Minnesota MCDPA

Minnesota Consumer Data Privacy Act

Key Facts

Effective Date: July 31, 2025
Enacted: May 19, 2024
Enforcing Authority: Minnesota Attorney General
Consent Model: Opt-out
Fulfillment Time: 45 days
Applies To: Entities in MN or targeting MN residents: 100,000+ consumers OR 25,000+ consumers and 25%+ revenue from selling PI

Overview

Minnesota's MCDPA introduces several firsts among US state privacy laws: mandatory Chief Privacy Officer designation, required data inventory maintenance, and the right to challenge profiling decisions. The expanded sensitive data definition includes SSN, government IDs, financial and insurance accounts, and passwords.

What This Means for Your Website

  • You must designate a Chief Privacy Officer (or equivalent) — first US state to require this
  • A documented data inventory must be maintained — first US state to require this
  • GPC/UOOM signals must be honored
  • Consumers have a unique right to question profiling decisions
  • Opt-in consent is required for sensitive data (expanded definition)
  • The 30-day cure period sunsets January 1, 2026

Key Requirements

The Minnesota AG enforces the MCDPA with penalties up to $7,500 per violation. Consumer requests must be fulfilled within 45 days. The CPO and data inventory requirements are organizational obligations that go beyond typical US state privacy laws. The right to question profiling decisions creates a unique challenge mechanism for consumers.

How ConsentStack Handles This

ConsentStack detects Minnesota visitors, honors GPC signals, applies opt-in for the expanded sensitive data categories, and supports the consent record-keeping that complements organizational CPO and inventory requirements.

Penalties

Up to $7,500 per violation.

Maximum Fine: USD 7,500 per violation

Key Requirements

  • Designate a Chief Privacy Officer — first US state to require this
  • Maintain documented data inventory — first US state to require this
  • Honor GPC/universal opt-out signals
  • Opt-in consent for sensitive data
  • Right to question profiling decisions — unique
  • Data protection assessments for profiling with legal effects

Notable Provisions

  • First US state requiring Chief Privacy Officer
  • First requiring data inventory maintenance
  • Right to question profiling decisions — unique
  • Expanded sensitive data definition (SSN, government IDs, financial accounts, passwords)
  • Cure period sunsets January 2026

US State Specifics

Cure Period: 30 days
Private Right of Action: No
Global Opt-out Required: Yes
Sensitive Data Opt-in: Yes
Children Provisions: Data of children under 13 is treated as sensitive and requires opt-in consent.

Other North America Regulations

CPRA (California, United States)
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.

PIPEDA (Canada, Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.

Quebec Law 25 (Quebec, Canada)
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.

TDPSA (Texas, United States)
The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.

CPA (Colorado, United States)
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.

MODPA (Maryland, United States)
The most restrictive US state privacy law. Sensitive data may only be processed when strictly necessary to deliver a requested service — and sale of sensitive data is completely prohibited even with consent. Under-18 sale and targeted advertising are prohibited regardless of consent. Strictest data minimization in the US.

Frequently Asked Questions

Does Minnesota require a Chief Privacy Officer?

Yes — Minnesota is the first US state to require designation of a CPO or equivalent. This is a mandatory organizational requirement.

What is Minnesota's data inventory requirement?

Minnesota is the first US state to require a documented data inventory — organizations must maintain records of their data processing activities.

Can consumers challenge profiling in Minnesota?

Yes. Minnesota uniquely grants consumers the right to question profiling decisions — a consumer right not found in other US state privacy laws.

What are the Minnesota MCDPA penalties?

Up to $7,500 per violation. The 30-day cure period sunsets January 1, 2026.
