What the MCDPA Covers and When It Took Effect
The Minnesota Consumer Data Privacy Act (MCDPA), codified as Chapter 325M of Minnesota Statutes, took effect on 31 July 2025. It grants Minnesota residents a set of rights over their personal data and places obligations on businesses that collect, process, or sell that data. Among US state privacy laws, the MCDPA stands out for its detailed profiling protections and its requirement that controllers honour universal opt-out signals from day one.
The law applies to entities that conduct business in Minnesota or target products and services at Minnesota residents, provided they meet one of two thresholds during a calendar year:
- Control or process personal data of at least 100,000 Minnesota consumers (excluding data processed solely to complete a payment transaction), or
- Derive more than 25 per cent of gross revenue from the sale of personal data and process personal data of at least 25,000 Minnesota consumers.
These thresholds are comparable to those in Colorado and Connecticut, though the MCDPA's broader consumer rights set it apart.
Consumer Rights Under the MCDPA
Minnesota residents gain several rights that directly affect how your website handles personal data.
Access, Deletion, and Portability
Consumers can request access to the personal data a controller holds about them, ask for deletion of that data, and obtain a copy in a portable format. Controllers must respond within 45 days, with a possible 45-day extension when reasonably necessary.
Opt-Out Rights
The MCDPA grants consumers the right to opt out of three activities: the sale of personal data, targeted advertising, and profiling that produces legal or similarly significant effects. If your site uses tracking cookies such as _ga, _fbp, or _ttp for advertising purposes, you must provide a mechanism for Minnesota visitors to refuse that processing.
Your site must also honour Global Privacy Control (GPC) signals. The MCDPA explicitly requires controllers to treat a universal opt-out signal as a valid opt-out request for the sale of personal data and targeted advertising.
Profiling Protections: Where Minnesota Goes Further
The MCDPA contains some of the most detailed profiling provisions in any US state privacy law. Consumers can opt out of profiling used to make automated decisions with legal or similarly significant effects, including decisions that limit access to housing, insurance, education, employment, healthcare, or financial services.
When profiling does occur, consumers have the right to request a detailed explanation of the decision, to review the personal data used, and to have the profiling decision re-evaluated if it relied on inaccurate information. This goes well beyond the opt-out-only approach taken by Virginia and Utah.
If your website or application uses automated decision-making - for example, algorithmic pricing, risk scoring, or eligibility screening - you should document the logic involved and build a process for handling consumer challenges.
Sensitive Data and Consent
The MCDPA defines sensitive data broadly: racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data of a known child, and precise geolocation data. Processing sensitive data requires the consumer's prior consent.
For website owners, this means that any cookie or tracker collecting precise geolocation or health-related browsing data must be blocked until consent is obtained. A properly configured cookie consent banner with category-level controls can manage this requirement.
Comparison With Other State Laws
| Feature | Minnesota (MCDPA) | Colorado (CPA) | Texas (TDPSA) | Virginia (VCDPA) |
|---|---|---|---|---|
| Effective date | 31 Jul 2025 | 1 Jul 2023 | 1 Jul 2024 | 1 Jan 2023 |
| Universal opt-out signal required | Yes | Yes | No | No |
| Profiling appeal rights | Yes - explanation and re-evaluation | Limited | No | No |
| Sensitive data consent | Opt-in | Opt-in | Opt-in | Opt-in |
| Cure period | 30 days (expired 31 Jan 2026) | 60 days (expired 1 Jan 2025) | 30 days | 30 days (expired) |
| Private right of action | Limited (data broker violations) | No | No | No |
| Enforcement penalty | Up to $7,500 per violation | Up to $20,000 per violation | Up to $7,500 per violation | Up to $7,500 per violation |
Enforcement: The Cure Period Is Over
The MCDPA included a 30-day right-to-cure period that expired on 31 January 2026. During those first six months, the Minnesota Attorney General was required to send a warning letter before taking enforcement action, giving the controller 30 days to fix the identified violation.
That grace period is now over. The Attorney General can bring enforcement actions without prior notice, and penalties reach up to $7,500 per violation. The AG's office has already received more than 200 consumer complaints since the law took effect, many involving difficulties exercising deletion rights or problems with universal opt-out signal recognition.
