№ 16 Data Privacy
Minnesota's Data Privacy Law is Here: What It Means and Why It Matters
Minnesota's Consumer Data Privacy Act takes effect July 2025. What the MCDPA requires, how it compares to other state laws, and how to prepare your organization.
As a digital strategist based in Minnesota, the signing of the Minnesota Consumer Data Privacy Act (MCDPA) hit close to home—literally. Governor Walz signed this landmark legislation in May 2024—and it takes effect July 31, 2025. Minnesota is now part of a rapidly growing wave of states establishing comprehensive privacy protections—and if your organization does business here, the clock is ticking.
I wrote a detailed compliance breakdown of the MCDPA on the RBA blog covering the full legal scope, thresholds, and technical requirements. Here, I want to step back and share my perspective on what this law signals strategically—and what organizations should actually be doing about it right now.
Why This One Stands Out
Minnesota’s law isn’t just another copy-paste of existing state privacy legislation. It distinguishes itself in a few notable ways.
First, the MCDPA gives consumers the right to question and review the results of automated profiling decisions. In an era where AI is increasingly making or influencing decisions about people—credit approvals, hiring recommendations, insurance pricing—this is a significant provision. It signals where privacy law is heading nationally, not just in Minnesota.
Second, the law requires organizations to display a clearly labeled “Privacy Rights” link on their homepage and implement Universal Opt-Out Mechanisms. This isn’t a suggestion buried in legal text—it’s a specific, visible, user-facing requirement that will be immediately obvious if you’re not compliant.
Third, the MCDPA takes a particularly strong stance on sensitive data. Racial and ethnic origin, religious beliefs, health conditions, sexual orientation, citizenship status, biometric and genetic data, children’s data, and precise geolocation all require opt-in consent before processing. The definition is broad, and the consent requirements are strict.
The Bigger Picture
Minnesota is one of eight states that implemented comprehensive privacy laws in 2025. By the end of the year, 32% of U.S. states will have such legislation on the books, covering 43% of Americans. The patchwork is growing fast, and the compliance complexity grows with it.
For organizations operating across state lines—which is nearly everyone with a digital presence—this isn’t a state-by-state problem. It’s a data governance problem. Every new law makes the case stronger for establishing a single, high-bar privacy standard across your entire operation rather than trying to manage jurisdiction-by-jurisdiction compliance.
The organizations I see handling this best aren’t scrambling to meet each new state deadline. They’ve built privacy programs that treat the strictest applicable standard as their baseline and adapt from there. It’s less expensive, less risky, and frankly less stressful than the alternative.
What You Should Be Doing Now
If your organization touches Minnesota consumer data and you haven’t started preparing, here’s where to focus your energy:
Know what you’re collecting. This sounds obvious, but in practice, most organizations can’t give a complete, accurate answer. Map your data flows—what personal data you collect, where it lives, how it moves between systems, and who has access. You can’t comply with rights requests if you don’t know where the data is.
Audit your consent practices. The MCDPA requires opt-in consent for sensitive data and provides opt-out rights for targeted advertising and data sales. Review your current consent mechanisms. Are they clear, conspicuous, and actually capturing the right level of consent for the data categories you process?
Update your public-facing privacy presence. The “Privacy Rights” link requirement means your website needs visible, accessible privacy controls. If you’re still relying on a generic privacy policy footer link and a basic cookie banner, that likely won’t cut it.
Prepare for rights requests. Consumers will have the right to access, correct, delete, and port their data, plus the right to appeal denied requests. You need processes and, ideally, tooling in place to handle these within the 45-day response window.
Don’t forget the cure period. Until January 31, 2026, businesses have a 30-day window to fix alleged violations before the Attorney General can impose penalties of up to $7,500 per violation. That grace period is a gift—use it wisely by getting your compliance house in order now, not after you receive a notice.
A Word on the Enforcement Approach
Unlike some states that allow private lawsuits for privacy violations, the MCDPA is enforced exclusively by the Minnesota Attorney General. This means you’re less likely to face the kind of serial litigation that has plagued Americans with Disabilities Act (ADA) web accessibility compliance—a cottage industry of plaintiff-side firms, for those who haven’t followed it. But it also means that when enforcement actions do come, they’ll come with the full weight and resources of the state AG’s office—and on the office’s own timeline, not a plaintiff’s.
The combination of exclusive AG enforcement, a temporary cure period, and the $7,500 per-violation penalty structure suggests the law is designed to drive compliance, not gotcha litigation. That’s a reasonable approach—but it only works in your favor if you’re genuinely working toward compliance.
Looking Forward
The MCDPA is part of an irreversible trend. Consumer data privacy legislation is spreading across states, getting stricter with each iteration, and increasingly intersecting with AI regulation. The profiling provisions in Minnesota’s law are just the beginning of that convergence.
Organizations that build strong privacy foundations now—real data governance, meaningful consent mechanisms, responsive rights-request processes—aren’t just preparing for one state law. They’re building the infrastructure they’ll need for every privacy law that follows.
For a detailed compliance breakdown of the MCDPA including scope thresholds, consumer rights, sensitive data definitions, and enforcement details, see the full analysis on the RBA blog.