Minnesota Becomes the Next State to Enact a Comprehensive Data Protection Law
Friday, June 14, 2024

On May 24, 2024, Minnesota Governor Tim Walz signed the Minnesota Consumer Data Privacy Act (MCDPA), which will go into effect on July 31, 2025.

The law applies to entities that, within a calendar year: (1) control or process personal data of at least 100,000 Minnesota residents; or (2) derive over 25% of their gross revenue from selling personal data and process or control personal data of at least 25,000 Minnesota residents.

The law also provides Minnesota residents with the following rights:

  • The right to access personal data;
  • The right to correct personal data;
  • The right to delete personal data;
  • The right to data portability; and 
  • The right to opt out of targeted advertising, sale of personal data, and profiling.

Amongst other things, the law requires controllers of personal data: 

  • To establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities.
  • To provide consumers a "reasonably accessible, clear, and meaningful" online privacy notice, posted on its homepage using a hyperlink that contains the word “privacy.”
  • To electronically notify consumers of any material changes to the privacy notice and provide them a reasonable opportunity to withdraw consent to any materially different processing activities.
  • To perform a data protection impact assessment (DPIA) for data processing activities that include: targeted advertising; processing sensitive data; selling personal data; any processing activities involving personal data with a heightened risk of consumer harm; and processing data for profiling, if the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment, unlawful disparate impact on consumers, intrusion upon a consumer's solitude or private affairs, or other substantial injury to consumers.
  • To maintain records of all appeals and responses to those appeals for at least 24 months.
  • To retain policies adopted to comply with the law, including identifying the primary individual responsible for the controller's compliance.

Similar to the other state privacy laws, the law exempts entities regulated by the Gramm-Leach-Bliley Act; protected health information governed by the Health Insurance Portability and Accountability Act; consumer credit-reporting data; and data covered by the Driver's Privacy Protection Act, the Family Educational Rights and Privacy Act, the Fair Credit Reporting Act, and the Farm Credit Act.

The Minnesota Attorney General will have exclusive enforcement authority and may bring an enforcement action for civil penalties of up to $7,500 per violation and reasonable attorney's fees. The Minnesota Attorney General may also seek injunctive relief to curb identified violations. Until January 31, 2026, there is a 30-day period to cure alleged violations before an enforcement action may proceed. The law does not provide a private right of action.
