In May 2024, Minnesota enacted a consumer data privacy statute called the Minnesota Consumer Data Privacy Act (“MCDPA”). About 20 States have enacted consumer data privacy statutes similar to the MCDPA, and the MCDPA follows the general template of those statutes. However, there are some unique and additional features of the MCDPA that are very “pro-consumer.” In this article, the Consumer Data Protection Attorneys at Revision Legal provide a summary of the MCDPA relevant to consumers.

Like similar statutes, the MCDPA attempts to protect consumer data privacy through a notice/consent and business mandates framework. Under the MCDPA, consumers are given various rights related to how their personal data is collected, processed, shared, stored, and deleted. Note that, like many other similar statutes, the MCDPA only protects consumer data when a person is acting as a consumer but not when a person is acting in a business or employment capacity. The MCDPA includes these standard rights for consumers:

• Right to notice and to give consent — consumers have a right to receive a privacy notice from controllers of data and to give consent for such things as processing “sensitive data,” having data used for targeting advertising, etc.
• Expanded right to new disclosures and consent options when policies are changed — the MCDPA adds an expanded right that new disclosures (and consent options) must be sent to impacted consumers when a business makes material changes in its privacy policies; consumers have the right to the new disclosure statements and to be given new opt-out and consent options
• Right to know — consumers have the right to know if a business is collecting and processing their personal and sensitive data
• Right to access — this is the right to have access to the data collected and stored by a business
• Right to portability — this is the right to have a copy of the data collected and stored where the copy is in such a form as can be provided/downloaded/imported to another business
• Right to know with whom data is shared — this is the right to know with whom personal data is being shared
• Expanded right to know specifics — the MCDPA adds an expanded right that allows consumers to know specifically with whom their data is shared (if possible); that is, controllers must specifically identify a company or person with whom consumer data is shared (if possible)
• Right to correct — this is the right to correct inaccurate data held by a controller
• Right to opt-out — under the MCDPA, the opt-out right relates to opting out of having their data used for targeted advertising, the sale of data, and use of personal data for profiling for purposes of automated decision-making that results in legal or significant effects
• Right to speedy action — this is the right to have, upon request, a business act quickly (within 45 days) after receiving a consumer’s request
• Right to appeal non-action or negative action — this is the right to have a mechanism, internal to the business, to appeal a non-action or negative action made by the business after a consumer’s request
• Right to UOOMS — this is a consumer’s right to use a universal opt-out mechanism (“UOOMs”), like a browser or other setting/device, to apply their opt-out choices to each website visited; the MCDPA requires businesses to honor such UOOMs
• Children’s right to no processing — the MCDPA prohibits businesses from processing any personal data of a “known child” (under the age of 16) for certain types of processing (like for targeted advertising)
• Parent’s right to consent — the MCDPA grants parents the right to consent, on behalf of their children, for other types of data processing

As noted, as of now, the above is the basic and standard set of consumer rights granted by most of these consumer data protection statutes. However, as noted, the MCDPA has added another set of consumer rights for circumstances where profiling is used in automated decision-making. These new consumer rights are unique — for now — to the MCDPA. When profiling is used in automated decision-making processes, the MCDPA gives consumers the following additional rights:

• Right to know about the decision-making process — that is, the right to know what data was profiled and how it was used in the automated process
• Right to know why — that is, the right to know why (or what factors led to) the decision that was made using profiling in an automated decision-making process
• Right to know what could be changed to obtain a different result — that is, where possible, consumers have a right to be informed of actions or behaviors that the consumer might have taken or might take in the future to obtain a different result
• Right to reevaluation — that is, consumers have a right, under some circumstances, to a reevaluation of the decision made using profiling with an automated decision-making process

As noted, these additional rights are unique to the MCDPA. Businesses must provide a mechanism for consumers to activate these rights.

If consumers think that their rights under the MCDPA have been violated, complaints can be made with the Office of the Minnesota Attorney General who is tasked with enforcing the law. Businesses that violate the MCDPA can be fined $7,500 per violation and, depending on the facts, can face punishments under the Minnesota anti-discrimination laws.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

How to Exercise Your MCDPA Consumer Rights

Knowing that rights exist under the MCDPA is only half the equation. Consumers must understand how to actually exercise those rights. Under the MCDPA, controllers must provide consumers with one or more secure and reliable means of submitting requests to exercise their rights. These mechanisms must be reasonably accessible and must not require consumers to create new accounts — though a controller may require a consumer to use an existing account if one has already been created.

