Key definitions in MNCDPA
In a sea of data privacy laws, MNCDPA defines several key terms to establish clear guidelines for data privacy, as outlined in Section 3 [325O.02] of the Act.
- Consumer: A natural person who is a Minnesota resident acting in an individual or household context. This excludes individuals acting in a commercial or employment context.
- Personal Data: Information linked or reasonably linkable to an identified or identifiable individual, excluding de-identified or publicly available data.
- Sensitive Data: A subset of personal data including racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data for identification, data of known children (under 13), and precise geolocation data.
- Controller: An entity that determines the purposes and means of processing personal data.
- Processor: An entity that processes personal data on behalf of a controller.
- Sale of Personal Data: The exchange of personal data for monetary or other valuable consideration to a third party, with exceptions such as disclosures to processors, affiliates, or as part of mergers.
- Targeted Advertising: Displaying ads to a consumer based on personal data obtained from their activities across nonaffiliated websites or applications to predict preferences or interests. This excludes ads based on activities within a controller's own sites or in response to a consumer's request for information.
- Consent: A freely given, specific, informed, and unambiguous indication of the consumer's agreement to process their personal data. Consent does not include acceptance of broad terms of use, or actions obtained through dark patterns.
Who must comply with MNCDPA?
The Minnesota Consumer Data Privacy Act applies to entities that:
- Conduct business in Minnesota or target Minnesota residents with products or services; and
- Meet one of the following thresholds during a calendar year:
  - Control or process personal data of at least 100,000 consumers, excluding data processed solely for payment transactions; or
  - Derive over 25% of gross revenue from the sale of personal data and control or process data of at least 25,000 consumers.
"Consumer" means a natural person who is a Minnesota resident acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.
- Section 3 [325O.02] of the MNCDPA
MNCDPA exemptions
Notably, the MNCDPA exempts small businesses as defined by the U.S. Small Business Administration, except regarding the sale of sensitive data, which requires prior consent.
Additionally, the Act does not apply to certain entities and data types, including:
- State or federally chartered banks or credit unions and their affiliates or subsidiaries;
- Data subject to federal regulations like the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA).
These provisions ensure that while the MNCDPA enhances consumer data protections, it also considers the operational capacities of smaller enterprises and existing federal regulations.
These exemptions ensure that federally regulated data and certain industries are not subject to overlapping compliance requirements.
Key provisions of MNCDPA
The Minnesota Consumer Data Privacy Act introduces several key provisions to protect consumer data:
- Consumer rights: Minnesota residents can access, correct, delete, and obtain copies of their personal data. They can also opt out of data sales, targeted advertising, and profiling.
- Business obligations: Businesses must provide clear privacy notices, limit data collection to necessary purposes, and obtain consent for processing sensitive data.
- Data protection assessments: Controllers are required to conduct assessments for processing activities that present a heightened risk to consumers, such as targeted advertising and profiling.
- Enforcement: The Minnesota Attorney General enforces the Act, with violations subject to civil penalties.
These provisions aim to enhance consumer privacy and establish clear responsibilities for businesses handling personal data.
"After working on this bill for five years, I’m confident that this is some of the strongest legislation to protect consumer data in the nation."
- State Representative Steve Elkins
Is MNCDPA opt-in or opt-out?
The Minnesota Consumer Data Privacy Act (MNCDPA) incorporates both opt-in and opt-out mechanisms:
- Opt-Out: Consumers have the right to opt out of the processing of their personal data for purposes such as targeted advertising, the sale of personal data, or profiling that leads to automated decisions affecting them legally.
- Opt-In: Processing sensitive data, including information on racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data, data of known children (under 13), and precise geolocation data, requires obtaining the consumer's explicit consent before processing.
The price of non-compliance
MNCDPA fines
The Minnesota data privacy law is enforced by the Minnesota Attorney General. Violations of the MNCDPA can result in civil penalties of up to $7,500 per violation.
Additionally, the Attorney General may seek injunctive relief to prevent ongoing or future violations. Notably, businesses have a 30-day cure period to address alleged violations; this cure provision expires on January 31, 2026.
The impact of MNCDPA on businesses
The Minnesota privacy law requires businesses handling Minnesota residents' data to provide consumer rights such as access, correction, deletion, and opt-outs for data sales and targeted ads. Businesses must ensure privacy transparency, data security, and conduct risk assessments for sensitive processing. Compliance includes clear privacy notices, data minimization, and reasonable security measures.
What are the MNCDPA requirements for businesses?
The MNCDPA imposes several obligations on businesses handling consumer data:
- Data protection assessments: Businesses must conduct regular assessments of their data processing activities to evaluate and mitigate risks associated with personal data handling.
- Privacy policy requirements: Companies are required to publish clear and concise privacy policies, detailing their data collection practices, purposes, and consumer rights.
- Data minimization and retention: The Act mandates that businesses limit data collection to what is necessary for providing goods or services and retain data only as long as needed for those purposes.
- Consumer rights facilitation: Businesses must establish mechanisms to enable consumers to exercise their rights, including accessing, correcting, deleting, and obtaining copies of their personal data.
- Consent for sensitive data: Processing sensitive data requires obtaining explicit consumer consent, ensuring that individuals are fully informed about how their sensitive information will be used.
The impact of MNCDPA on consumers
The Minnesota data privacy law significantly enhances consumer data rights. Minnesota residents gain the ability to access, correct, delete, and obtain copies of their personal data. They can also opt out of data sales, targeted advertising, and profiling decisions that produce legal or similarly significant effects.
Notably, the MNCDPA provides consumers with the right to obtain a list of specific third parties to whom their personal data has been disclosed.
Additionally, consumers have the right to question and understand profiling decisions, including the rationale behind them and actions they can take to achieve different outcomes in the future.
