New Minnesota law creates stronger privacy protections for residents

Attorney General Ellison and Representative Elkins share important information about the Minnesota Consumer Data Privacy Act taking effect on July 31

Attorney General’s Office launches PrivacyMN.com to help consumers assert their new rights

July 28, 2025 (SAINT PAUL) — On July 31st, the Minnesota Consumer Data Privacy Act (MCDPA) takes effect, ushering in a new era of privacy and digital protections for Minnesotans. Today, Attorney General Keith Ellison and Representative Steve Elkins—lead author of the law—announced how residents can exercise their new rights to control how their data is collected and used. Under the law, businesses must also meet strict requirements to better protect and secure consumer data. 

"All of us are constantly creating data about ourselves, often without even realizing it," said Attorney General Ellison. "This happens whenever we put on a smart watch or fitness device, travel somewhere with our phone's GPS turned on, sign up for a mailing list, or even visit a website. Each data point may not seem like much on its own, but when all that data comes together, it can become a significant invasion of our privacy and potentially even a threat to our safety. This is especially true when that data is bought and sold to virtually anyone who will pay. Geolocation data can be used to track people visiting healthcare facilities or attending peaceful protests, and social media data can be scraped and compiled to build targeted disinformation campaigns. For years, this loss of privacy has felt inevitable, but it does not have to be. Our state’s new Consumer Data Privacy Act gives Minnesotans greater freedom to control their data. I look forward to this law taking effect and to enforcing it in order to protect the privacy and safety of the people of Minnesota.”

“Minnesota is now one of nineteen states that have comprehensive consumer data privacy laws,” said Representative Steve Elkins. “Eighteen of them are based upon a framework that originated in the state of Washington which includes a common set of definitions and basic consumer rights. Because ours was the most recent such act to be passed into law, I was able to incorporate a number of improvements to this basic framework that I borrowed from other states, as well as a few further improvements that other states are starting to copy from us. According to data privacy authorities like the Future of Privacy Forum, ours is among the strongest consumer data privacy laws in the country.”

“One of our unique provisions is the one which grants consumers the right to question the results of ‘profiling’ that scores us based upon our personal data to make automated decisions affecting our access to jobs, housing, education, insurance or other essential services, regardless of whether ‘artificial intelligence’ is used in the profiling process,” added Representative Elkins. “We’re ahead of the game on this issue.”

The MCDPA, signed into law on May 19, 2024, governs the personal data of Minnesota residents. Any data that reveals information about an individual is considered personal data. Examples include: a person’s name, email, login credentials, and browsing history. The law also includes enhanced protections for sensitive data, a subset of personal data which includes information such as race, ethnicity, religion, mental or physical health, sexuality, or location, as well as genetic and biometric data.

Consumers

The MCDPA grants Minnesota consumers new rights concerning their data. These rights include: 

Consumers can contact businesses governed by the law to assert these rights, and businesses are required to respond within 45 days. Businesses must also include an email address or other online mechanism within their privacy disclosures page that consumers can use to contact the business.

The MCDPA also requires businesses to honor universal opt-out mechanisms. Universal opt-out mechanisms can be activated on a user’s web browser, and they send a signal that the user would like to opt out of targeted advertisements and data collection to whatever website the user is on. Universal opt-out mechanisms allow users to assert certain privacy rights without needing to manually adjust their preferences on every website they visit.

Profiling
Minnesota now leads the nation with some of the strongest protections against harmful data profiling and automated decision making. Minnesota’s law creates special rights to ensure that Artificial Intelligence (AI) and automated systems cannot deprive residents of critical goods and services. Under the law, profiling refers to the use of personal data to evaluate or predict aspects of an individual’s life—such as their behavior, preferences, or economic status. Profiling and automated decision-making can be useful to some organizations but is often invisible to individuals and the decisions may harm consumers.  Under Minnesota’s new law, consumers can opt out of profiling used to make automated decisions with legal or similarly significant effects, such as limiting access to housing, insurance, education, employment, healthcare, or financial services. If profiled in this way, consumers have the right to request detailed explanations regarding the decision or a reevaluation if the profiling used inaccurate data.

Kids and Teenagers
Additionally, the MCDPA includes enhanced protections for the data of children and teenagers. For children under the age of 16, businesses must obtain permission from a parent or legal guardian before selling their personal data or using their data for targeted advertising.

Resources for Consumers
Minnesotans who would like to learn more about this law and how to assert their new privacy rights are encouraged to visit PrivacyMN.com. This website has information on Minnesotans’ rights, template letters Minnesotans can send to exercise those rights, information on setting up a universal opt-out-mechanism, as well as a place where Minnesotans can report violations of the law.

Enforcement
The Minnesota Attorney General’s Office is responsible for enforcing this new law. Consumers are encouraged to report any violations of the law to the Attorney General’s Office via PrivacyMN.com. The MCDPA included funding for the office to hire four new attorneys as well as an investigator who will primarily focus on the enforcement of this legislation.

Representative Elkins’ Data Requests

At a press conference focused on the new law, Representative Elkins announced that, when the law takes effect, he will be submitting some of the first requests under the new law. Representative Elkins will request that multiple data brokers erase any data they have on him. Data brokers are businesses that specialize in collecting, compiling, and selling data on a variety of subjects, including data on the American people.

“One of the rights granted by the Act is the right to request the deletion of your data,” said Representative Elkins. “I will be requesting the deletion of my personal data from the databases of a long list of “data brokers” who provide address look-up services to the public. Accused murderer Vance Boelter used several of these data broker web sites to look up the home addresses of the legislators who he targeted. This will provide a timely ‘test case’ that we can use to measure compliance with this aspect of the Act and I’m happy to be the ‘guinea pig’. Minnesota is one of 19 states that now grants its citizens this right and these brokers should now be in position to routinely and promptly act on these requests.”

Businesses

Under the MCDPA, certain businesses have new obligations when it comes to collecting and protecting consumer data. Those obligations include:

Businesses Covered by the Law
Businesses are subject to the Minnesota Consumer Data Privacy Act if they control or process the personal data of 100,000 or more Minnesota residents, or if they earn over 25% of their revenue from the sale of personal data and process or control personal data of 25,000 consumers or more. In addition, certain education technology providers are subject to the new law. 

Cure Period
For the first six months the law is in effect, if the Minnesota Attorney General’s Office believes an entity is violating the MCDPA, the law requires the office to notify the business in writing of the alleged violation and give that business 30 days to correct that violation. If, after 30 days, the office believes the entity has failed to cure the violation, the Attorney General’s Office can then bring an enforcement action. This cure period is designed to help businesses adapt to this new law, and it expires on January 31, 2026. 

Resources for Businesses
In addition to containing useful information for consumers, privacymn.gov also has resources for businesses. These resources include frequently asked questions, information on what entities are exempt from the law, the steps businesses must take to honor consumer privacy rights, what businesses are required to do to protect consumer data, and more. Business owners are encouraged to consult PrivacyMN.com if they have any questions about the MCDPA.