Privacy Law Status

Your Rights as a Minnesota Resident

The Minnesota Consumer Data Privacy Act grants residents comprehensive control over their personal data, with enhanced protections for sensitive information and automated decision-making processes.

• Right to know what data is collected: You can confirm whether a business is processing your personal data and request access to that information, including details about how it’s used and shared with third parties[9][10].
• Right to delete personal information: You can request businesses delete your personal data, whether you provided it directly or they collected it about you, with certain legal exceptions applying[9][8].
• Right to opt out of data sales: You can prevent businesses from selling your personal data, including through universal opt-out mechanisms like browser privacy settings that businesses must recognize[4][8].
• Right to correct inaccurate data: You can request correction of any inaccuracies in your personal data, considering the nature of the information and its intended use[9][8].
• Right to challenge profiling decisions: When automated processing affects legal or similarly significant decisions about you, you can review the data used, contest the outcome, receive explanations of decisions, and understand what actions might lead to different results[4][9].
• Right to data portability: You can request a copy of personal data you previously shared with a business in a usable format, subject to certain exceptions[9][8].
• Right to non-discrimination: Businesses cannot discriminate against you for exercising your privacy rights, and they’re prohibited from processing personal data in ways that unlawfully discriminate based on sensitive attributes like race, ethnicity, religion, gender, or sexual orientation[1][8].

When you exercise any of these rights, businesses must respond within 45 days and can provide up to two free responses annually per person[8]. For sensitive information like Social Security numbers or biometric data, businesses must inform you if they’ve collected such data without revealing the actual information[9].

Business Requirements

The MCDPA establishes comprehensive obligations for businesses that handle Minnesota residents’ personal data, with specific thresholds determining coverage.

• Coverage thresholds: The law applies to businesses conducting business in Minnesota or targeting Minnesota residents that either control or process personal data of 100,000 or more consumers annually, or derive over 25% of gross revenue from data sales while processing data of 25,000 or more consumers[6][7].
• Transparency requirements: Businesses must provide clear, accessible privacy notices listing data categories collected, processing purposes, data sharing practices, consumer rights, and contact information for their chief privacy officer[4][8].
• Consumer request procedures: Companies must establish systems to respond to consumer rights requests within 45 days, with possible 45-day extensions, and provide free responses twice annually per consumer[8].
• Data minimization and purpose limitation: Businesses must limit data collection to what’s necessary for disclosed purposes and cannot use data for undisclosed purposes without consent[8].
• Security measures: Companies must implement appropriate technical, physical, and administrative safeguards proportional to the data volume and nature[8].
• Risk assessments: Businesses must conduct privacy impact assessments for high-risk processing activities involving sensitive data or profiling[8].
• Documentation requirements: Unlike most state privacy laws, Minnesota explicitly requires appointing a Chief Privacy Officer and maintaining documented internal privacy policies and formal data inventories[9].

Practical Impact

• Daily life protection: The law provides meaningful control over data collected through everyday activities like using fitness devices, GPS navigation, website visits, and mailing list sign-ups, helping prevent misuse of location data for tracking healthcare visits or peaceful protests[5].
• Enhanced profiling protections: Minnesota uniquely addresses automated decision-making affecting essential services like jobs, housing, education, and insurance, allowing residents to challenge decisions that impact access to these critical areas[5][9].
• Violation reporting: Residents can file complaints with the Minnesota Attorney General’s Office through the PrivacyMN.com website, which processes violations of various consumer rights under the MCDPA[10][5].
• Enforcement limitations: The law does not provide a private right of action for consumers, meaning individuals cannot sue companies directly but must rely on Attorney General enforcement[8].
• Small business exemptions: Small businesses as defined by the U.S. Small Business Administration are generally exempt, though they must still obtain opt-in consent before processing sensitive data[1][6].
• Federal law interactions: Entities already covered by federal privacy laws like HIPAA, GLBA, or FERPA remain generally exempt from MCDPA requirements where those laws overlap[7].