Dozens of warning letters were sent to companies during the cure period, targeting issues with privacy policies, consent mechanisms for sensitive data, and failures to respond to opt-out signals. The AG's office reported that most companies corrected the identified issues promptly.
Private Right of Action: A Limited but Notable Provision
Unlike most US state privacy laws, the MCDPA includes a private right of action for certain violations related to data broker requirements. This does not extend to all provisions of the law, but it does give consumers a direct path to court in specific circumstances - a feature absent from the Texas, Indiana, and Kentucky privacy laws.
If your business qualifies as a data broker under Minnesota law, this provision carries particular risk.
Practical Steps for Website Compliance
Bringing your website into compliance with the MCDPA involves several concrete actions.
1. Detect and Honour GPC Signals
Your site must recognise the Sec-GPC HTTP header and treat it as an opt-out of sale and targeted advertising. A consent management platform that supports GPC signal detection can handle this automatically.
2. Audit Your Cookies and Trackers
Run a cookie scan to identify every cookie and tracker on your site. Categorise them as strictly necessary, functional, analytics, or advertising. Block non-essential cookies until consent is given, particularly any that collect sensitive data such as precise geolocation.
3. Update Your Privacy Notice
The MCDPA requires a privacy notice that discloses the types of personal data processed, whether data is sold or used for profiling, the retention period, and how consumers can exercise their rights. Review your existing privacy policy against these requirements.
4. Build a Rights Request Process
You need a documented process for receiving and responding to access, deletion, correction, and opt-out requests within 45 days. If your site processes data at scale, consider automating intake through a web form or dedicated email address.
5. Review Profiling Practices
If you use any form of automated decision-making that affects consumers in areas such as pricing, eligibility, or content personalisation, document the logic and establish a procedure for consumer challenges. The MCDPA's profiling provisions require transparency and, in some cases, human review.
How the MCDPA Interacts With Other Privacy Laws
If your website already complies with the CCPA/CPRA or GDPR, you have a head start, but the MCDPA has distinct requirements that may not be covered by existing compliance programmes. The profiling explanation and re-evaluation rights go beyond what California or the EU require in practice. The universal opt-out signal requirement aligns with Colorado and Delaware but differs from states like Iowa, which does not mandate GPC recognition.
For sites with visitors across multiple US states, a layered approach works best: honour GPC signals site-wide, provide granular cookie consent controls, and maintain a rights request process that can adapt to each state's specific requirements. A consent banner that works alongside GPC avoids gaps in compliance coverage.
Frequently Asked Questions
Does the Minnesota Consumer Data Privacy Act apply to small businesses?
The MCDPA applies only if your business meets one of two thresholds: processing personal data of 100,000 or more Minnesota consumers, or deriving over 25 per cent of gross revenue from data sales while processing data of 25,000 or more Minnesota consumers. Most small businesses with limited Minnesota traffic will fall below these thresholds.
Do I need to honour Global Privacy Control signals under the MCDPA?
Yes. The MCDPA explicitly requires controllers to recognise universal opt-out mechanisms, including the GPC browser signal, as valid opt-out requests for the sale of personal data and targeted advertising.
Can consumers sue my business under the MCDPA?
The MCDPA includes a limited private right of action that applies to certain data broker violations. General enforcement of the law is handled exclusively by the Minnesota Attorney General, who can impose penalties of up to $7,500 per violation.
What counts as sensitive data under the MCDPA?
Sensitive data includes racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship status, genetic or biometric data, data of known children, and precise geolocation. Processing any of these categories requires prior consumer consent.
Is there still a cure period for MCDPA violations?
No. The 30-day cure period expired on 31 January 2026. The Attorney General can now bring enforcement actions without prior warning.
How does the MCDPA differ from the CCPA?
The MCDPA includes profiling explanation and re-evaluation rights that the CCPA does not provide. It also has different applicability thresholds and a narrower private right of action limited to data broker violations, whereas the CCPA allows broader private claims for data breaches.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
