In May 2024, Minnesota became the 19th State to enact a consumer data privacy statute, the Minnesota Consumer Data Privacy Act (“MCDPA”). For most businesses, the MCDPA will become effective at the end of July 2025. The mandates and obligations imposed by the MCDPA on covered businesses are numerous, so we will split this article into two parts. In this Part One, the Consumer Data Protection Attorneys at Revision Legal discuss the portion of the MCDPA mandates related to consumers.
Like most of these State-level consumer data protection statutes, the focus is on data “controllers” and “processors” along with various “rights” given to consumers with respect to how their data is collected, processed, shared, and stored. The MCDPA applies in a manner that is similar to other statutes of this kind. That is, the Act applies to persons and entities that conduct business in Minnesota or that target Minnesota residents and that meet either of the following:
- Controls or processes data of 100,000 Minnesota consumers (except where processing is only for completing a payment transaction and the consumer data is not retained) OR
- Derives more than 25% of gross revenue from the sale of personal data AND processes or controls the personal data of at least 25,000 Minnesota consumers
As with all of these statutes, certain types of businesses, such as banks, many health-related entities, governments, etc., are excluded. The MCDPA also partially exempts small businesses (as defined by the U.S. Small Business Administration). However, these small businesses are not entirely exempt; for example, they must still obtain consumer consent before selling consumer “sensitive data.” Also notable is the lack of exemption for non-profit entities and the explicit inclusion of “technology providers” for colleges, universities, and other higher education entities. This is something new in the MCDPA and is only vaguely defined.
These statutes also typically exclude various categories of data from coverage, and the usual exclusions are found in the MCDPA. As in most of these statutes, personal data collected from consumers is covered by the MCDPA, but not where the consumer is acting in a commercial or employment capacity.
In terms of consumer-facing mandates, the MCDPA requires that controllers of data provide notices and disclosures to consumers, obtain consent from consumers for certain types of processing, and honor certain consumer rights granted by the Act. Some of these rights allow consumers to make requests of data controllers (such as a request to know what data has been collected about a consumer). The MCDPA mandates that businesses respond quickly to these requests (45 days) and create and maintain a process for consumers to appeal the denial of any request.
The list of consumer rights included in the MCDPA is typical of these statutes. However, the MCDPA has added another set of consumer rights when profiling is used in automated decision-making. Examples might include a consumer request for credit or insurance. When this type of process is used, the MCDPA gives consumers several additional rights:
- To request information about the decision-making process
- To be informed why the automated decision-making process using profiling resulted in the decision that was made
- To be informed of any actions or behaviors that the consumer might have taken or might take in the future to obtain a different result
- To obtain a reevaluation of the decision if the consumer accesses and corrects incorrect data
This set of consumer rights and mandates on data controllers is not present in any similar statute. Businesses that use an automated decision-making process using profiling must provide a mechanism for a consumer to activate these rights.
In Part Two of this article, we will examine other compliance obligations imposed by the MCDPA.
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
Consumer Rights: The Access, Correction, Deletion, and Portability Framework
The consumer rights framework in the MCDPA represents the most visible set of obligations for businesses. Covered controllers must establish processes for receiving and responding to consumer requests to exercise each of the following rights:
- Right to access. A consumer may request confirmation of whether a controller is processing their personal data and, if so, access to that data. The controller must respond within 45 days, with a 45-day extension permitted where reasonably necessary. The response must be provided in a portable format where technically feasible.
- Right to correct. A consumer may request that a controller correct inaccurate personal data held about them. Controllers must take reasonable steps to correct the data in light of the nature of the data and the purposes for which it is processed.
- Right to delete. A consumer may request that a controller delete personal data the controller holds about them, including data provided by the consumer and data obtained from other sources. Controllers must delete the data unless retention is necessary for a permitted purpose under the statute — completing a transaction, complying with legal obligations, exercising free speech, or other specified purposes.
- Right to portability. A consumer may request a copy of the personal data they provided to a controller in a portable, technically feasible format that allows the consumer to transmit that data to another controller.
- Right to opt out. A consumer may opt out of the processing of their personal data for targeted advertising, the sale of their personal data, and profiling used for decisions with legal or similarly significant effects.
Preparing an MCDPA-Compliant Privacy Notice
The MCDPA requires that controllers provide consumers with a clear and accessible privacy notice before or at the time of data collection. The notice must disclose:
- The categories of personal data collected and processed
- The purposes for which personal data is processed
- How consumers may exercise their rights, including the categories of third parties with whom personal data is shared
- The categories of personal data shared with third parties and the categories of those third parties
- An active email address or other online mechanism consumers can use to submit rights requests
One of the MCDPA’s most notable requirements — unique among state privacy statutes at the time of enactment — is the obligation to notify consumers and offer new opt-out choices when a controller makes material changes to its privacy practices. This is not merely an obligation to update the published privacy policy: it is an obligation to affirmatively communicate changes to impacted consumers and provide them with a renewed opportunity to opt out. This ongoing disclosure obligation requires businesses to build notification workflows into their privacy governance processes.
Processor Obligations: The Controller-Processor Relationship
The MCDPA draws a clear distinction between data controllers — entities that determine the purposes and means of processing personal data — and data processors — entities that process personal data on behalf of and under the instruction of controllers. This distinction determines the compliance obligations that apply to each party.
Processors must adhere to the controller’s instructions and assist the controller in meeting its MCDPA obligations. Controllers must verify that the processors they engage provide sufficient guarantees through their data processing agreements. The DPA between controller and processor must address: the nature, purpose, and duration of processing; the types of personal data and categories of consumers involved; the rights and obligations of both parties; and the processor’s obligations to assist the controller with consumer rights requests, security breach response, and data impact assessments.
Processors may only engage subprocessors with the prior authorization of the controller, and must bind subprocessors to equivalent data protection obligations. Businesses that operate as processors — SaaS vendors, marketing platforms, analytics providers — need to update their standard customer agreements to include compliant DPA language and to ensure their subprocessor management practices align with controller requirements.
Building a Consumer Rights Request Response Program
The operational reality of MCDPA compliance is that businesses must build a functioning program for receiving, authenticating, tracking, and responding to consumer rights requests. Key elements of this program include:
- Request intake mechanisms. The MCDPA requires at least two methods for submitting requests: an online mechanism and an email address. Larger businesses with significant Minnesota consumer bases may need a dedicated privacy request portal.
- Identity verification. Controllers must verify that requests are submitted by the consumer whose data is at issue — or by an authorized agent. Verification procedures must be reasonably reliable without being unnecessarily burdensome to consumers. Controllers cannot require consumers to provide more information than is reasonably necessary to verify identity.
- Response tracking and documentation. Every request must be tracked from receipt through final response. Documentation of responses — including the basis for any denial — is essential for demonstrating compliance during an AG investigation.
- Appeal processes. When a request is denied, the controller must provide an internal appeal mechanism. This requires a designated reviewer, a defined process, and a documented response within the statutory 60-day window.
Contact the Data Privacy Attorneys at Revision Legal
MCDPA compliance is a multi-faceted operational challenge — not just a legal drafting exercise. The Data Privacy Attorneys at Revision Legal help businesses assess their compliance gaps, build consumer rights request programs, update privacy notices, and execute data processing agreements with vendors. Contact us through the form on this page or call (855) 473-8474.