
Minnesota Data Privacy Law: Unique and Uncommon Features

by John DiGiacomo

Partner

Internet Law

In May 2024, Minnesota became the 19th State to enact a consumer data privacy statute, the Minnesota Consumer Data Privacy Act (“MCDPA”). For most “covered entities,” the MCDPA will become effective at the end of July 2025. In this article, the Consumer Data Protection Attorneys at Revision Legal offer a brief list of some of the uncommon and unique features of the MCDPA.

These State-level consumer data privacy and protection statutes are very similar. They all apply a notice-disclosure-consent framework for the collection, processing, and sale of consumer data, along with various mandates and imposed obligations on data controllers and processors. However, each statute has some unique features. With respect to the MCDPA, some of the unique features include:

  • “Covered entities” include non-profit organizations — most of these statutes exempt non-profit entities
  • Starting in 2029, “covered entities” will also include “technology providers” for “postsecondary institutions regulated by the [MN] Office of Higher Education…” — this is unique to the MCDPA
  • Data that is publicly available is explicitly exempt from coverage — the explicit exemption is rare
  • “Covered entities” does not include “small businesses” as defined by the U.S. Small Business Administration — only two other States have this provision; however, even small businesses must still obtain consumer consent before selling “sensitive data”
  • Controllers are expressly prohibited from processing the “personal data” of a “known child” for purposes of targeted advertising without parental consent — this is rare but becoming more common
  • When a consumer asks for information about any third parties with which a controller has disclosed that specific consumer’s personal data, the MCDPA requires disclosure of the specific third parties with which the data has been or is shared — only Oregon’s statute shares this requirement of specificity
  • When a consumer asks to know what data has been collected/processed with respect to them, controllers are prohibited from disclosing the actual sensitive information — like Social Security numbers; controllers must simply inform the consumer that it has collected that particular sensitive data — this is unique to the MCDPA
  • Controllers must honor any universal mechanism, device, or setting for a consumer’s opt-out choices — this was rarely included in these statutes a couple of years ago but is becoming a standard provision
  • Controllers must allow consumers to opt out of automated decision-making involving profiling — only two States mandate this
  • Further, controllers must allow consumers the right to question the result of any automated decision-making process involving profiling, to be told why the decision was made, and to be told what actions the consumer might take to avoid a similar decision in the future — this is unique to the MCDPA
  • Consumers have the right to have any automatic decision-making involving profiling reevaluated if and when a consumer accesses and corrects their personal data — this is unique
  • When a controller makes “material changes” to their privacy practices, consumers affected thereby must receive an updated disclosure notice, AND consumers must be offered the opportunity to withdraw any previously given consent — this is unique
  • A controller’s privacy notice must include a description of policies and procedures implemented to comply with the MCDPA, including such matters as the name and contact information of the person with primary responsibility for such policies, procedures, and implementation — this is unique
  • The privacy notice must also include a description of data retention policies and the date the notice was last updated — this is rare
  • The MCDPA requires controllers to maintain a “data inventory” as part of their cybersecurity protocols (also known as “data mapping”) — this is unique

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

Comparing the MCDPA to Other State Privacy Statutes

Understanding what makes the MCDPA distinctive requires situating it within the broader landscape of state consumer data privacy law. As of 2025, more than 20 states have enacted comprehensive consumer data privacy statutes. The majority follow a template derived from Virginia’s Consumer Data Protection Act (CDPA), enacted in 2021. The “Virginia model” statutes share core features: they apply to businesses above specified data processing thresholds, they grant consumers rights to access, correct, delete, and port their data, they impose opt-out rights for targeted advertising and data sales, and they are enforced exclusively by state attorneys general without a private right of action.

California’s CCPA/CPRA follows a somewhat different — and generally stronger — model that includes a limited private right of action for data breaches and, through CPRA amendments, a dedicated enforcement agency (the California Privacy Protection Agency). The MCDPA does not adopt California’s private right of action, but it does incorporate several features that go beyond the standard Virginia model.

The Non-Profit Inclusion: A Significant Departure from Other State Laws

Most state consumer data privacy statutes exempt non-profit organizations from coverage. The MCDPA does not. Minnesota non-profits — charities, foundations, advocacy organizations, trade associations, and other entities organized and operated as non-profits — are “covered entities” under the MCDPA if they meet the applicable data processing thresholds.

This inclusion has significant practical implications. Non-profit organizations that collect and process the personal data of Minnesota residents must comply with the MCDPA’s disclosure requirements, honor consumer rights requests, execute data processing agreements with vendors, conduct data impact assessments for high-risk processing, and implement documented cybersecurity protocols. Non-profits that have operated under the assumption that data privacy laws do not apply to them need to revisit that assumption for operations involving Minnesota residents.

The Small Business Exemption: Limited but Real

The MCDPA’s partial small business exemption — covering entities defined as “small businesses” by the U.S. Small Business Administration — is one of only a handful of such provisions in state privacy law. The SBA’s small business size standards vary by industry (defined by NAICS code) and are based on either annual receipts or number of employees depending on the industry. Businesses that qualify as SBA small businesses are not subject to most MCDPA requirements.

However, the exemption is not complete. Even small businesses must obtain consumer consent before selling “sensitive data.” This carve-out reflects the legislature’s judgment that the potential harm from selling sensitive categories of data — health information, biometric data, precise geolocation — is severe enough to warrant minimum protections even for the smallest covered entities. Small businesses that sell or monetize data should review their data practices to determine whether they are selling sensitive data in ways that require consumer consent.

The Specificity Requirement for Third-Party Disclosures

The MCDPA and Oregon’s privacy statute are the only state laws that require controllers to specifically identify — not just categorize — the third parties with whom a consumer’s personal data has been shared, when a consumer makes a request to know about data disclosures. This specificity requirement is demanding from a compliance standpoint. Controllers must maintain sufficiently detailed records of their data sharing practices to respond to these requests with the names of specific companies, not just generic categories like “advertising partners” or “analytics providers.”

The practical implication is that MCDPA-compliant data mapping must track not just categories of data shared and purposes of sharing, but the identities of specific recipients. Controllers that share data with large numbers of third-party partners — as is common in the digital advertising ecosystem — face a significant operational challenge in building and maintaining the records necessary to respond to these requests.

Universal Opt-Out Mechanisms: What Businesses Must Honor

The MCDPA requires that controllers honor universal opt-out mechanisms — technical signals or browser settings that communicate a consumer’s preference to opt out of the sale of their personal data or the use of their data for targeted advertising. Global Privacy Control (GPC), a browser-based signal that transmits opt-out preferences automatically, is the most widely used universal opt-out mechanism.

Technically, honoring GPC and similar signals requires website operators to implement detection and response mechanisms that recognize the signal and suppress data collection and sharing for targeted advertising purposes when the signal is present. This is not purely a legal compliance issue — it requires technical implementation by developers and regular testing to ensure the mechanism is functioning correctly. Businesses with significant web traffic from Minnesota should verify that their websites are correctly detecting and honoring universal opt-out signals.
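One way to implement the detection, response, and testing steps described above on the server side, as an added example that is not Revision Legal's code. It assumes the `Sec-GPC: 1` request header defined by the Global Privacy Control specification; the tag names and purpose labels are constructed for illustration.

```javascript
// Added example: server-side handling of the Global Privacy Control signal.
// Tag names and purpose labels below are constructed for illustration.

// GPC arrives as the request header "Sec-GPC: 1"; any other value is not a signal.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== 'sec-gpc') continue;
    const v = Array.isArray(value) ? value[0] : value;
    return String(v).trim() === '1';
  }
  return false;
}

// Purposes the opt-out covers, per the passage: sale and targeted advertising.
const OPT_OUT_PURPOSES = new Set(['sale', 'targeted_advertising']);

// Decide which third-party tags may load for this request.
function planResponse(headers, tags) {
  const optedOut = hasGpcSignal(headers);
  const allowed = [];
  const suppressed = [];
  for (const tag of tags) {
    const blocked = optedOut && tag.purposes.some((p) => OPT_OUT_PURPOSES.has(p));
    (blocked ? suppressed : allowed).push(tag.name);
  }
  return {
    optedOut,
    allowed,
    suppressed,
    // Shared caches must key on the signal, or an opted-out visitor can be
    // served a cached page that still embeds advertising tags.
    responseHeaders: { Vary: 'Sec-GPC' },
  };
}

// Constructed tag inventory for the self-check.
const SAMPLE_TAGS = [
  { name: 'first-party-analytics', purposes: ['analytics'] },
  { name: 'ad-retargeting-pixel', purposes: ['targeted_advertising'] },
  { name: 'data-broker-sync', purposes: ['sale', 'analytics'] },
];

// Regression check to run in CI: returns a list of failures (empty = passing).
function selfCheck() {
  const failures = [];
  const on = planResponse({ 'sec-gpc': '1' }, SAMPLE_TAGS);
  const off = planResponse({}, SAMPLE_TAGS);
  if (on.allowed.join() !== 'first-party-analytics') failures.push('GPC on: ad tags leaked');
  if (off.suppressed.length !== 0) failures.push('GPC off: tags wrongly suppressed');
  if (hasGpcSignal({ 'Sec-GPC': '0' })) failures.push('value 0 treated as opt-out');
  return failures;
}
```

Running `selfCheck()` on every deploy covers the "regular testing" point: a tag added to the inventory with the wrong purpose label, or a header check that regresses, shows up as a named failure.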

Contact the Data Privacy Attorneys at Revision Legal

The MCDPA’s unique features require compliance strategies tailored specifically to Minnesota law — not just a copy of a compliance program built for CCPA or another state’s statute. The Data Privacy Attorneys at Revision Legal help businesses and non-profits build MCDPA-compliant privacy programs, update vendor contracts, and implement consumer rights request mechanisms. Contact us through the form on this page or call (855) 473-8474.