When a consumer submits a request, the controller has 45 days to respond, with a single 45-day extension permitted if reasonably necessary. If the controller declines to take action on a request, the controller must notify the consumer within 45 days and explain the reason for the refusal. The controller must also provide information about how the consumer can appeal the decision.

The appeal process is one of the MCDPA’s important consumer protections: if a controller denies a request, the consumer must be given a meaningful opportunity to challenge that decision through an internal appeal process. The controller must respond to the appeal within 60 days and must inform the consumer of the outcome in writing. If the appeal is denied, the controller must provide instructions for the consumer to contact the Minnesota Attorney General to submit a complaint.

What Is “Sensitive Data” and Why It Matters for Consumers

The MCDPA gives heightened protection to “sensitive data” — a defined category of personal data that carries greater risk of harm if improperly collected, processed, or disclosed. Under the MCDPA, sensitive data includes:

• Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, or citizenship or immigration status
• Genetic or biometric data processed for the purpose of identifying a natural person
• Personal data collected from a known child
• Precise geolocation data (defined as location data that can identify a person’s location within a radius of 1,750 feet)

Controllers must obtain a consumer’s explicit consent before collecting or processing sensitive data. This opt-in requirement is a higher standard than the opt-out framework used for other categories of personal data. Consumers can revoke consent at any time, and controllers must honor that revocation within 15 days.

Importantly, the MCDPA contains a unique protection for consumers regarding sensitive data disclosures: when a consumer requests to know what data a controller has collected about them, the controller is prohibited from disclosing the actual sensitive data itself. Instead, the controller must simply confirm that it holds that category of sensitive data. This provision protects consumers from inadvertently exposing sensitive information through their own access requests.

Targeted Advertising: Your Opt-Out Rights

One of the most broadly applicable MCDPA rights for consumers is the right to opt out of having their personal data used for targeted advertising. “Targeted advertising” under the MCDPA means displaying advertisements to a consumer that are selected based on personal data obtained from the consumer’s activities across contexts — meaning across different websites, applications, or online services — not just advertising based on the consumer’s activity on a single controller’s own platform.

The opt-out right extends to the sale of personal data and to profiling for certain decisions with legal or similarly significant effects. Notably, the MCDPA requires that controllers honor opt-out preferences communicated through universal opt-out mechanisms — browser settings or other technical signals that communicate a consumer’s preference not to have their data sold or used for targeted advertising. This means consumers do not necessarily need to visit every website individually to exercise opt-out rights; a properly configured browser signal can automatically communicate opt-out preferences to covered controllers.

MCDPA and Children’s Data: What Parents Should Know

The MCDPA treats all personal data collected from known children as sensitive data, requiring opt-in consent — not merely opt-out — for collection and processing. For targeted advertising purposes, the MCDPA expressly prohibits controllers from processing the personal data of a known child for targeted advertising without parental consent.

These protections operate alongside the federal Children’s Online Privacy Protection Act (COPPA), which imposes separate requirements on operators of websites and online services directed to children under 13. Businesses operating online platforms that may attract or specifically target minors must comply with both COPPA and the MCDPA’s heightened protections for children’s data, and should ensure that parental consent mechanisms are built into their data collection workflows.

Filing a Complaint with the Minnesota Attorney General

The MCDPA is enforced by the Minnesota Attorney General. Consumers who believe a controller has violated the MCDPA can file a complaint with the AG’s office after exhausting any available appeal process with the controller. The AG has authority to investigate complaints, demand production of data protection assessments, and bring civil enforcement actions seeking injunctive relief and civil penalties up to $7,500 per violation.

While the MCDPA does not provide a private right of action — meaning individual consumers cannot sue companies directly under the statute — the AG’s enforcement authority provides a meaningful mechanism for consumer redress. Consumers can also pursue claims under Minnesota’s consumer fraud statutes for violations that constitute deceptive trade practices.

Contact the Data Privacy Attorneys at Revision Legal

Whether you are a consumer seeking to understand your rights under the MCDPA or a business working to ensure compliance with Minnesota’s data privacy requirements, the Data Privacy Attorneys at Revision Legal can help. Contact us through the form on this page or call (855) 473-8474.