🔁  Growing tired of OneTrust? Migrate seamlessly with Ketch Switch.
Regulations
MNCDPA

Minnesota Consumer Data Privacy Act (MNCDPA)

Matt George
Data Protection Officer
Last updated
July 1, 2025

The Minnesota Consumer Data Privacy Act (MNCDPA) is a significant advancement in data privacy, designed to protect the personal information of Minnesota residents. Signed on May 19, 2024 by Minnesota Governor Tim Walz, MNCDPA makes Minnesota the 18th state to enact a comprehensive privacy law, setting clear guidelines for businesses handling consumer data. The MNCDPA effective date is July 31, 2025.

Try Ketch for Free
Request Regulatory Guidance
https://ketch.wistia.com/medias/3rpa64kvob

What is the Minnesota Consumer Data Privacy Act (MNCDPA)?

Why was MNCDPA passed?

What makes MNCDPA unique?

The Minnesota Consumer Data Privacy Act (MNCDPA) is unique as it grants consumers the right to request a list of third parties their data is shared with, following Oregon's model. This excludes service providers but applies to entities receiving data for sales or sharing. Businesses must map data-sharing practices to ensure compliance and transparency.

Example H2
Need an easy-to-use consent management solution?
Book a 30 min Demo

Key definitions in MNCDPA

In a sea of data privacy laws, MNCDPA defines several key terms to establish clear guidelines for data privacy, as outlined in Section 3 [325O.02] of the Act.

  • Consumer: A natural person who is a Minnesota resident acting in an individual or household context. This excludes individuals acting in a commercial or employment context.
  • Personal Data: Information linked or reasonably linkable to an identified or identifiable individual, excluding de-identified or publicly available data.
  • Sensitive Data: A subset of personal data including racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data for identification, data of known children (under 13), and precise geolocation data.
  • Controller: An entity that determines the purposes and means of processing personal data.
  • Processor: An entity that processes personal data on behalf of a controller.
  • Sale of Personal Data: The exchange of personal data for monetary or other valuable consideration to a third party, with exceptions such as disclosures to processors, affiliates, or as part of mergers.
  • Targeted Advertising: Displaying ads to a consumer based on personal data obtained from their activities across nonaffiliated websites or applications to predict preferences or interests. This excludes ads based on activities within a controller's own sites or in response to a consumer's request for information.
  • Consent: A freely given, specific, informed, and unambiguous indication of the consumer's agreement to process their personal data. Consent does not include acceptance of broad terms of use, or actions obtained through dark patterns. 

Who must comply with MNCDPA?

The Minnesota Consumer Data Privacy Act applies to entities that:

  1. Conduct business in Minnesota or target Minnesota residents with products or services; and
  2. Meet one of the following thresholds during a calendar year:
    • Control or process personal data of at least 100,000 consumers, excluding data processed solely for payment transactions; or
    • Derive over 25% of gross revenue from the sale of personal data and control or process data of at least 25,000 consumers.
"Consumer" means a natural person who is a Minnesota resident acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.

- Section 3 [325O.02] of the MNCDPA

MNCDPA exemptions

Notably, the MNCDPA exempts small businesses as defined by the U.S. Small Business Administration, except regarding the sale of sensitive data, which requires prior consent. 

Additionally, the Act does not apply to certain entities and data types, including:

  • State or federally chartered banks or credit unions and their affiliates or subsidiaries;
  • Data subject to federal regulations like the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA). 

These provisions ensure that while the MNCDPA enhances consumer data protections, it also considers the operational capacities of smaller enterprises and existing federal regulations.

These exemptions ensure that federally regulated data and certain industries are not subject to overlapping compliance requirements.

Key provisions of MNCDPA

The Minnesota Consumer Data Privacy Act introduces several key provisions to protect consumer data:

  1. Consumer rights: Minnesota residents can access, correct, delete, and obtain copies of their personal data. They can also opt out of data sales, targeted advertising, and profiling.
  2. Business obligations: Businesses must provide clear privacy notices, limit data collection to necessary purposes, and obtain consent for processing sensitive data.
  3. Data protection assessments: Controllers are required to conduct assessments for processing activities that present a heightened risk to consumers, such as targeted advertising and profiling.
  4. Enforcement: The Minnesota Attorney General enforces the Act, with violations subject to civil penalties.

