Minnesota adopts Consumer Data Privacy Act

Pandectes GDPR Compliance app for Shopify stores - Minnesota adopts Consumer Data Privacy Act - cover

Table of Contents


The Minnesota Consumer Data Privacy Act (MCDPA) represents a significant milestone in the state’s effort to protect consumer privacy. This legislation aims to safeguard personal data, addressing the growing concerns about data privacy and security in an increasingly digital world. The MCDPA applies to legal entities that conduct business in Minnesota or produce products or services targeted to residents of Minnesota. By setting stringent requirements for businesses that process personal data, the MCDPA aligns Minnesota with other states that have passed comprehensive privacy legislation. This act is a crucial step towards protecting consumer privacy rights and promoting responsible data handling practices within the state, particularly regarding the consumer’s personal data.

Importance of personal data protection

Personal data encompasses any information that can identify an individual, such as names, addresses, and social security numbers. Protecting this data is crucial in preventing identity theft, fraud, and other malicious activities. The MCDPA ensures that businesses handling personal data implement strict security measures and maintain reasonable administrative practices to protect this sensitive information. Individuals and organizations need to be aware of the potential risks associated with the mishandling of personal data. By understanding the significance of safeguarding personal information, we can collectively work towards creating a safer and more secure online environment for everyone.

Key provisions of the Minnesota Consumer Data Privacy Act

The Minnesota Consumer Data Privacy Act (MCDPA) introduces comprehensive data privacy regulations to protect consumer personal data. Here are the key provisions:

  1. Scope and applicability: The MCDPA applies to data “controllers” and “processors” that collect and process personal data of Minnesota residents, irrespective of where the business is located. It broadly defines “personal data” as any information that identifies or can be linked to an individual.

  2. Consumer rights: The Act provides several rights to consumers, including the right to access, correct, delete, and port their data. Consumers can also opt-out of processing their data for targeted advertising and the sale of personal data.

  3. Controller and processor obligations: Controllers must provide clear privacy notices detailing their data collection practices and purposes. They are also required to conduct regular data protection assessments to mitigate risks. Processors must adhere to controllers’ instructions and ensure data protection throughout the processing activities.

  4. Data security: The MCDPA mandates implementing reasonable administrative, technical, and physical data security practices to protect personal data from unauthorized access, destruction, use, modification, or disclosure.

  5. Enforcement: The Minnesota Attorney General is responsible for enforcing the Act. Businesses found in violation may face significant fines and other penalties. The enforcement provisions aim to ensure compliance and effectively protect consumer rights.

Processing personal data under the MCDPA

Processing personal data involves any operation performed on data, such as collection, storage, and sharing. The MCDPA mandates that businesses that process personal data adhere to obligations and requirements imposed on controllers and processors, including maintaining a comprehensive privacy notice, providing opt-out mechanisms, documenting policies and procedures, conducting data protection impact assessments, and entering into binding contracts for data processing. This means collecting only the data necessary for the intended purpose and retaining it for no longer than required.

Pandectes GDPR Compliance app for Shopify stores - Minnesota adopts Consumer Data Privacy Act - digital law

Consumer rights under the MCDPA

The Minnesota Consumer Data Privacy Act (MCDPA), enacted on May 24, 2024, grants Minnesota residents a suite of rights concerning their personal data. Here are the key rights provided to consumers under this comprehensive privacy law:

  1. Right to access: Consumers have the right to access their personal data held by businesses. This includes obtaining information about the data collected, the purposes for which it is processed, and any third parties with whom the data is shared. Additionally, consumers have the right to know if their sensitive data, such as Social Security numbers or biometric data, has been disclosed to specific third parties.

  2. Right to correct: Consumers can request the correction of inaccurate personal data. Businesses are obligated to rectify any errors in the data they hold upon receiving a consumer’s request.

  3. Right to delete: Consumers can request the deletion of their personal data. Businesses must comply with such requests unless the data is required for specific legal or operational purposes.

  4. Right to data portability: Consumers have the right to obtain a copy of their personal data in a portable and commonly used format, facilitating the transfer of data between services.

  5. Right to opt-out: Consumers can opt-out of processing their personal data for purposes such as targeted advertising, sale of personal data, or profiling in furtherance of automated decisions. Businesses must provide clear mechanisms for consumers to exercise this right.

  6. Right to receive notice: Businesses must provide consumers with meaningful privacy notices that detail their data collection and processing practices. These notices must be transparent and easily accessible.

These rights are designed to give Minnesota residents more control over their personal data and to ensure that businesses handle data responsibly and transparently. Enforcement of these rights will begin on July 31, 2025.

Physical data security practices

In addition to digital security measures, the MCDPA emphasizes the importance of physical data security practices. Businesses must secure physical locations where personal data is stored, using locked cabinets, access controls, surveillance systems, and alarm systems to prevent unauthorized access. Restricting access to sensitive areas and implementing visitor management protocols is crucial. Additionally, organizations should consider implementing secure destruction procedures for physical records that are no longer needed to ensure that sensitive information cannot be retrieved from discarded materials. Regular security assessments and audits of physical security measures should also be conducted to identify and address any vulnerabilities or gaps in the security infrastructure.

Data protection assessments

The MCDPA requires businesses to conduct thorough data protection assessments to evaluate the risks associated with various data processing activities systematically. These assessments are crucial in identifying potential vulnerabilities and ensuring that appropriate safeguards are in place to protect consumer data from unauthorized access, misuse, and other potential threats. By conducting these assessments, businesses can gain valuable insights into their data processing practices, address any possible security gaps, and ultimately enhance consumer data protection in compliance with the MCDPA.

Businesses and legal entities that process personal data are obligated to adhere to the regulations outlined in the MCDPA. Controllers are required to allow consumers to opt-out of processing their personal data using universal opt-out mechanisms (UOOMs) as mandated by the Minnesota Act. These obligations encompass implementing a wide range of data security practices, such as encryption and access controls and regularly reviewing and updating these measures to ensure ongoing effectiveness. Furthermore, organizations must maintain a detailed inventory of the personal data they handle, including information about its processing activities and any third-party data sharing. In addition, they must appoint a chief privacy officer responsible for overseeing and managing the organization’s compliance efforts with the MCDPA, including conducting regular audits and assessments to ensure the proper handling of personal data.

Pandectes GDPR Compliance app for Shopify stores - Minnesota adopts Consumer Data Privacy Act - design

Handling sensitive data

Sensitive data, such as health information and biometric data, falls under the purview of the MCDPA. This comprehensive legislation mandates additional safeguards for the processing of sensitive data. Under the MCDPA’s provisions, businesses must obtain explicit consent from consumers before processing any form of sensitive data. This means that individuals must be fully informed and give explicit approval before any sensitive data can be utilized.

Furthermore, the MCDPA stipulates that businesses must handle sensitive data with the utmost care and security. This involves implementing robust security measures to ensure the confidentiality and integrity of the data. Additionally, businesses must provide clear and transparent information to consumers about how their sensitive data will be used and processed.

The MCDPA’s specific requirements for handling sensitive data are designed to empower consumers and protect their privacy rights. By requiring explicit consent and imposing strict security measures, the legislation ensures that sensitive data is used responsibly and with the utmost respect for individuals’ privacy.

Data portability and data minimization

The Minnesota Consumer Data Privacy Act (MCDPA) is designed to protect consumer data by providing individuals with the right to data portability. This means that consumers can transfer their personal data from one service provider to another. The act also includes data minimization principles, which mandate that businesses restrict the collection and storage of personal data to only what is essential for their operations. This ensures that businesses do not retain more data than necessary, thereby enhancing consumer privacy and data security.

Compliance and enforcement

The Minnesota Attorney General plays a crucial role in enforcing the Minnesota Consumer Data Privacy Act (MCDPA), which aims to safeguard the privacy of consumers. The MCDPA contains provisions that exempt certain data already regulated by federal laws, such as the Fair Credit Reporting Act, from its scope. It is important for businesses to comply with the MCDPA to avoid facing significant penalties. This highlights the crucial need for businesses to ensure strict adherence to these new regulations in order to protect consumer data privacy.

Impact on small businesses

The MCDPA is designed to safeguard consumer privacy while also taking into account the potential impact on small businesses. One notable aspect of the MCDPA is that it provides exemptions for certain types of data that are already governed by federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA). These exemptions are intended to assist small businesses in meeting the new requirements without encountering excessive challenges. Additionally, the legislation includes specific provisions aimed at supporting small businesses in their efforts to adhere to the regulations without experiencing unreasonable hardships.

