Legal Alert
Preparing Your Company for the Minnesota Consumer Data Privacy Act (MCDPA)
May 30, 2025
The Minnesota Consumer Data Privacy Act (MCDPA or Act) is set to take effect on July 31, 2025, introducing significant new data privacy obligations for many businesses and enhanced rights for Minnesota residents (referred to as “consumers”).
I. Understanding the MCDPA: Key Takeaways
Broad Applicability: The MCDPA applies to entities conducting business in Minnesota or targeting products/services to Minnesota consumers if they meet one of these thresholds annually:
- Control or process the personal data of 100,000 or more Minnesota consumers; or
- Derive over 25% of gross revenue from the sale of personal data and process or control the personal data of 25,000 or more Minnesota consumers.
Important Exemptions & Inclusions:
- While certain entities like government bodies, federally recognized Indian tribes, and some financial institutions are exempt, most non-profit organizations are covered by the MCDPA.
- There is no general entity-level exemption for HIPAA covered entities or business associates, though data regulated by HIPAA is exempt.
- Enhanced Consumer Rights: Minnesota consumers will gain several rights, including the right to access their personal data; to correct inaccurate personal data; to delete their personal data; to obtain a portable copy of their data; and to opt out of the sale of personal data, targeted advertising, and certain profiling.
Explicit Consent for Sensitive Data: Businesses must obtain explicit consumer consent before processing “sensitive data,” which includes racial or ethnic origin, religious beliefs, health conditions, sexual orientation, and a known child's data.
II. Key Business Obligations Under the MCDPA
Controllers (businesses that determine the purposes and means of processing personal data) have several significant responsibilities, including:
- Transparency and Privacy Notices
- Data Governance and Security
- Consumer Request Handling & Appeals
- Data Privacy and Protection Assessments (DPPAs)
- Processor Contracts
- Non-Discrimination
III. PROMPT ACTION IS REQUIRED: Preparing Your Business for the MCDPA
With the July 31, 2025, deadline approaching, and penalties of up to $7,500 per violation, prompt action is crucial.
We Can Help
We can help you understand the MCDPA's specific impact on your business and develop a tailored compliance roadmap. Specifically,
- Applicability Assessment: Determine if and how the MCDPA applies to your business.
- Data Security: Guide you on establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices.
- Data Mapping & Inventory: Help you identify the personal data you collect, process, and store.
- Gap Analysis: Compare your current data practices, policies, and procedures against MCDPA requirements.
- Policy & Notice Updates: Draft or revise privacy policy, internal policies, and data handling procedures.
- Consumer Rights Infrastructure: Help you develop and implement systems for receiving, authenticating, and responding to consumer rights requests and appeals within the mandated timelines.
- Vendor Contract Review: Guide you through the process of updating your data processing agreements with all third-party vendors (processors).
- DPPA Implementation: Help establish a process for conducting and documenting DPPAs for required processing activities.
- Staff Training: Train your employees on MCDPA requirements and your updated policies and procedures.