These provisions aim to enhance consumer privacy and establish clear responsibilities for businesses handling personal data.

"After working on this bill for five years, I’m confident that this is some of the strongest legislation to protect consumer data in the nation."

- State Representative Steve Elkins

Is MNCDPA opt-in or opt-out?

The Minnesota Consumer Data Privacy Act (MCDPA) incorporates both opt-in and opt-out mechanisms:

  • Opt-Out: Consumers have the right to opt out of the processing of their personal data for purposes such as targeted advertising, the sale of personal data, or profiling that leads to automated decisions affecting them legally. 
  • Opt-In: Processing sensitive data, including information on racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data, data of known children (under 13), and precise geolocation data, requires obtaining the consumer's explicit consent before processing. 

The price of non-compliance

MNCDPA fines

The Minnesota data privacy law is enforced by the  Minnesota Attorney General. Violations of the MCDPA can result in civil penalties of up to $7,500 per violation. 

Additionally, the Attorney General may seek injunctive relief to prevent ongoing or future violations. Notably, there is a 30-day cure period for businesses to address alleged violations, which expires on January 31, 2026.

The impact of MNCDPA on businesses

The Minnesota privacy law requires businesses handling Minnesota residents' data to provide consumer rights such as access, correction, deletion, and opt-outs for data sales and targeted ads. Businesses must ensure privacy transparency, data security, and conduct risk assessments for sensitive processing. Compliance includes clear privacy notices, data minimization, and reasonable security measures. 

What are the MNCDPA requirements for businesses?

The MCDPA imposes several obligations on businesses handling consumer data:

  1. Data protection assessments: Businesses must conduct regular assessments of their data processing activities to evaluate and mitigate risks associated with personal data handling.
  2. Privacy policy requirements: Companies are required to publish clear and concise privacy policies, detailing their data collection practices, purposes, and consumer rights.
  3. Data minimization and retention: The Act mandates that businesses limit data collection to what is necessary for providing goods or services and retain data only as long as needed for those purposes.
  4. Consumer rights facilitation: Businesses must establish mechanisms to enable consumers to exercise their rights, including accessing, correcting, deleting, and obtaining copies of their personal data.
  5. Consent for sensitive data: Processing sensitive data requires obtaining explicit consumer consent, ensuring that individuals are fully informed about how their sensitive information will be used.


The impact of MNCDPA on consumers

The Minnesota data privacy law significantly enhances consumer data rights. Minnesota residents gain the ability to access, correct, delete, and obtain copies of their personal data. They can also opt out of data sales, targeted advertising, and profiling decisions that produce legal or similarly significant effects. 

Notably, the MCDPA provides consumers with the right to obtain a list of specific third parties to whom their personal data has been disclosed. 

Additionally, consumers have the right to question and understand profiling decisions, including the rationale behind them and actions they can take to achieve different outcomes in the future. 

These provisions empower individuals with greater control and transparency over their personal information.

How MNCDPA compares to other U.S. data privacy laws

MNCDPA shares similarities with data privacy laws in states like California (CCPA), Virginia (VCDPA), and Oregon (OCPA), granting consumers rights to access, correct, delete, and opt out of data sales and targeted ads. 

