Navigating Minnesota’s Consumer Data Privacy Act: What Healthcare Entities and Nonprofits Need to Know Before January 31, 2026

Nilan Johnson Lewis PA

Overview of the Minnesota Consumer Data Privacy Act

Minnesota’s comprehensive consumer data privacy law known as the Minnesota Consumer Data Privacy Act (the “Act”) went into effect on July 31, 2025. The Act regulates how businesses collect and share personal data (i.e., data that is linked or reasonably linked to an identified or identifiable natural person) and grants additional rights to Minnesota residents. Beginning January 31, 2026, businesses will no longer be able to rely on a statutory 30-day cure period. Minnesota businesses should review their policies and practices now to ensure compliance with the Act.

While the Act applies to all businesses that (A) control or process the personal data of 100,000 or more consumers in a calendar year, and/or (B) control or process the personal data of 25,000 or more consumers in a calendar year and earn 25% or more of their gross revenue from the sale of personal data, there are certain exemptions for healthcare entities and specific nonprofits, including:

  • Nonprofits established to detect and prevent fraudulent acts in connection with insurance.
  • Insurance companies, insurance producers, and third-party administrators.
  • Data regulated under the Health Insurance Portability and Accountability Act (HIPAA) and the Minnesota Health Records Act (MHRA).
  • Part 2 substance use disorder records.
  • Information included in a limited data set and data used for public health activities.

Implications for Healthcare Entities and Nonprofits

Healthcare Entities: Many healthcare providers will fall outside the Act’s scope because protected health information (PHI) is exempt and does not count toward the applicability thresholds. However, healthcare providers should be aware that they may still process non-PHI personal data that does count toward the applicability thresholds, such as website tracking and analytics data. Healthcare-adjacent entities, including health technology companies and fitness or wellness app providers not otherwise regulated by HIPAA, may be subject to the Act if they meet the applicability thresholds.

Nonprofits: Unlike many other state privacy laws, the Act does not include a broad entity-level exemption for nonprofits (except as noted above). As a result, nonprofits that meet the applicability thresholds are required to comply with the Act.

Key Consumer Rights

Those businesses subject to the Act must be prepared to honor a range of individual consumer rights, including:

  • Right to Access: The right to request a copy of personal data held about the consumer.
  • Right to Correct: The right to correct inaccurate personal data.
  • Right to Delete: The right to request deletion of personal data.
  • Right to Portability: The right to obtain personal data in a readily usable format.
  • Right to Opt-Out: The right to opt out of targeted advertising, the sale of personal data, and profiling for automated decision-making.
  • Right to Obtain a List of Third Parties: The right to obtain a list of specific third parties to whom personal data has been disclosed.

Additional Consumer Rights Related to Profiling: In addition to the rights listed above, the Act grants consumers specific rights when profiling results in decisions that produce legal or similarly significant effects. Affected consumers may challenge the profiling outcome, receive an explanation of the decision, learn what actions may lead to a different result, and review the personal data used in the profiling process.

Business Compliance Obligations

The Act further sets forth critical responsibilities for businesses, which include:

  • Privacy Policy: Providing a clear, accessible, and meaningful privacy policy.
  • Documented Policies and Procedures: Maintaining written privacy policies and procedures, including designation of a chief privacy officer or another individual responsible for compliance.
  • Data Protection Assessments: Conducting data protection assessments for high-risk processing activities, such as targeted advertising, sale of personal data, processing of sensitive data, or profiling that presents a heightened risk of harm.
  • Data Security: Implementing reasonable administrative, technical, and physical safeguards to protect personal data.
  • Processor Contracts: Entering into binding contracts with data processors that clearly define processing instructions and compliance obligations.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Nilan Johnson Lewis PA
