What Is the Minnesota Consumer Data Privacy Act?
MCDPA applies to controllers processing data of 100,000+ Minnesota consumers or 25,000+ while selling data. Unique features include a right to question automated decisions, data minimization obligations (controllers must delete data no longer needed), and a privacy-impact-assessment requirement for high-risk processing. Enforcement is by the AG, with a 30-day cure period that sunsets in January 2026.
At a glance
- Full name
- Minnesota Consumer Data Privacy Act
- Short code
- MCDPA
- Effective date
- July 31, 2025
- Response deadline
- 45 days
- Cure period
- None (sunset)
- Private right of action
- No
- Enforcement
- Minnesota Attorney General
- Maximum penalty
- Up to $7,500 per violation under existing consumer protection authority
- Statutory citation
- Minn. Stat. § 325O.01 et seq.
Who MCDPA applies to
A business is covered if it meets the applicability thresholds set out in Minn. Stat. § 325O.01 et seq.. Most state laws use an “or” framework — any one of the thresholds triggers coverage unless otherwise noted.
- Conducts business in Minnesota or targets Minnesota residents, AND
- Controls or processes personal data of 100,000+ Minnesota consumers (excluding data processed solely for payment), OR
- Controls or processes personal data of 25,000+ Minnesota consumers AND derives more than 25% of gross revenue from the sale of personal data
Consumer rights under MCDPA
Delete, access, correct, port, opt-out
Right to question automated decisions
Data-minimization obligations on controllers
Privacy impact assessment requirements
Notable features (vs. CCPA)
MCDPA grants a distinctive right against profiling: consumers may question decisions based on automated profiling that produce legal or similarly significant effects, and may request human review and correction. This is broader than most state laws' profiling opt-out. The MN AG may also require data controllers to provide documentation of their data protection assessments upon request.
Enforcement & penalties
Enforcing agency: Minnesota Attorney General
Maximum penalty: Up to $7,500 per violation under existing consumer protection authority
Cure period: The 30-day cure period sunset on January 31, 2026. Violations are now directly enforceable.
Private right of action: MCDPA has no private right of action. Enforcement is exclusive to the Minnesota Attorney General.
Where to file a complaint: Minnesota Attorney General
How to exercise your MCDPA rights
- 1
Identify the business that holds your data (or use OfflistMe, which pre-targets 300+ known brokers and applies MCDPA citations automatically).
- 2
Submit a verifiable consumer request to the business's designated contact. Include enough identifying data that the business can verify you as a Minnesota resident (e.g., ZIP code, email associated with your record).
- 3
Under MCDPA, businesses have 45 days to respond. Extensions are permitted with written notice under most state laws.
- 4
If the business fails to respond or denies the request without legal basis, file a complaint with the Minnesota Attorney General at https://www.ag.state.mn.us/Office/Complaint.asp.
Use your rights
MCDPA-compliant deletion emails, $5 one-time
OfflistMe drafts MCDPA-compliant deletion emails for 300+ data brokers. Citations included. You send from your own inbox. No account, no ID upload.
Start for $5 →FAQ
What makes MCDPA different from other state privacy laws?+
MCDPA has the strongest automated-decision transparency rights — you can demand a plain-language explanation of how a profile was built and request human review. It also imposes data-minimization obligations on controllers, requiring them to actively delete data they no longer need.
Official sources & citations
Compare with sibling state laws
MCDPA is one of 18 comprehensive US state privacy laws. Its closest peers by effective date — useful when tracking how this law influenced or was influenced by neighbouring legislation: