On July 31, 2025, Minnesota will join the growing list of states enacting robust data privacy laws when the Minnesota Consumer Privacy Act (MCPA) takes effect. This law marks a significant step in protecting residents’ personal information, aligning Minnesota with states like California while introducing unique provisions that set it apart.
The MCPA applies to legal entities conducting business in Minnesota or offering products or services targeted at state residents. Specifically, it covers those controlling or processing the personal data of at least 100,000 consumers annually (excluding payment transactions) or deriving over 25% of gross revenue from selling personal data while processing the data of at least 25,000 consumers. Notably, unlike the California Consumer Privacy Act (CCPA), Minnesota’s law does not broadly exempt nonprofit organizations, meaning both businesses and nonprofits must review and potentially overhaul their privacy policies to avoid enforcement actions by the Minnesota Attorney General’s office.
At the heart of the MCPA is a clear definition of personal data: any information linked or reasonably linkable to an identified or identifiable natural person, excluding deidentified or publicly available information. The law introduces the term “controller,” referring to the natural or legal person who determines the purposes and means of processing personal data, echoing terminology from the European Union’s General Data Protection Regulation (GDPR). Consumers are defined as Minnesota residents acting in an individual or household context, explicitly excluding those acting commercially or as employees.
One of the law’s critical provisions is the broad definition of a “sale” of personal data, encompassing exchanges for monetary or any other valuable consideration. This expansive view ensures that transactions involving personal data, even those not strictly monetary, fall under the law’s purview. The MCPA also explicitly applies to technology providers contracting with public education agencies, highlighting its reach into educational technology sectors.
However, the law also outlines exemptions. Governmental entities, federally recognized Indian tribes, small businesses as defined by the U.S. Small Business Administration, certain air carriers, and specific banks, credit unions, and insurance companies are exempt. Importantly, while many state privacy laws exempt entities covered by the Health Insurance Portability and Accountability Act (HIPAA), the MCPA does not provide an entity-level exemption for such companies, though data-level exemptions for HIPAA-regulated data remain consistent with other laws.
Consumers gain enhanced rights under the MCPA, including the ability to confirm whether a controller is processing their personal data and access the categories of data processed. They can correct inaccuracies, request deletion of personal data (subject to exceptions), obtain copies of data they previously provided when processed automatically, and receive lists of third parties to whom their data was disclosed. The law also mandates recognition of universal opt-out mechanisms, empowering consumers to more easily manage their privacy preferences.
Profiling practices receive particular attention under the MCPA. Consumers can request explanations of profiling decisions made about them, question those decisions, and receive information on how to potentially secure different outcomes in the future. If profiling is based on inaccurate data, consumers have the right to correction and reevaluation. This provision is among the first of its kind in U.S. state privacy laws, underscoring Minnesota’s commitment to transparency and fairness in automated decision-making.
Another pioneering aspect of the MCPA is the requirement for controllers to maintain a detailed data inventory. This inventory must document the types of data collected, the purposes of collection, and the policies and procedures used to secure the data and comply with the law. Minnesota is the first state to mandate such comprehensive data inventories, reflecting a proactive approach to data governance. The Attorney General’s office may request access to these inventories during investigations.
Data retention is also regulated. Controllers are prohibited from keeping personal data that is no longer relevant or necessary for the original purposes unless retention is mandated by law or falls under specified exceptions, such as fulfilling contracts or warranties. This promotes data minimization and reduces the risks associated with holding excessive personal information.
Compliance documentation is required, with controllers needing to maintain descriptions of their privacy policies and procedures, including contact information for the chief privacy officer or the individual responsible for overseeing compliance. Furthermore, the MCPA mandates data privacy and protection assessments for certain high-risk processing activities, such as targeted advertising, sales of personal data, processing sensitive data, and profiling that poses heightened risks. These assessments must be documented and made available to the Attorney General upon request.
Enforcement of the MCPA lies with the Minnesota Attorney General’s office. There is no private right of action, meaning consumers cannot sue directly under the law. Violations may result in injunctive relief and civil penalties up to $7,500 per violation. Importantly, the Attorney General must provide a 30-day notice period for entities to cure alleged violations before initiating enforcement actions, though this cure period expires on January 31, 2026. Post-secondary institutions regulated by the Office of Higher Education have an extended compliance deadline until July 31, 2029.
For businesses and nonprofits, the time to prepare is now. Key steps include updating privacy notices, implementing processes to respond to consumer rights requests, creating comprehensive data inventories, and conducting required data protection assessments. These actions will help entities navigate the new regulatory landscape and avoid costly penalties.
Meanwhile, on a related front, Montana and Connecticut are reshaping their consumer data privacy laws, particularly concerning financial institutions. In May 2025, Montana enacted Senate Bill 297, amending its Consumer Data Privacy Act (MCDPA) to remove the broad exemption previously granted to financial institutions subject to the Gramm-Leach-Bliley Act (GLBA). Connecticut followed suit with Senate Bill 1295, which became a Public Act on June 11, 2025, and is awaiting the governor’s signature.
These legislative changes place Montana and Connecticut among a growing group of states that no longer broadly exempt GLBA-subject financial institutions from their state privacy laws. Since the advent of comprehensive privacy laws beginning with California’s groundbreaking legislation in 2020, around 19 states have enacted similar laws, each with varying definitions, applicability thresholds, consumer rights, and disclosure requirements. This patchwork creates a complex compliance environment for businesses operating across multiple states.
The GLBA, a federal law in place for over two decades, establishes a framework protecting consumers’ nonpublic personal information (NPI) within the financial services industry. Most states with comprehensive privacy laws traditionally provide two types of GLBA exemptions: an entity-level exemption for financial institutions themselves and a data-level exemption for NPI. These exemptions generally shield financial institutions from state privacy laws, while other businesses handling NPI benefit from data-level exemptions.
California’s Consumer Privacy Act has never offered an entity-level exemption for financial institutions, only a data-level exemption for NPI, aside from its data breach private right of action. Montana’s recent amendment removes the entity-level exemption, meaning that effective October 1, 2025, financial institutions in Montana will be subject to the state’s comprehensive privacy law, except for protections afforded by the data-level exemption. This shift signals a tightening regulatory environment for financial institutions nationwide.
Financial institutions may leverage their existing compliance frameworks, such as those developed for the CCPA, to address these evolving state laws. This involves understanding the full scope of data held, classifying data according to GLBA applicability, and developing processes to honor consumer rights under various state laws.
As states continue to refine their privacy laws, businesses, nonprofits, and financial institutions must stay vigilant. The evolving landscape demands proactive compliance strategies to protect consumer privacy and avoid enforcement actions. Minnesota’s MCPA and the amendments in Montana and Connecticut exemplify the dynamic nature of data privacy regulation in the United States, underscoring the importance of adaptability in an increasingly data-driven world.