Under the MCDPA, websites targeting Minnesota residents must obtain explicit, unambiguous consent—prior to placing non-essential cookies—especially when processing sensitive data or profiling individuals. Transparency and a valid consent mechanism are mandatory for compliance. Are you compliant?
The Minnesota Consumer Data Privacy Act (MCDPA) is a statewide data privacy law, signed on May 24, 2024, that takes effect on July 31, 2025. It empowers Minnesota residents with rights over their personal data and imposes obligations—such as transparency, data inventory, and security—on qualifying businesses.
Businesses should work through a compliance checklist:
Update privacy policy: update privacy policies with Minnesota-specific disclosures.
Implement consent management: implement cookie consent banners and opt-out flows to obtain clear, affirmative consent and manage consumer rights.
Data subject handling: establish processes for handling data subject requests.
Data security: ensure data security measures are in place.
Conduct data assessments: conduct required privacy impact or protection assessments and maintain a data inventory.
Different business types must comply with MCDPA:
Businesses that process data of 100,000+ MN consumers annually; or
Businesses with 25,000+ MN consumers and over 25% of revenue from selling personal data
Exemptions apply to small businesses (per SBA), government, Indian tribes, certain nonprofits, banks, insurance companies, HIPAA/GLBA-covered entities, and employment contexts.
Minnesota consumers have the following rights:
Consumers can access and confirm processing of personal data
Consumers can request to correct inaccuracies
Consumers can request that their personal data be deleted
Consumers can challenge profiling outcomes and receive explanations and can appeal refusals
Consumers can opt out of the sale of personal data, targeted advertising, and profiling that produces legal/significant effect
Consumers can obtain a list of specific third parties who received their data
Businesses must have DSAR processes and response timelines.
Cookies that collect personal data from Minnesota users must be disclosed clearly, and non-essential or profiling cookies require opt-in consent. Consent mechanisms must integrate with cookie banners and CMPs to comply with opt-out and transparency obligations.
Enforcement is by the Minnesota Attorney General. Businesses get a 30-day cure period (ending Jan 31, 2026), after which fines can be imposed up to 7,500 USD per violation. Consumers do not have a private right of action.
Organizations should ensure adherence to data privacy best practices as a part of their MCDPA Minnesota compliance:
Audit: conduct a data audit to identify all cookies and trackers on their websites.
Categorize: categorize cookies (e.g., necessary, preference, analytics, marketing).
Implement consent management: ensure consent banners are implemented correctly with granular choices, enable users to withdraw consent at any time, and maintain consent logs.
Check third-party contracts: review third-party data-sharing practices.
The MCDPA covers Minnesota residents in their individual or household capacities, not B2B or employee data, and applies to businesses meeting data volume or revenue thresholds targeting those consumers.
Personal data is any information linked or reasonably linkable to an identifiable person (not including deidentified or public data), such as names, emails, IP addresses, geolocation, device IDs, biometric data and more.
Sensitive categories include racial or ethnic origin, religious beliefs, health data, sexual orientation, genetic/biometric data, citizenship status, precise geolocation, and personal data of known children.
The Minnesota Attorney General is the sole enforcement authority.
Exemptions apply to small businesses (SBA standard), government, federally recognized tribes, certain banks/insurers, nonprofits detecting insurance fraud, HIPAA/GLBA-regulated data, employment contexts, and public records.
Visit the Minnesota AG’s office website and review the enacted HF 4757/Minnesota Statutes (chapter 325O).
©2018-2025 CookieHub ehf.