What the MCDPA does for you

Under the MCDPA, you have the right to know what personal data companies collect about you, correct inaccurate data, delete your data, and get a portable copy of your data. You can also opt out of targeted advertising, the sale of your data, and certain automated decision-making. Minnesota residents gain these protections starting July 31, 2025, with enforcement by the state Attorney General.

Your rights under the MCDPA

Right to Know

You have the right to confirm whether a company is processing your personal data and to access the categories of personal data the company holds about you. The company must respond within 45 days (with a possible 45-day extension). Note: certain highly sensitive identifiers like Social Security numbers won't be disclosed directly — the company will instead tell you that it holds that type of information.

Exceptions: Company cannot authenticate the request using commercially reasonable efforts; The controller is not required to reveal trade secrets; Certain sensitive identifiers (SSN, driver's license number, financial account numbers, health insurance account numbers, biometric data, passwords) will not be disclosed directly.

Source: Minn. Stat. § 325O.05, subd. 1(b)

Right to Delete

You have the right to ask a company to delete your personal data. The company must respond within 45 days (with a possible 45-day extension). If the company obtained your data from a source other than you directly, it may alternatively stop processing your data for any non-exempt purpose rather than fully deleting it.

Exceptions: Data needed to comply with federal, state, or local law (including legal data retention requirements); Data needed to complete a transaction or fulfill a contract you requested; Data used to detect, prevent, or respond to security incidents or fraud; Data used in peer-reviewed scientific, historical, or statistical research approved by an ethics board; Data needed to defend legal claims; Data needed to protect your life or physical safety or that of another person.

Source: Minn. Stat. § 325O.05, subd. 1(d)

Right to Correct

You have the right to ask a company to fix inaccurate personal data it holds about you, taking into account the nature of the data and the purposes for which it is being used. The company must respond within 45 days (with a possible 45-day extension).

Exceptions: Company cannot authenticate the request using commercially reasonable efforts; Requests that are manifestly unfounded or excessive may be subject to a reasonable fee or refusal.

Source: Minn. Stat. § 325O.05, subd. 1(c)

Right to Opt Out of Sales

You have the right to opt out of the sale of your personal data to third parties. You can do this directly with the company or through an authorized agent, including via a universal opt-out preference signal (like a browser setting) that the company must honor. The company must act on opt-out requests as soon as feasibly possible, but no later than 45 days.

Exceptions: Disclosure to a processor acting on the controller's behalf is not a 'sale'; Disclosure to a third party to provide a product or service you requested is not a 'sale'; Transfer to an affiliate is not a 'sale'; Transfer in a merger, acquisition, or bankruptcy is not a 'sale'.

Source: Minn. Stat. § 325O.05, subd. 1(f); § 325O.02(u)

Right to Opt Out of Processing

You have the right to opt out of certain processing of your personal data, including processing for targeted advertising and profiling in furtherance of decisions that produce legal or similarly significant effects on you (such as decisions about credit, housing, employment, education, health care, or access to essential goods). The company must act on your opt-out as soon as feasibly possible, no later than 45 days.

Exceptions: Processing required by law; Processing to fulfill a contract you requested; Processing to detect or prevent fraud or security incidents.

Source: Minn. Stat. § 325O.05, subd. 1(f)

Right to Opt Out of Automated Decisions

If a company uses automated profiling to make decisions that have legal or similarly significant effects on you (like decisions about credit, housing, jobs, education, or health care), you have the right to opt out of that profiling. You also have the right to question the result, be told why the decision was made, and — if it was based on inaccurate data — have the data corrected and the decision re-evaluated.

Exceptions: Processing required by law; Processing to fulfill a contract you requested; Processing to detect or prevent fraud or security incidents.

Source: Minn. Stat. § 325O.05, subd. 1(f)-(g)

Right to Data Portability

You have the right to get a copy of the personal data you previously gave to a company in a portable, and where technically feasible, readily usable format that lets you transfer it to another company without difficulty. This right applies where the company processes your data using automated means.

Exceptions: Only applies to data you previously provided to the controller; Only where processing is carried out by automated means; Company is not required to reveal trade secrets; Request must be authenticated using commercially reasonable efforts.

Source: Minn. Stat. § 325O.05, subd. 1(e)

Right to Non-Discrimination

A company cannot discriminate against you for exercising your privacy rights. This means they cannot deny you goods or services, charge you higher prices, or provide you a lower quality of service simply because you exercised a right under this law. Companies also cannot use your personal data to unlawfully discriminate against you based on race, color, ethnicity, religion, national origin, sex, gender, sexual orientation, familial status, lawful source of income, or disability.

Exceptions: A controller may offer a different price or level of service if you voluntarily participate in a bona fide loyalty, rewards, premium features, discounts, or club card program; A controller is not required to provide a service that requires data it does not collect.

