What is MCDPA?

The Minnesota Consumer Data Privacy Act (MCDPA) is a state law that grants Minnesota residents control over their personal data and requires businesses to implement privacy protections. It closely aligns with other state laws like Virginia’s VCDPA.2. When does MCDPA take effect?MCDPA was signed into law on May 24, 2024, and will go into effect on July 31, 2025 (with a grace period for compliance until January 31, 2026).

Who needs to comply with MCDPA?

The MCDPA applies to businesses that:
- Operate in Minnesota or target Minnesota residents (geographic scope), AND
- Meet at least one of the following two financial/data processing thresholds:

‍Threshold 1: Processing Data of 100,000+ Consumers.
‍‍Example:A national e-commerce company with 100,000+ unique Minnesota customers annually must comply, even if HQ is outside Minnesota.
‍Threshold 2: Revenue from Data Sales + 25,000+ Consumers
Example:A Minnesota-based ad-tech company earns 30% of revenue by selling user location data to advertisers and processes data of 30,000 Minnesota residents → Must comply.

graphic of a white magnifying glass against a blue background

Key requirements under MCDPA

1. Consumer Rights & Requests - Businesses must enable Minnesota residents to exercise the following rights: Right to Access; Right to Correct; Right to Delete; Right to Portability; Right to Opt Out
2. Privacy Notice & Transparency - Businesses must publish a clear, accessible privacy policy.
‍3. Data Security Obligations - Implement reasonable administrative, technical, and physical safeguards
‍4. Data Protection Assessments (DPAs)
‍‍5. Opt-Out Mechanisms - clear "Do Not Sell/Share My Data" link
‍6. Non-Discrimination - Businesses cannot charge higher prices or deny services to consumers who exercise rights.

How to Achieve MCDPA Compliance

1. Check if it applies to you: Do business in Minnesota or target MN residents? Handle data for 100,000+ MN consumers/year OR make 25%+ revenue selling data from 25,000+ consumers?
2. Know what consumers can ask you: Access, delete, or correct their data; Say no to data sales or targeted ads.
3. Update your privacy policy: Clearly explain what data you collect and why. Tell users how to opt out or delete their info.
4. Set up easy request methods: Offer at least two ways (e.g., email + webform) to submit requests. Reply within 45 days (90 if complex).
5. Add a "Do Not Sell" link: Place it on your website footer (like California’s CCPA).
6. Secure your data: Use encryption, strong passwords, and limit who can access info.
7. Sign contracts with vendors: Make sure partners (e.g., cloud providers) also protect data.
8. Train your team:Teach staff how to handle privacy requests.

graphic of a building in white against a blue background

white sheet of paper graphic against a blue background with shield in front of it

Penalties for Non-Compliance

- Fines: Up to $7,500 per violation (enforced by Minnesota AG).
- No private lawsuits: Only the AG can enforce.
- 30-day cure period: Expires July 31, 2026 (after which violations may incur immediate fines).

Get the UCPA checklist for Free

Improve the effectiveness of your compliance strategy now.

Download checklist

graphic of a white notepad page against a black background

Frequently Asked Questions

What rights does MCDPA give consumers?

The MCDPA gives Minnesota residents these key rights over their personal data:
✅ Right to Know - Confirm if a business is collecting/using their data. Get a copy of their personal data.
✅ Right to Correct - Fix inaccurate or outdated personal info (e.g., wrong address).
✅ Right to Delete - Ask a business to delete their data (with some exceptions, like fraud prevention).
✅ Right to Opt Out - Say no to: Sale of their data; Targeted ads (based on their activity); Profiling (automated decisions affecting things like loans/jobs).
✅ Right to Portability - Get their data in a format they can easily move to another service.

Who is exempt from MCDPA?

The MCDPA does not apply to:
‍1. Certain Organizations - Government agencies (state/local); Nonprofits; Higher education institutions (colleges/universities)
‍2. Regulated Industries - Healthcare providers & data already covered by HIPAA; Banks & financial institutions under GLBA; Credit reporting agencies (governed by FCRA); Schools handling data under FERPA (student records)
‍3. Specific Data Types - Employment data (e.g., job applicant/resume info); B2B data (e.g., business contact details for corporate transactions); Publicly available info (e.g., from government records)

What steps should businesses take to comply?

The MCDPA covers businesses that either:
- Process personal data of 100,000+ Minnesota consumers annually, OR
- Earn 25%+ of revenue from selling data of 25,000+ consumers

If covered, take these key actions:
- Build Your Compliance Foundation
Start by: Creating a data inventory (what you collect, where it's stored)Reviewing vendor contracts to ensure they meet MCDPA standardsAppointing a team member to oversee privacy compliance
- Update Consumer Rights Processes
Minnesota residents can request to access, correct, delete, or opt-out of data sales. Provide at least two request methods (e.g., webform + phone); Respond within 45 days (90 for complex requests); Add a clear "Do Not Sell My Data" link on your website
- Revamp Your Privacy Policy
Your updated policy should explain in plain language: What data you collect and why; How consumers can exercise their rights; Whether you sell data or use it for targeted ads
- Security and Documentation Essentials
Implement reasonable security measures (encryption, access controls); Conduct annual risk assessments, especially for sensitive data; Train staff on handling requests and spotting breaches; Maintain records of all consumer requests and your responses
‍
Shopify merchants can streamline compliance by leveraging tools like Consentmo, which offers automated solutions for managing cookie consent, generating privacy notices, and processing data subject requests.

Mariya Petrova

Jan 7, 2025

8 mins

Dilyana Simeonova

Jan 5, 2024

7 mins