What the Minnesota Consumer Data Privacy Act (MCDPA) means for businesses
Minnesota’s new privacy law introduces some of the nation’s strongest consumer data protections. Here’s what privacy, legal, and data teams need to understand, and how to prepare your systems to comply.
On July 31, 2025, Minnesota’s Consumer Data Privacy Act (MCDPA) went into effect, expanding the growing patchwork of state-level privacy regulation in the U.S. The law grants Minnesota residents a robust set of rights over their personal data and imposes clear obligations on businesses that collect and process that data.
The MCDPA reflects an evolving standard: consumer privacy isn’t meaningful without operational enforcement. This post outlines what makes the MCDPA notable, how it compares to other laws, and what engineering and compliance leaders should consider as they operationalize compliance.
What’s new in the Minnesota law
The MCDPA grants Minnesota residents nine core rights:
- Access: Know what personal data a business has collected.
- Deletion: Request erasure of personal and sensitive data.
- Portability: Receive a copy of that data in a portable format.
- Correction: Fix inaccurate data records.
- Opt-out: Say no to data sales, targeted advertising, and profiling.
- Automated decision transparency: Challenge significant decisions made by algorithms.
- Third-party disclosure: Request a list of entities with whom data was shared.
- Parental consent: Require guardian approval for targeting or sales involving minors under 16.
- Global opt-out recognition: Assert opt-out rights via browser-based signals like Global Privacy Control (GPC).
While many of these rights mirror provisions in other state laws, Minnesota’s version includes several key enhancements:
- Universal opt-out requirements. Controllers must honor browser-based global privacy signals as a valid method for exercising opt-out rights. This requires technical readiness to detect and enforce preferences passed via user agents.
- Profiling & automated decision-making. The law provides individuals with the right to opt out of profiling and to contest automated decisions that produce legal or similarly significant effects. Businesses must understand how automated decisions are made and what data powers them.
- Clear deadlines for compliance. Controllers must respond to consumer rights requests within 45 days. That requirement introduces process pressure, especially for enterprises operating across systems and jurisdictions.
Minnesota is now one of nineteen states that have comprehensive consumer data privacy laws [...] According to data privacy authorities like the Future of Privacy Forum, ours is among the strongest consumer data privacy laws in the country.”Attorney General Keith Ellison
What businesses need to know
The MCDPA applies to entities that conduct business in Minnesota or target Minnesota residents, and meet specific thresholds for data processing volume or revenue. Small businesses (as defined by the U.S. Small Business Administration) are mostly exempt, but no business is permitted to sell sensitive personal data without prior consent.
What are the volume thresholds for which the MCDPA kicks in? Businesses will be impacted if either they (1) process or control the personal data of at least 100,000 Minnesota residents within a calendar year (excluding payment transaction data processing), or if they (2) generate 25% of gross revenue from the sale of personal data and process or control the data of at least 25,000 Minnesota residents.
If impacted, businesses must determine whether they are a:
- Controller: Determines the purposes and means of processing personal data.
- Processor: Acts on behalf of a controller and follows their instructions.
Each role comes with distinct obligations:
- Controllers are responsible for disclosures, rights requests, and opt-out mechanisms.
- Processors must implement appropriate security and act only on documented instructions.
Engineering considerations
The MCDPA does not mandate specific tools or architectures. But achieving compliance reliably, especially across distributed systems, requires more than manual workflows.
To prepare, enterprise teams should consider:
- Structured Data Mapping: Identifying where personal and sensitive data lives across the stack.
- Consent Signal Integration: Detecting and enforcing browser-based global privacy controls.
- Request Handling Workflows: Building repeatable processes to fulfill access, deletion, and correction requests within statutory timeframes.
- Decision System Transparency: Tracing and documenting where automated decisions occur and what data feeds them.
For organizations at scale, these tasks are difficult to manage without software support. While manual approaches are legally permitted, they rarely meet enterprise needs for speed, consistency, or auditability.
Ethyca’s take on compliance for MCDPA
Ethyca helps enterprises operationalize their privacy programs through integrated data infrastructure. Our platform supports:
- Real-time data classification and lineage
- Centralized consent and opt-out signal enforcement
- Automated workflows for fulfilling rights requests
- Transparent documentation of automated decision processes
These capabilities are not legally required, but they make compliance more scalable, reliable, and defensible for businesses focused on growth.
Conclusion
Final word
Minnesota’s Consumer Data Privacy Act is another step toward codifying enforceable privacy rights in the U.S. As more states follow suit, businesses must evolve their privacy posture from reactive compliance to proactive, systems-driven governance.
If your team is preparing for MCDPA enforcement, or evaluating your readiness for emerging regulations, now is the time to assess whether your infrastructure can support the rights you’re expected to honor.
To learn how Ethyca can help your team get ahead of compliance, speak with one of our privacy engineers today.
.jpeg?rect=270,0,2160,2160&w=2560&h=2560&fit=min&auto=format)
.png?w=3200&h=2133&auto=format)
.png?w=3200&h=2133&auto=format)