These provisions empower individuals with greater control and transparency over their personal information.
How MNCDPA compares to other U.S. data privacy laws
MNCDPA shares similarities with data privacy laws in states like California (CCPA), Virginia (VCDPA), and Oregon (OCPA), granting consumers rights to access, correct, delete, and opt out of data sales and targeted ads.
MNCDPA vs other state privacy laws
| State | Scope | Effective Date | Key Features | Penalties for Non-Compliance |
| --- | --- | --- | --- | --- |
| Minnesota (MNCDPA) | Minnesota residents | July 31, 2025 | Opt-out for data sales and targeted ads; opt-in for sensitive and biometric data; parental consent under 13; universal opt-out mechanism; data protection assessments for high-risk processing | Up to $7,500 per violation |
| California (CCPA/CPRA) | California residents | January 1, 2023 | Right to access, delete, opt-out; data protection assessments; enforcement includes private right of action | Up to $7,500 per violation |
| Utah (UCPA) | Utah residents | December 31, 2023 | Limited consumer rights; opt-out of certain data processing; applies to businesses with $25M+ revenue and data thresholds | Up to $7,500 per violation |
| Colorado (CPA) | Colorado residents | July 1, 2023 | Opt-out for targeted advertising; sensitive data consent; data protection assessments | Up to $20,000 per violation |
| Virginia (VCDPA) | Virginia residents | January 1, 2023 | Opt-out rights, data protection assessments, strong consumer rights | Up to $7,500 per violation |
| Texas (TDPSA) | Texas residents | July 1, 2024 | Consumer rights, data protection, opt-out of data sales | Up to $7,500 per violation |
| Oregon (OCPA) | Oregon residents | July 1, 2024 | Strong consumer rights, opt-out options, data minimization | Up to $7,500 per violation |
| Connecticut (CTDPA) | Connecticut residents | July 1, 2023 | Opt-out for targeted ads and data sales; requires data protection assessments; expanded consumer rights | Up to $5,000 per violation |
| Iowa (ICDPA) | Iowa residents | January 1, 2025 | Data protection, opt-out of data sharing | Up to $7,500 per violation |
| Montana (MCDPA) | Montana residents | October 1, 2024 | Consumer rights, opt-out options, sensitive data consent | Up to $7,500 per violation |
| New Jersey (NJDPA) | New Jersey residents | January 15, 2025 | Right to access, correct, delete data; opt-out of targeted advertising | Up to $10,000 per violation |
What makes MNCDPA stand out?
The MNCDPA aligns with the general framework of other US state data privacy laws but introduces notable distinctions:
- Profiling transparency: MNCDPA grants consumers enhanced rights concerning profiling decisions that produce legal or similarly significant effects. Consumers can question profiling outcomes, access the data used, and, if inaccuracies are found, have the data corrected and decisions reevaluated.
- Data inventory requirement: Unlike many state laws, MNCDPA mandates that controllers maintain a detailed data inventory as part of their security practices, ensuring comprehensive oversight of personal data processing activities.
- Small business exemption: MNCDPA exempts small businesses, as defined by the U.S. Small Business Administration, from certain obligations. However, these entities are prohibited from selling sensitive data without prior consent, ensuring consumer protection while considering business capacities.
How to ensure MNCDPA compliance
If you’ve read this far, you know that building a privacy-compliant business is important, but also far from easy. Here are some key steps every business should take to ensure they don’t fall foul of regulators:
What is MNCDPA compliance?
MNCDPA compliance means businesses follow the Minnesota Consumer Data Privacy Act by honoring consumer rights (access, correction, deletion, and opt-outs), maintaining privacy notices, securing personal data, conducting risk assessments, and ensuring profiling transparency. The Minnesota Attorney General enforces violations, with fines up to $7,500 per violation.
How to comply with the Minnesota Consumer Data Privacy Act
To meet the MNCDPA compliance requirements, businesses should:
- Determine applicability: Identify if MNCDPA applies based on data processing thresholds.
- Honor consumer rights: Enable access, correction, deletion, and opt-outs for data sales, ads, and profiling.
- Enhance data security: Maintain safeguards and a data inventory.
- Conduct risk assessments: Evaluate high-risk processing like profiling and sensitive data use.
- Update processor contracts: Ensure compliance terms with third-party data processors.
- Prepare for enforcement: The Minnesota Attorney General enforces violations, with fines up to $7,500 per violation and a 30-day cure period until January 31, 2026.
How Ketch can simplify MNCDPA compliance
With the Ketch Data Permissioning Platform, you can simplify MNCDPA compliance by automating key privacy requirements, including:
- Consumer rights management – Streamlines data access, deletion, and opt-out requests through a centralized platform.
- Universal opt-out handling – Supports automated opt-out mechanisms for targeted ads and data sales.
- Data protection assessments – Automates risk assessments for high-risk processing like profiling and sensitive data handling.
- Consent management – Ensures opt-in compliance for sensitive data through automated consent collection and tracking.
- Policy enforcement – Helps businesses maintain real-time privacy notices and compliance monitoring.
By integrating Ketch, businesses can ensure seamless and scalable MNCDPA compliance while reducing operational burdens.
When you automate these processes, you enable your internal stakeholders:
- Your developers and marketers can do their jobs without fretting about regulations
- Your legal team can set guidelines for notice and consent, secure in the knowledge that any changes they make will ripple through your whole data ecosystem (including vendors or third-party companies using your data!)
Final thoughts: Preparing your business for MNCDPA
MNCDPA compliance requires businesses to adopt a proactive approach to data privacy by implementing robust data management practices, ensuring transparency, and staying informed about evolving regulatory requirements.
Contact Ketch today to streamline your compliance and future-proof your privacy strategy.