Minnesota Consumer Data Privacy Act – What AASPMN Members Need to Know

Sam Richie, AASPMN Lobbyist • August 12, 2025

LEGISLATIVE UPDATE


On July 31, 2025, the Minnesota Consumer Data Privacy Act of 2024 (MNCDPA) went into effect. This law provides Minnesota consumers with comprehensive privacy protections. This article provides an overview of the key provisions of the MNCDPA and how AASPMN members can comply with its requirements.


Scope of the MNCDPA

The MNCDPA applies to legal entities that conduct business in Minnesota or provide products and services targeted to Minnesota residents that control or process personal data of:

  • 100,000 or more Minnesota consumers during a calendar year, excluding personal data processed solely to complete a payment transaction; or
  • 25,000 or more Minnesota consumers, if they also derive more than 25 percent of their gross revenue from personal data sales.

As the law excludes entities that process Minnesota consumers’ personal data solely for the purpose of completing a payment transaction, many businesses are likely to be exempt from this law. However, if your business collects personal data for any other purposes and you meet the threshold of consumers, you are subject to the MNCDPA. For the purposes of this law, “personal data” includes any information that is linked or reasonably linkable to an identified or identifiable individual or household. Some examples of personal data include names, email addresses, phone numbers, financial information, device identifiers, geolocation data and biometric data.


Consumer Rights

Under the MNCDPA, consumers are afforded certain rights regarding their personal data. These rights include:

Access: Consumers can request confirmation of how a business is processing their data, access the data and obtain a list of specific parties to whom their data has been disclosed.

Correction: Consumers can request corrections to any inaccurate personal data collected by a business.

Deletion: Consumers can require deletion of their personal data at any time.

Data portability: Consumers can request a copy of their data in an accessible format.

Opt-Out: Consumers can opt out of any personal data sales, targeted advertising and profiling activities.

Appeal: If a business denies any personal data request from a consumer, the consumer can appeal this decision.


One unique aspect of the MNCDPA is the right for consumers to question the results of any decision, including the reasoning behind the decision.


What Businesses Need to Do to Comply with the MNCDPA

If you are subject to the MNCDPA, you must take several actions to remain in compliance:

  • Provide transparent and accessible privacy notices detailing your business’s data collection practices and the consumer’s rights.
  • Limit personal data collection to what is adequate, relevant and reasonably necessary to perform the processing as disclosed.
  • Do not retain personal data that is no longer relevant, or for longer than is reasonably necessary for its original collection.
  • Implement reasonable administrative, technical and physical data security procedures to protect the personal data’s confidentiality and accessibility.
  • Obtain consent before processing sensitive data.
  • Obtain consent from a parent or guardian before processing the data of a known child (under 13).
  • Maintain comprehensive records of collected/processed personal data.
  • Enable, act on, and respond to a consumer’s data rights requests.
  • Conduct regular assessments to determine if activities present heightened risks, including targeted advertising or processing sensitive data.
  • Establish contracts with data processors outlining all processing instructions, confidentiality obligations, and compliance.


Businesses must respond to any consumer request within 45 days. If it is reasonably necessary to handle a complex request, a business may extend that response by 45 more days. However, consumers must be informed of any extension and its reason within the initial 45-day period.


Next Steps

Penalties for non-compliance can reach up to $7,500 for each individual violation. Until January 31, 2026, businesses have a 30-day period to cure any alleged violations before official enforcement actions begin. Given these steep penalties for violations and the approaching date of effect, AASPMN members are encouraged to take the steps to comply with the law:

  1. Assess whether they fall within the scope of the MNCDPA. 
  2. Review and update data collection and processing practices. 
  3. Develop or revise privacy policies to align with the MNCDPA requirements. 
  4. Implement mechanisms for consumers to exercise their rights. This could include the proper opt-out language on all emails, as well as a designated privacy email address where consumers can address their concerns and submit their requests. 


AASPMN is committed to providing its members with resources to implement these actions, including a template Privacy Policy that conforms to the MNCDPA requirements and can be tailored to fit your specific website and business.