Comparison Context

• Leading privacy state features: Minnesota incorporates strong provisions from states like California and Colorado while adding unique protections around profiling decisions that other states are beginning to adopt[4][5].
• Distinctive profiling rights: The MCDPA provides the most comprehensive protections for automated decision-making among state privacy laws, allowing consumers to challenge profiling decisions affecting legal or similarly significant outcomes[4][9].
• Enforcement approach: Like most state privacy laws, Minnesota relies on Attorney General enforcement rather than private lawsuits, with penalties up to $7,500 per violation[7][8].
• Nonprofit coverage: Minnesota will eventually regulate nonprofit organizations beginning July 31, 2029, making it one of the few states to include nonprofits under privacy law coverage[3].
• Documentation requirements: The explicit requirement for Chief Privacy Officers and formal data inventories represents stricter operational expectations than most other state privacy laws[9].

Action Steps for Residents

• Exercise your rights proactively: Contact businesses directly to request information about your data, request deletions, or opt out of data sales and targeted advertising using the specific rights outlined in the law[9][10].
• Use universal opt-out signals: Enable browser privacy settings and other universal opt-out mechanisms that businesses must recognize under the law[4][8].
• Challenge automated decisions: If you believe automated profiling has adversely affected your access to housing, employment, credit, education, or other services, exercise your right to contest these decisions and request explanations[4][9].
• Report violations: File complaints with the Minnesota Attorney General’s Office through PrivacyMN.com if businesses fail to respond to your requests or violate your privacy rights[10][5].
• Stay informed about implementation: Monitor enforcement activities and guidance from the Attorney General’s Office as the law’s implementation develops, particularly during the initial cure period through January 2026[5][8].
• Document your requests: Keep records of privacy rights requests you make to businesses, including dates and responses, to support potential complaints if companies fail to comply[10].

Official Resources and Contact Information

Minnesota Attorney General’s Office

The Attorney General has exclusive enforcement authority over the MCDPA and operates the PrivacyMN.com website for consumer education and complaint filing[5][11]. The office provides guidance on consumer rights and investigates violations of the privacy law.

Contact Information:
Office of Minnesota Attorney General Keith Ellison
445 Minnesota Street, Suite 600
St. Paul, MN 55101
Phone: (651) 296-3353 (Twin Cities area)
Phone: (800) 657-3787 (Outside Twin Cities)
TTY: (800) 627-3529 (Minnesota Relay)[12]

Privacy Complaint Filing: Consumers can report MCDPA violations through the online complaint form at the Attorney General’s Data Privacy section[10]. The office evaluates complaints and may contact businesses for responses, typically within 60 days[13].

Minnesota Legislature

Contact your state representatives to provide input on privacy legislation or suggest improvements to existing laws[14][15]. Representative Steve Elkins was the lead author of the MCDPA and continues to monitor its implementation[5].

Finding Your Legislators: Use the “Who Represents Me?” lookup tool through the Minnesota Legislature website to identify your specific House Representative and State Senator based on your address[15].

House of Representatives:
Minnesota House of Representatives
Centennial Office Building
658 Cedar Street
St. Paul, MN 55155-1298
Public Information Services: (651) 296-2146[15]

State Senate:
Minnesota State Senate
Minnesota Senate Building
95 University Avenue West
St. Paul, MN 55155-1606
Senate Information: (651) 296-0504
Email: senate.information@senate.mn
Toll-free: (888) 234-1112[16][15]

Legislative Contact Guidelines

When contacting legislators about privacy issues, include your name, postal address, and phone number in correspondence[14][15]. Email addresses follow the format rep.firstname.lastname@house.mn.gov for Representatives and sen.firstname.lastname@senate.mn for Senators[15]. Schedule appointments through individual legislator offices for in-person meetings about privacy concerns or legislative suggestions[14].

Sources and Citations

Last Updated August 2025. Written with contributions from both human authors and Perplexity AI. If you find incorrect or outdated information let us know at support@optery.com.