Privacy Laws in Minnesota: What You Need to Know

Minnesota's Consumer Data Privacy Act (MCDPA), which took full effect in 2025, gives residents powerful new rights over their personal data. With its cure period expiring in January 2026, Minnesota now has one of the strictest privacy enforcement regimes in the country. Here's what you need to know to take advantage of these protections.

What Is the Minnesota Consumer Data Privacy Act?

The MCDPA (Chapter 325M of Minnesota Statutes) was signed into law by Governor Tim Walz in May 2024 and took effect on July 31, 2025. It gives Minnesota residents the power to control how companies collect, use, and sell their personal data.

The law applies to businesses that operate in Minnesota or target Minnesota residents and meet at least one of these thresholds:

• Control or process personal data of at least 100,000 Minnesota consumers (excluding payment-only data)
• Derive over 25% of gross revenue from selling personal data and process data of at least 25,000 consumers

Certain education technology providers are also covered regardless of these thresholds.

Your Rights Under the MCDPA

The MCDPA grants Minnesota residents a comprehensive set of data rights:

Right to Know

You can request that a business tell you what personal information it has collected about you, including the categories of data, the purposes for collection, and whether it has been shared with third parties.

Right to a List of Third Parties

Businesses must provide you with a list of specific third parties to whom they've sold or shared your personal data. This goes beyond what many other state privacy laws require.

Right to Access and Portability

You can request a copy of your personal and sensitive data in a portable, usable format.

Right to Correct

If a business has inaccurate information about you, you can demand they fix it.

Right to Delete

You can request that a business delete your personal and sensitive information from their systems.

Right to Opt Out

You can opt out of businesses selling your personal data, using it for targeted advertising, or profiling you based on it.

Right to Question AI Decisions

Minnesota is one of the first states to give consumers a specific right to question automated profiling decisions. If an AI system or algorithm makes a decision that affects your access to jobs, housing, insurance, or other critical services, you can demand an explanation of the reasoning and learn what you could have done differently.

The Cure Period Is Over

Until January 31, 2026, the MCDPA included a 30-day cure period — meaning the Attorney General had to give companies a warning and 30 days to fix violations before taking enforcement action. That period has now expired.

As of February 2026, the Minnesota Attorney General can pursue enforcement immediately, without warning. This makes Minnesota's law one of the strictest in the nation for enforcement. The AG's office has already received over 200 complaints and sent dozens of warning letters to companies with inadequate privacy practices.

Enforcement and Penalties

The Minnesota Attorney General has exclusive enforcement authority under the MCDPA. There is no private right of action — meaning individual consumers cannot sue companies directly under this law (unlike Illinois's BIPA).

Penalties include:

• Civil penalties up to $7,500 per violation
• Reasonable attorney's fees
• Injunctive relief — courts can order companies to change their practices

Who Is Exempt?

The MCDPA exempts several types of organizations:

• Government entities
• Federally recognized Indian tribes
• State or federally chartered banks and credit unions
• Insurance companies regulated under existing insurance law
• Nonprofits established to detect and prevent insurance fraud
• Small businesses as defined by the U.S. Small Business Administration (though they still cannot sell sensitive data without consent)

Notably, Minnesota does not broadly exempt nonprofits — unlike many other state privacy laws.

How to Exercise Your Rights

Here's how to put the MCDPA to work for you:

1. Identify companies that have your data — Start with data brokers, people-search sites, social media platforms, retailers, and any business you've interacted with online
2. Submit a data rights request — Contact the business directly. Most companies now have a "Privacy" or "Do Not Sell My Information" link in their website footer. Submit your request in writing.
3. Be specific — Cite the Minnesota Consumer Data Privacy Act and specify which right you're exercising (access, deletion, opt-out, etc.)
4. Track your requests — Businesses have 45 days to respond. Keep records of when you submitted each request.
5. Escalate if needed — If a company ignores your request or refuses to comply, file a complaint with the Minnesota Attorney General's Consumer Fraud Bureau

The Faster Way: Automate Your Privacy Protection

Exercising your rights under the MCDPA one company at a time is effective but slow — especially when your data appears on dozens or even hundreds of sites. PrivacyOn automates the process by scanning 100+ data broker and people-search sites, submitting removal requests on your behalf, and monitoring 24/7 to catch re-listings.

Combined with dark web monitoring and family plans that protect up to 5 people, PrivacyOn makes it practical to enforce your Minnesota privacy rights without spending hours on manual requests. Plans start at just $8.33/month.

What's Next for Minnesota Privacy

Minnesota's MCDPA is already one of the most comprehensive state privacy laws, but the legislature continues to evolve it. Watch for potential expansions in areas like:

• Stronger protections for children's data
• Enhanced rules around AI and automated decision-making
• Potential data broker registration requirements
• Possible private right of action in future amendments

For now, the MCDPA gives Minnesota residents a strong foundation to protect their personal data — and with the cure period gone, companies have every reason to take your requests seriously.