U.S. states continue to take charge of data privacy for their residents, as Minnesota passed its Consumer Data Privacy Act (MCDPA). This latest comprehensive privacy law is based on the model first passed by Virginia, Colorado, and others, but adds a few of its own innovations as well.
Here’s what you need to know about the Minnesota Consumer Data Privacy Act.
The Minnesota privacy law goes into effect on July 31, 2025.
The Minnesota Consumer Data Privacy Act applies to any person or organization that does business in the state or targets its products or services toward state residents, and meets at least one of the following requirements:
The MCDPA contains a number of exemptions, such as for data that is covered by federal laws such as HIPAA and the Gramm-Leach-Bliley Act. A unique provision in the Minnesota law exempts all “small businesses,” as that term is defined by the Small Business Administration. The MCDPA can also apply to nonprofit organizations.
The MCDPA gives state residents the following rights.
Violations of the Minnesota Consumer Data Privacy Act are punishable by civil penalties of up to $7,500 per violation.
The MCDPA does not grant a private right of action to consumers, meaning they cannot sue an organization over violations. Only the Minnesota Attorney General’s Office has authority to enforce the law.
As described above, the MCDPA grants consumers new rights not found in other privacy laws: the right to question profiling results, and the right to receive a list of third parties.
Most state privacy laws require businesses to offer an appeals process in case they deny a consumer’s privacy request. Minnesota’s privacy law is no different in this respect, except that it imposes an additional record-keeping requirement. Businesses must retain records relating to all appeals for at least 24 months, and make those records available to the Attorney General upon request.
The MCDPA introduces a new compliance task for data controllers: documenting and maintaining “a description of the policies and procedures the controller has adopted to comply with [the MCDPA].”
This description should include the following.
Creating this documentation could be a significant project for businesses, so it may be a good idea to begin well in advance of the MCDPA’s 2025 effective date.
The pace of state privacy legislation is picking up, with many more states likely to pass their own laws in the near future. With each new law, compliance becomes a little more complicated to manage, especially for businesses without in-house privacy experts.
TrueVault US helps businesses of all sizes get compliant with privacy laws from across the country with one streamlined platform. Built by attorneys, TrueVault US is a software solution that guides you at every step of the way, from onboarding vendors to responding to consumer privacy requests.
To learn more about how TrueVault US can help your business, contact our team today.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Our attorney-designed software will step-by-step guide you through the compliance process from start to finish.
Request a Demo201 Mission Street, 12th Floor
San Francisco, CA 94105
Email: hello@truevault.com
2024 © All Rights Reserved. Privacy Policy | Terms of Use | Supplemental Terms | California Privacy Notice