate personal data concerning the consumer, taking into account the nature of the personal data and the purposes of the processing of the personal data.
Right to deletion. A consumer has the
right to delete personal data concerning the consumer.
Right to data portability. A consumer has the right to obtain personal data concerning the consumer, which the consumer previously provided to the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
Right to opt out. A consumer has the right
to opt out of the processing of personal data concerning the consumer for the
purposes of the following.
Targeted advertising;
The sale of personal data; or
Profiling in furtherance of automated decisions that
produce legal effects concerning the consumer or similarly significant
effects concerning a consumer.
If a consumer's personal data is profiled in furtherance of decisions that
produce legal effects concerning a consumer or similarly significant effects
concerning a consumer, the consumer has the right to the following.
Question the result of the profiling,
Be informed of the reason that the profiling resulted in the decision, and
If feasible, be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future.
The consumer also has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based on inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data.
In addition, a consumer has a right to obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data. If the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers' personal data may be provided instead.
A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale.
The platform, technology, or mechanism must do the following.
Not unfairly disadvantage another controller;
Not make use of a default setting, but require the consumer to make an affirmative, freely given, and unambiguous choice to opt out of the processing of the consumer's personal data;
Be consumer-friendly and easy to use by the average consumer;
Be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or state law or regulation; and
Enable the controller to accurately determine whether the consumer is a Minnesota resident and whether the consumer has made a legitimate request to opt out of any sale of the consumer's personal data or targeted advertising.
For purposes of the foregoing, the use of an internet protocol address to
estimate the consumer's location is sufficient to determine the consumer's
residence.
If a consumer's opt-out request is exercised through the platform, technology, or mechanism required above, and the request conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller must comply with the consumer's opt-out preference signal but may also notify the consumer of the conflict and provide the consumer a choice to confirm the controller-specific privacy setting or participation in the controller's program.
The platform, technology, or mechanism required above is subject to the requirements of Minn. Stat. § 325M.14, subdivision 4.
A controller that recognizes opt-out preference signals that have been approved by other state laws or regulations is in compliance with Minn. Stat. § 325M.14, subdivision 3.
MCDPA Notice Requirements
A controller must provide a consumer with a reasonably accessible,
clear, and meaningful privacy notice that includes the following.
The categories of the personal data processed by the controller;
The purposes for which the categories of personal data are processed;
An explanation of the rights contained in Minn. Stat. § 325M.14 and how and where consumers may exercise those rights, including how a consumer may appeal a controller's action with regard to the consumer's request;
The categories of personal data that the controller sells to or shares with third parties, if any;
The categories of third parties, if any, with whom the controller sells or shares personal data;
The controller's contact information, including an active email address or other online mechanism that the consumer may use to contact the controller;
A description of the controller's retention policies for personal data; and
The date the privacy notice was last updated.
If a controller sells personal data to third parties, processes
personal data for targeted advertising, or engages in profiling in furtherance of
decisions that produce legal effects concerning a consumer or similarly significant
effects concerning a consumer, the controller must disclose the processing in the
privacy notice and provide access to a clear and conspicuous method outside the
privacy notice for a consumer to opt out of the sale, processing, or profiling in
furtherance of decisions that produce legal effects concerning a consumer or
similarly significant effects concerning a consumer. This method may include, but is
not limited to, an internet hyperlink clearly labeled "Your Opt-Out Rights" or "Your
Privacy Rights" that directly effectuates the opt-out request or takes consumers to
a web page where the consumer can make the opt-out request.
The privacy notice must be made available to the public in each language in which the controller provides a product or service that is subject to the privacy notice or carries out activities related to the product or service.
The controller must provide the privacy notice in a manner that is
reasonably accessible to and usable by individuals with disabilities.
Whenever a controller makes a material change to the controller's
privacy notice or practices, the controller must notify consumers affected by the
material change with respect to any prospectively collected personal data and
provide a reasonable opportunity for consumers to withdraw consent to any further
materially different collection, processing, or transfer of previously collected
personal data under the changed policy. The controller must take all reasonable
electronic measures to provide notification regarding material changes to affected
consumers, taking into account available technology and the nature of the
relationship.
A controller is not required to provide a separate
Minnesota-specific privacy notice or section of a privacy notice if the controller's
general privacy notice contains all of the information required by Minn. Stat. §
325M.16.
The privacy notice must be posted online through a conspicuous
hyperlink using the word "privacy" on the controller's website home page or on a
mobile application's app store page or download page. A controller that maintains an
application on a mobile or other device must also include a hyperlink to the privacy
notice in the application's settings menu or in a similarly conspicuous and
accessible location. A controller that does not operate a website must make the
privacy notice conspicuously available to consumers through a medium regularly used
by the controller to interact with consumers, including but not limited to mail.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
The Minnesota Consumer Data Privacy Act (MCDPA) will take effect on July 31, 2025, except that postsecondary institutions regulated by the Minnesota Office of Higher Education are not required to comply until July 31, 2029. The Minnesota attorney general enforces the MCDPA. This article discusses the MCDPA's application, definitions, consumer rights, and notices.
MCDPA Application and Definitions
The MCDPA applies to legal entities that conduct business in Minnesota or produce products or services that are targeted to Minnesota residents and that satisfy any of the following thresholds.
A controller or processor acting as a technology provider under Minn. Stat. § 13.32 must comply with Minn. Stat. § 13.32 and the MCDPA, except that when the provisions of Minn. Stat. § 13.32 conflict with the MCDPA, Minn. Stat. § 13.32 prevails.
