Minnesota Consumer Privacy Act (MCPA) to Take Effect in 2025

Minnesota Consumer Privacy Act (MCPA) to Take Effect in 2025

According to an article by Lathrop GPM, Minnesota has enacted the Minnesota Consumer Privacy Act (MCPA), becoming the 19th state with a comprehensive data privacy law. Signed by Governor Tim Walz on May 24, the law will take effect on July 31, 2025. 

The MCPA addresses the gap left by the absence of a federal privacy law, requiring businesses and organizations handling personal data to comply with various data privacy regulations.

The article highlights these elements of the Minnesota Consumer Privacy Act:

Coverage: The MCPA applies to businesses in Minnesota or those targeting state residents, meeting certain criteria: handling the personal data of at least 100,000 consumers or deriving over 25% of revenue from selling personal data of at least 25,000 consumers.

Definitions: Personal data includes information linked to an identifiable person but excludes deidentified or publicly available information. A “controller” determines the purposes and means of processing personal data. A “consumer” is a Minnesota resident acting in a personal context, not in a commercial or employment context. The MCPA defines a “sale” of data as any exchange for monetary or other valuable consideration.

Exemptions: Certain entities, like government bodies, small businesses, and specific financial institutions, are exempt. Unlike some state laws, there is no broad exemption for non-profits, except those preventing insurance fraud. Data already regulated under laws like HIPAA or the Fair Credit Reporting Act is also exempt.

Consumer Rights: Consumers can access, correct, delete, and obtain their personal data. They can also get a list of third parties who received their data.

New Provisions: The MCPA introduces new rights around profiling decisions and mandates businesses maintain a data inventory and document compliance. It also requires data protection assessments for certain activities.

Enforcement: The MCPA is enforced by the Minnesota Attorney General, with violations subject to fines up to $7,500 per violation. Businesses have a 30-day period to address violations before enforcement, expiring in 2026. The law is effective from July 31, 2025, with a delayed compliance date for postsecondary institutions until 2029.