MNCDPA vs other state privacy laws

State Scope Effective Date Key Features Penalties for Non-Compliance
Minnesota (MNCDPA) Minnesota residents July 31, 2025 Opt-out for data sales and targeted ads; opt-in for sensitive and biometric data; parental consent under 13; universal opt-out mechanism; data protection assessments for high-risk processing Up to $7,500 per violation
California (CCPA/CPRA) California residents January 1, 2023 Right to access, delete, opt-out; data protection assessments; enforcement includes private right of action Up to $7,500 per violation
Utah (UCPA) Utah residents December 31, 2023 Limited consumer rights; opt-out of certain data processing; applies to businesses with $25M+ revenue and data thresholds Up to $7,500 per violation
Colorado (CPA) Colorado residents July 1, 2023 Opt-out for targeted advertising; sensitive data consent; data protection assessments Up to $20,000 per violation
Virginia (VCDPA) Virginia residents January 1, 2023 Opt-out rights, data protection assessments, strong consumer rights Up to $7,500 per violation
Texas (TDPSA) Texas residents July 1, 2024 Consumer rights, data protection, opt-out of data sales Up to $7,500 per violation
Oregon (OCPA) Oregon residents July 1, 2024 Strong consumer rights, opt-out options, data minimization Up to $7,500 per violation
Connecticut (CTDPA) Connecticut residents July 1, 2023 Opt-out for targeted ads and data sales; requires data protection assessments; expanded consumer rights Up to $5,000 per violation
Iowa (ICDPA) Iowa residents January 1, 2025 Data protection, opt-out of data sharing Up to $7,500 per violation
Montana (MCDPA) Montana residents October 1, 2024 Consumer rights, opt-out options, sensitive data consent Up to $7,500 per violation
New Jersey (NJDPA) New Jersey residents January 15, 2025 Right to access, correct, delete data; opt-out of targeted advertising Up to $10,000 per violation

What makes MNCDPA stand out?

The MCDPA aligns with the general framework of other US state data privacy laws but introduces notable distinctions:

  1. Profiling transparency: MCDPA grants consumers enhanced rights concerning profiling decisions that produce legal or similarly significant effects. Consumers can question profiling outcomes, access the data used, and, if inaccuracies are found, have the data corrected and decisions reevaluated.

  2. Data inventory requirement: Unlike many state laws, MCDPA mandates that controllers maintain a detailed data inventory as part of their security practices, ensuring comprehensive oversight of personal data processing activities.

  3. Small business exemption: MCDPA exempts small businesses, as defined by the U.S. Small Business Administration, from certain obligations. However, these entities are prohibited from selling sensitive data without prior consent, ensuring consumer protection while considering business capacities.

How to ensure MNCDPA compliance

If you’ve read this far, you know that building a privacy-compliant business is important, but also far from easy. Here are some key steps every business should take to ensure they don’t fall foul of regulators:

What is MNCDPA compliance

MNCDPA compliance means businesses follow the Minnesota Consumer Data Privacy Act by honoring consumer rights (access, correction, deletion, and opt-outs), maintaining privacy notices, securing personal data, conducting risk assessments, and ensuring profiling transparency. The Minnesota Attorney General enforces violations, with fines up to $7,500 per violation.

How to comply with the Minnesota Consumer Data Privacy Act

To meet the MNCDPA compliance requirements, businesses should:

  1. Determine applicability: Identify if MNCDPA applies based on data processing thresholds.
  2. Honor consumer rights: Enable access, correction, deletion, and opt-outs for data sales, ads, and profiling.
  3. Enhance data security: Maintain safeguards and a data inventory.
  4. Conduct risk assessments: Evaluate high-risk processing like profiling and sensitive data use.
  5. Update processor contracts: Ensure compliance terms with third-party data processors.
  6. Prepare for enforcement: The Minnesota Attorney General enforces violations, with fines up to $7,500 per violation and a 30-day cure period until January 31, 2026.

How Ketch can simplify MNCDPA compliance

With the Ketch Data Permissioning Platform, you can simplify MNCDPA compliance by automating key privacy requirements, including:

  1. Consumer rights management – Streamlines data access, deletion, and opt-out requests through a centralized platform.
  2. Universal opt-out handling – Supports automated opt-out mechanisms for targeted ads and data sales.
  3. Data protection assessments – Automates risk assessments for high-risk processing like profiling and sensitive data handling.
  4. Consent management – Ensures opt-in compliance for sensitive data through automated consent collection and tracking.
  5. Policy enforcement – Helps businesses maintain real-time privacy notices and compliance monitoring.

