Last updated: January 2025

Please note this is a highlighted overview and not a complete overview of privacy laws for this state. If you would like a complete review of this state's privacy laws or a multi-state privacy compliance cheat sheet on specific topics, please contact Vivien Peaden at vpeaden@bakerdonelson.com.

Disclaimer: These materials do not constitute legal advice and should not be substituted for the advice of legal counsel.

The Minnesota Consumer Data Privacy Act (MNCDPA)

Effective Date: July 31, 2025

1. Applicability Thresholds:

Subject to certain entity-level and data-level exemptions, the MNDPA applies to legal entities that conduct business in Minnesota or produce products or services targeting Minnesota residents (consumer); and controls or processes either:

• 100,000+ Minnesota consumers' personal data (excluding payment transaction data), during a calendar year; or
• 25,000+ Minnesota consumers' personal data and derived more than 25 percent of its gross revenue from the sale of personal data.

Small Business Exemption:

• Similar to state privacy laws in Nebraska and Texas, the MNCDPA exempts certain small businesses.

2. Key Definitions:

Sales of Personal Data: Similar to California, "sale," "sell," or "sold" is broadly defined to include the exchange of personal data for not only monetary compensation but also "other valuable consideration," subject to certain exemptions.

3. Business Obligations:

The MNCDPA imposes additional obligations on persons who, alone or jointly with others, determine the purposes and means of processing personal data (Controller):

• Heightened Protection for Minor Under the Age of 16:
  • Teenagers who are at least 13 years old but younger than 16 years of age and children under the age of 13 are afforded heightened protection under the MNCDPA.
• Data Processing Agreement (DPA): Processing activities by a supplier (Processor) shall be governed by a DPA between the Controller and Processor.
• Data Protection Assessment. Yes, a Controller must conduct a data protection assessment for certain activities that present a higher risk of harm to consumers.
• Data Privacy Policy and Documentation: A Controller must document and maintain a description of the policies and procedures the Controller has adopted to comply with the MNCDPA.
• Privacy Notice: A Controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice.
• Universal Opt-out Mechanism: Controllers must allow consumers to opt out of certain processing of consumer personal data for the purposes of targeted advertising and/or sale of personal data, including displaying certain internet hyperlink.

4. Consumer Rights:

Subject to certain exceptions, a Minnesota consumer has the right to:

• Confirm whether a Controller is processing their personal data and access the categories of data being processed;
• Correct inaccuracies in the consumer's personal data;
• Delete personal data concerning the consumer;
• Obtain a copy of their personal data previously provided by the consumer to the Controller in a portable and readily usable format: Upon request by a consumer, a Controller must provide a list of specific third parties to which consumers' personal data (either specific to this individual or in general) was disclosed;
• Opt-out of personal data processing for targeted advertising, sales of personal data, and profiling for solely automated decisions producing legal or similarly significant effects; and
• Question Results of Profiling.

5. Enforcement and Penalties:

Private Right of Action: None.

Penalties: $7,500 per violation.

Cure Period: A 30-day cure period following receipt of the notice of violation by the Minnesota attorney general. Such a grace period is only available until January 31, 2026.