Applicability

The MNCDPA applies to entities that conduct business in Minnesota or produce products or services that target Minnesota consumers and, during the immediately preceding calendar year, meet one of the following thresholds:

• Control or process the personal data of 100,000 Minnesota consumers or more; or
• Derive more than 25 percent of gross revenue from the sale of personal data, and process or control the personal data of at least 25,000 Minnesota consumers.

Reflective of Minnesota’s strong emphasis on education, the MNCDPA also applies to “technology providers” that contract with public education agencies and institutions under Minnesota’s educational data laws.

Similar to other consumer privacy statutes, the MNCDPA provides limited entity-level exemptions, and excludes personal data processed solely for the purpose of completing a payment transaction as long as no consumer data is retained. The MNCDPA also does not apply to employee or applicant personal data.

Consumer rights

The MNCPDA provides Minnesotans with the following data privacy rights:

• The right to confirm whether a controller is processing the consumer’s personal data and the right to access the data.
• The right to correct inaccurate personal data.
• The right to require deletion of personal data (subject to exceptions).
• The right to data portability.
• The right to obtain a list of third parties to which the controller disclosed the consumer’s personal data.
• The right to opt out of targeted advertising, the sale of personal data, and the use of personal data for profiling by automated means that produce legal or significant effects. Controllers must also adhere to opt-out requests submitted by universal opt-out mechanisms, or “UOOMs.”

The MNCDPA goes into more depth than most state privacy laws in addressing the issue of automated profiling that produces legal or similarly significant effects. The MCDPA gives consumers the right to (1) question the result of profiling; (2) be informed of the reasoning behind the profiling-produced decision; and (3) if feasible, to be informed of actions the consumers could have taken that would have secured a different result or that could secure a different result in the future. Consumers can also review data used in the profiling decision and correct any inaccurate data for a reevaluation of the decision. This right increases the importance of ensuring transparency, explainability, and documentation in an organization’s governance program for any automated or artificial intelligence processes that produce legal or similarly significant effects.

In most circumstances, a controller will have 45 days to respond to a request, and must establish an appeal process for consumers to appeal a controllers’ denial of any request to exercise their rights.

Obligations for controllers and processors

The MNCDPA also includes a number of noteworthy compliance obligations:

• Data Limitation: The MNCDPA requires controllers to limit the collection of personal data to what is adequate, relevant, and reasonably necessary to effectuate the purposes for which it was collected and processed.
• Sensitive Data: Controllers may not process “sensitive data” without consumers’ consent. “Sensitive data” includes data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data for the purpose of uniquely identifying an individual, data collected from a known child, and specific geolocation data.
• Transparency and Notice: Controllers must provide consumers with a privacy notice that is reasonably accessible, clear and meaningful. Consumers must be notified of any material changes to the privacy notice. Additionally, when consent is required, consumers must be given an opportunity to withdraw consent to any materially different processing. Controllers must also provide a method outside of the privacy notice for consumers to opt out of personal data sales, targeted advertising, or profiling.
• Safeguarding Data: Controllers must establish and maintain reasonable administrative, technical and physical safeguards to protect the confidentiality, integrity and accessibility of the data. Notably, the MNCDPA requires controllers to maintain personal data inventories in order to appropriately implement safeguards.
• Data Protection Impact Assessments: For certain categories of data processing, controllers must conduct data protection impact assessments to mitigate the risk of consumer harm. Specifically, DPIAs are required in advance of targeted advertising, sales of personal data, certain types of profiling, processing of sensitive data, and any processing activities that present a “heightened risk of harm.”
• Data Processors: Controllers must ensure that their agreements with processors contain required provisions regarding personal data processing, including protecting the confidentiality of the data, data retention, subcontractor flow-down obligations, and more.

Enforcement

The MNCDPA does not have a private right of action, meaning that individuals will not be able to file suit if their rights are violated. Rather, the MNCDPA will be enforced exclusively by the state Attorney General’s Office with civil penalties of up to $7,500 per violation after the end of a temporary cure period that will expire on January 31, 2026.