In addition, the MCDPA applies to a small business, as defined by the US Small Business Administration under Code of Federal Regulations, title 13, part 121, that conducts business in Minnesota or produces products or services that are targeted to Minnesota residents as follows. Such a small business must not sell a consumer's sensitive data without the consumer's prior consent, and penalties and Minnesota attorney general enforcement procedures under Minn. Stat. § 325M.20 apply to a small business. The MCDPA supersedes and preempts laws, ordinances, regulations, or the equivalent adopted by any local government regarding the processing of personal data by controllers or processors.
"Consumer" means a natural person who is a Minnesota resident acting only in an individual or household context, excluding a natural person acting in a commercial or employment context.
"Controller" means the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.
"Process" or "processing" means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means, including without limitation, the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
"Processor" means a natural or legal person who processes personal data on behalf of a controller.
"Personal data" means any information that is linked or reasonably linkable to an identified or identifiable natural person and does not include de-identified data or publicly available information.
"Identified or identifiable natural person" means a person who can be readily identified, directly or indirectly.
"De-identified data" means data that cannot reasonably be used to infer information about or otherwise be linked to an identified or identifiable natural person or a device linked to an identified or identifiable natural person, provided that the controller that possesses the data does the following.
"Publicly available information" means information that is lawfully made available from federal, state, or local government records or widely distributed media, or information that a controller has a reasonable basis to believe has lawfully been made available to the general public.
"Sensitive data" is a form of personal data and means the following.
"Biometric data" means data generated by automatic measurements of an individual's biological characteristics, including a fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual and does not include the following.
"Genetic information" has the meaning given in Minn. Stat. § 13.386, subdivision 1.
"Known child" means a person under circumstances where a controller has actual knowledge of, or willfully disregards, that the person is under 13 years of age.
"Specific geolocation data" means information derived from technology, including without limitation, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the geographic coordinates of a consumer or a device linked to a consumer with an accuracy of more than three decimal degrees of latitude and longitude or the equivalent in an alternative geographic coordinate system, or a street address derived from the coordinates and does not include the content of communications, the contents of databases containing street address information which are accessible to the public as authorized by law, or any data generated by or connected to advanced utility metering infrastructure systems or other equipment for use by a public utility.
"Sale" means the exchange of personal data for monetary or other valuable consideration by the controller to a third party and does not include the disclosure of the following.
"Sale" also does not include the exchange of personal data between the producer of a good or service and authorized agents of the producer who sell and service the goods and services, to enable the cooperative provisioning of goods and services by both the producer and the producer's agents.
"Third party" means a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller.
"Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity, and for the purposes of this definition, "control" or "controlled" means the following.
"Targeted advertising" means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests and does not include the following.
"Profiling" means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
"Decisions that produce legal or similarly significant effects concerning the consumer" means decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, healthcare services, or access to essential goods or services.
"Consent" means any freely given, specific, informed, and unambiguous indication of the consumer's wishes by which the consumer signifies agreement to the processing of personal data relating to the consumer but does not include acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information, or hovering over, muting, pausing, or closing a given piece of content. A consent is not valid when the consumer's indication has been obtained by a dark pattern. A consumer may revoke consent previously given, consistent with the MCDPA.
"Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.
"Delete" means to remove or destroy information so it is not maintained in human- or machine-readable form and cannot be retrieved or utilized in the ordinary course of business.
"Authenticate" means to use reasonable means to determine that a request to exercise any of the rights under Minn. Stat. § 325M.14, subdivision 1, paragraphs (b) to (h), is being made by or rightfully on behalf of the consumer who is entitled to exercise the rights with respect to the personal data at issue.
"Pseudonymous data" means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
MCDPA Consumer Rights
A consumer has the following rights.
If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to the following.
The consumer also has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based on inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data.
In addition, a consumer has a right to obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data. If the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers' personal data may be provided instead.
A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale.
The platform, technology, or mechanism must do the following.
For purposes of the foregoing, the use of an internet protocol address to estimate the consumer's location is sufficient to determine the consumer's residence.
If a consumer's opt-out request is exercised through the platform, technology, or mechanism required above, and the request conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller must comply with the consumer's opt-out preference signal but may also notify the consumer of the conflict and provide the consumer a choice to confirm the controller-specific privacy setting or participation in the controller's program.
The platform, technology, or mechanism required above is subject to the requirements of Minn. Stat. § 325M.14, subdivision 4.
A controller that recognizes opt-out preference signals that have been approved by other state laws or regulations is in compliance with Minn. Stat. § 325M.14, subdivision 3.
MCDPA Notice Requirements
A controller must provide a consumer with a reasonably accessible, clear, and meaningful privacy notice that includes the following.
If a controller sells personal data to third parties, processes personal data for targeted advertising, or engages in profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the controller must disclose the processing in the privacy notice and provide access to a clear and conspicuous method outside the privacy notice for a consumer to opt out of the sale, processing, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer. This method may include, but is not limited to, an internet hyperlink clearly labeled "Your Opt-Out Rights" or "Your Privacy Rights" that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request.
The privacy notice must be made available to the public in each language in which the controller provides a product or service that is subject to the privacy notice or carries out activities related to the product or service.
The controller must provide the privacy notice in a manner that is reasonably accessible to and usable by individuals with disabilities.
Whenever a controller makes a material change to the controller's privacy notice or practices, the controller must notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the changed policy. The controller must take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship.
A controller is not required to provide a separate Minnesota-specific privacy notice or section of a privacy notice if the controller's general privacy notice contains all of the information required by Minn. Stat. § 325M.16.
The privacy notice must be posted online through a conspicuous hyperlink using the word "privacy" on the controller's website home page or on a mobile application's app store page or download page. A controller that maintains an application on a mobile or other device must also include a hyperlink to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website must make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including but not limited to mail.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.