Pandectes GDPR Compliance app for Shopify stores - Minnesota adopts Consumer Data Privacy Act - law

Comparison with other state privacy laws

The Minnesota Consumer Data Privacy Act (MCDPA) is a significant addition to the landscape of state-level privacy laws in the United States. Here is a comparison of the MCDPA with other notable state privacy laws, including the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA).

Scope and applicability

  • MCDPA: Businesses that control or process the personal data of 100,000 or more Minnesota residents or derive over 50% of their gross revenue from selling the personal data of 25,000 or more consumers are affected.

  • CCPA: Applies to businesses with gross revenues over $25 million, buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices, or derive 50% or more of their annual revenues from selling consumers’ personal information.

  • VCDPA: This regulation applies to businesses that control or process the personal data of at least 100,000 consumers or derive over 50% of their gross revenue from selling personal data and control or process the data of at least 25,000 consumers.

Consumer rights

  • MCDPA: Grants rights to access, correct, delete, and port personal data. It also allows consumers to opt-out of the processing of personal data for purposes such as targeted advertising and profiling.

  • CCPA: Provides rights to access, delete, and opt-out of the sale of personal information, as well as the right to non-discrimination for exercising these rights.

  • VCDPA: Offers rights to access, correct, delete, and port personal data, similar to MCDPA, and includes the right to opt-out of data processing for targeted advertising, sale of personal data, and profiling.

Data controller obligations

  • MCDPA: Requires data controllers to provide a “reasonably accessible, clear, and meaningful” privacy notice, maintain a data inventory, and limit data collection to what is necessary.

  • CCPA: This law mandates clear privacy notices, implements reasonable security measures, and includes specific disclosure requirements related to the sale of personal information.

  • VCDPA: Requires clear and meaningful privacy notices, data protection assessments, and the limitation of data collection to what is necessary.

Enforcement and penalties

  • MCDPA: Enforcement is handled by the Minnesota Attorney General, with penalties including injunctions and civil penalties.

  • CCPA: Enforcement by the California Attorney General, with civil penalties for violations and a private right of action for certain data breaches.

  • VCDPA: Enforced by the Virginia Attorney General, with civil penalties and no private right of action.

Unique provisions

  • MCDPA: Emphasizes maintaining a data inventory and requires detailed documentation of data processing activities, which is a step further than the CCPA and VCDPA.

  • CCPA: Introduces the concept of “Do Not Sell My Personal Information,” a specific opt-out mechanism for the sale of personal data.

  • VCDPA: Requires data protection assessments for activities such as processing sensitive data and children’s personal data.

Overall, while the MCDPA aligns closely with other state privacy laws, its specific requirements for data inventory and detailed documentation set it apart, ensuring robust protection for Minnesota residents’ personal data.


In summary, the Minnesota Consumer Data Privacy Act (MCDPA) exemplifies a comprehensive and forward-thinking strategy for shielding consumer data in an era dominated by digital interactions. By imposing rigorous data protection protocols and empowering consumers with greater control over their personal information, the MCDPA establishes a novel benchmark for privacy legislation, paving the way for enhanced data security and consumer empowerment.

The MCDPA achieves this through a range of provisions that offer significant protections for individuals’ privacy rights. For instance, the act outlines precise requirements for businesses to obtain explicit consumer consent before collecting, processing, or sharing their data. Moreover, it mandates that businesses provide consumers with the ability to access, correct, delete, and transfer their personal information, thus giving individuals unprecedented control over their data. By enacting these measures, the MCDPA not only sets a high standard for data protection but also positions Minnesota as a leader in safeguarding consumer privacy within the digital economy.

The act’s comprehensive approach reflects a deep understanding of the evolving challenges posed by data privacy in the modern world. Its proactive stance could serve as a model for other states and jurisdictions seeking to address similar concerns. Overall, the MCDPA is a commendable and progressive step toward ensuring individuals’ personal information is handled responsibly and ethically in an increasingly data-driven society.

Make your Shopify Store GDPR/CCPA compliant today
Pandectes GDPR Compliance App for Shopify
Subscribe to learn more

You Might Also Like

Scroll to Top