Minnesota was the nineteenth state to pass a comprehensive data privacy law, the Minnesota Consumer Privacy Act (H.F. 4757) (MCPA), which becomes effective on July 31, 2025.

While we continue to see more of these laws popping up across the country, one of the most important analyses that a business can do when these new laws are passed is to 1) determine if they apply to their business and 2) understand the variations from other existing laws currently in effect (especially if the business already complies with those laws).

The MCPA applies to companies that conduct business in Minnesota or produce products or ser-vices targeted to Minnesota residents and that satisfy one or more of the following:

  • Control or process the personal information of at least 100,000 Minnesota consumers (excluding payment transactions), or
  • Derive over 25% of gross revenue from the sale of personal information and processes or controls the personal data of at least 25,000 Minnesota consumers.

How is this new law different than other state consumer privacy laws? The law includes new consumer rights and business obligations around profiling practices. Consumers have the right to request information regarding a profiling decision carried out against them, including the reasoning behind a particular profiling decision. Consumers can also request access to the data used to make that decision.

Additionally, Minnesota also requires businesses to maintain data inventories: “controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue.”

Retention is addressed by the MCPA; a business may only retain personal information for as long as the data is relevant and reasonably necessary to fulfill the purpose for which it was collected.

Businesses must also document compliance; a business must “document and maintain a description of the policies and procedures that controller has adopted to comply.” The documentation must include the name and contact information for the entity’s chief privacy officer or other individual with primary responsibility for overseeing the policies and procedures implemented to comply with the MCPA.

After Minnesota, Rhode Island also passed a consumer privacy rights law. Be on the lookout for the rest of the country to follow along.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.