Source: Minn. Stat. § 325O.07, subd. 3

Right to Limit Sensitive Data

Companies must obtain your consent before processing sensitive data about you. Sensitive data includes information about your race or ethnicity, religious beliefs, mental or physical health conditions, sexual orientation, citizenship or immigration status, biometric data, genetic information, precise geolocation, and the personal data of children under 13. You can revoke consent at any time, and the company must stop processing within 15 days. Companies also cannot process your data for targeted advertising or sell it if they know you are between ages 13 and 16, without your consent.

Exceptions: Processing of sensitive data may be permitted under specific exemptions (e.g., legal compliance, security, research approved by an ethics board, completing a requested transaction).

Source: Minn. Stat. § 325O.07, subd. 2(d)-(f)

How to exercise your rights

1. See which data brokers have your information. Optery scans 200+ brokers to show you what’s exposed. Start a free scan →
2. Submit a MCDPA deletion or opt-out request. Covered businesses have 45 days to respond (Minn. Stat. § 325O.05, subd. 4), with up to 45 additional days if they invoke the extension provision.
3. Let Optery automate the whole process. We submit opt-out and deletion requests on your behalf, track compliance, and resubmit whenever brokers re-add your data. Sign up free →

Authorized agents

The MCDPA mentions authorized agents only in the context of opt-out requests (Minn. Stat. § 3250.01 et seq.). Data brokers may choose to — but are not required to — honor deletion requests submitted by an authorized agent. In practice, many brokers do accept agent-submitted deletion requests. Optery handles both types on your behalf where permitted.

Enforcement and penalties

The MCDPA is enforced by Minnesota Attorney General. If a company violates your privacy rights under this law, the Minnesota Attorney General can take them to court. Before filing suit, the AG must first send the company a warning letter giving them 30 days to fix the problem (this cure period expires January 31, 2026). Companies found to have violated the law can be fined up to $7,500 per violation and may be subject to a court injunction requiring them to stop the unlawful conduct.

Who does the MCDPA apply to?

This law applies to businesses that operate in Minnesota or target Minnesota residents, AND either (1) process personal data of 100,000 or more consumers per year (not counting data used only to complete a payment), or (2) earn more than 25% of their gross revenue from selling personal data AND process personal data of 25,000 or more consumers. Government entities, federally recognized Indian tribes, small businesses (with limited exceptions), certain financial institutions, insurance entities, nonprofits established to detect insurance fraud, and businesses handling data already covered by specific federal laws (like HIPAA, GLBA, FERPA) are generally excluded.

Frequently asked questions

Who does the Minnesota Consumer Data Privacy Act protect?

The MCDPA protects Minnesota residents acting in a personal or household capacity — not people acting in a work or business context (Minn. Stat. § 325O.02(g)). It applies to businesses that either process personal data of 100,000 or more Minnesota consumers per year, or earn more than 25% of their gross revenue from selling personal data AND process data of 25,000 or more consumers (Minn. Stat. § 325O.03, subd. 1). Many types of entities — including government agencies, federally recognized tribes, banks, insurance companies, and most small businesses — are excluded.

How do I ask a company to delete my personal data under the MCDPA?

You can submit a deletion request directly to the company at any time — you don't need to create a new account to do so, though you may use an existing one (Minn. Stat. § 325O.05, subd. 4(c)). The company has up to 45 days to respond, with a possible 45-day extension (Minn. Stat. § 325O.05, subd. 4(e)). If the company declines, it must tell you why and explain how to appeal. If you're not satisfied with the appeal outcome, you can file a complaint with the Minnesota Attorney General.

Can I opt out of companies selling my personal data or using it for targeted ads?

Yes. Under the MCDPA, you have the right to opt out of the sale of your personal data and the use of your data for targeted advertising (Minn. Stat. § 325O.05, subd. 1(f)). You can opt out directly with each company, through an authorized agent, or by using a universal opt-out signal such as a browser privacy setting — companies must honor these signals (Minn. Stat. § 325O.05, subd. 3). Companies must act on your opt-out as soon as feasibly possible, but no later than 45 days.

What happens if a company violates my privacy rights?

There is no private lawsuit option under the MCDPA — you cannot sue the company directly (Minn. Stat. § 325O.10(d)). However, the Minnesota Attorney General can enforce the law and seek civil penalties of up to $7,500 per violation (Minn. Stat. § 325O.10(c)). Before filing suit, the AG must first give the company a 30-day warning to fix the problem (this cure period expires January 31, 2026). You can file a complaint with the Attorney General's office if you believe a company has violated your rights.

When does the Minnesota Consumer Data Privacy Act take effect?

The MCDPA takes effect July 31, 2025 for most businesses (Minn. Stat. ch. 325O, Art. 5, Sec. 14). However, postsecondary institutions regulated by the Office of Higher Education have until July 31, 2029 to comply. The law was signed by the governor on May 24, 2024.

Official resources

• Full statute text (HF 4757)
• Minnesota Attorney General’s office
• Primary enforcement agency