Policy Briefing — July 31, 2025
Minnesota’s Consumer Data Privacy Act becomes enforceable July 31, 2025, requiring controllers to deliver consumer rights, document DPIAs, and coordinate attorney-general engagement workflows for complaints.
Executive briefing: Minnesota’s Consumer Data Privacy Act (MCDPA) becomes enforceable on July 31, 2025. Controllers meeting the 100,000-resident processing threshold—or 25,000 with 25% revenue from data sales—must deliver access, deletion, correction, and opt-out rights, obtain consent for sensitive data, and document assessments for targeted advertising, profiling, or processing that heightens privacy risk.
Key statutory signals
- Broad controller duties. Controllers must maintain data inventories, publish purpose-specific notices, and honor universal opt-out mechanisms while ensuring processor contracts bind subprocessors.
- Risk governance. Section 8 mandates documented data protection assessments for targeted ads, sale of personal data, profiling with significant effects, and sensitive data processing, aligning programs with enterprise risk committees.
- Enforcement cadence. The Minnesota Attorney General enforces with a discretionary 30-day cure through January 2026, after which statutory damages up to $7,500 per violation may be pursued.
Operational priorities
- Update recordkeeping. Map Minnesota residents in data inventories and classify sensitive data to gate processing on opt-in consent.
- Integrate universal opt-out. Build recognition of browser-based opt-out signals into advertising platforms and consent management.
- Align DPIA templates. Extend enterprise privacy impact assessments to capture MCDPA risk triggers and attach remediation owners.
Sources
- Minnesota Session Law 2024, Chapter 93 (HF 4757)
- IAPP: Minnesota enacts comprehensive privacy law
- Faegre Drinker: Minnesota passes Consumer Data Privacy Law
Zeph Tech is aligning Minnesota readiness with multi-state privacy playbooks, universal opt-out integrations, and audit-ready DPIA evidence.