By integrating Ketch, businesses can ensure seamless and scalable MNCDPA compliance while reducing operational burdens.

When you automate these processes, you enable your internal stakeholders: 

  • Your developers and marketers can do their jobs without fretting about regulations
  • Your legal team can set guidelines for notice and consent, secure in the knowledge that any changes they make will ripple through your whole data ecosystem (including vendors or third-party companies using your data!)

Final thoughts: Preparing your business for MNCDPA

MNCDPA compliance requires businesses to adopt a proactive approach to data privacy by implementing robust data management practices, ensuring transparency, and staying informed about evolving regulatory requirements.

Contact Ketch today to streamline your compliance and future-proof your privacy strategy. 

Read further: 2025 U.S. State Privacy Laws: what you need to know

FAQs about the Minnesota privacy regulation

This a sample accordion element needed for script above to work

Ketch supports compliance with major privacy laws, including GDPR, CCPA, CPRA, and various emerging US state laws, ensuring businesses meet global and local data privacy requirements.
  1. Does MNCDPA apply to small businesses?
    The Minnesota Consumer Data Privacy Act (MNCDPA) does not apply to most small businesses. It includes a small business exemption, meaning businesses that meet the U.S. Small Business Administration’s (SBA) definition of a small business are generally not required to comply. However, small businesses cannot sell sensitive data without obtaining prior consumer consent. Businesses that process data of 100,000+ consumers or derive 25%+ of gross revenue from data sales while processing at least 25,000 consumers’ data must comply, regardless of size.
  2. Does MNCDPA apply to nonprofit organizations?
    No, MNCDPA exempts nonprofits, including those that process consumer data for charitable, educational, or religious purposes.
  3. Are there special rules for data related to children?
    Yes, businesses cannot process personal data of children under 13 without verifiable parental consent, aligning with COPPA (Children’s Online Privacy Protection Act).
  4. Does MNCDPA require a data protection officer (DPO)?
    No, unlike GDPR, MNCDPA does not mandate businesses to appoint a DPO, but companies must conduct data protection assessments for high-risk processing.
  5. What are the differences between MNCDPA and GDPR?
    The MNCDPA applies to businesses in Minnesota, while GDPR has a global reach. MNCDPA allows opt-out for most data but requires opt-in for sensitive data, whereas GDPR mandates a legal basis for all processing. GDPR has stricter fines and broader consumer rights. Both require data processing agreements, but GDPR enforces stricter global compliance.
  6. How does MNCDPA handle biometric data?
    Biometric data is classified as sensitive data and requires explicit opt-in consent before processing.
  7. Can businesses deny a consumer request under MNCDPA?
    Yes, businesses may deny requests if they cannot verify a consumer’s identity or if an exemption applies. They must provide a clear explanation for the denial.
  8. How long do businesses have to respond to consumer data requests?
    Businesses must respond within 45 days, with a possible 45-day extension if necessary.
  9. Does MNCDPA require a privacy policy?
    Yes, businesses must provide a clear and accessible privacy notice, detailing data collection, usage, and consumer rights.
  10. Does MNCDPA require businesses to recognize global privacy signals?
    The MNCDPA requires businesses to honor universal opt-out mechanisms (UOOMs), such as the Global Privacy Control (GPC). This means consumers can signal their preference to opt out of data sales and targeted advertising through browser settings or similar technologies, and businesses are obligated to comply with these signals.
Matt George
Data Protection Officer
Matt George is the Data Protection Officer at Ketch. A seasoned privacy attorney with a strong IT and data management background, he is also CIPP/US and CIPP/A certified from IAPP.
Automate your privacy compliance with Ketch
Risk of regulatory action or fine is no longer an unlikely, empty threat—regulators across Europe and now the United States are charging brands with irresponsible handing of consumer data.
Your knowledge of the regulations and requirements for your business may be the difference maker in ensuring your brand reputation stays intact. Ketch can help.
Try Ketch for Free
Book a Demo