Minnesota Cybersecurity Compliance: Laws, Requirements & What Businesses Must Do

A comprehensive guide to Minnesota data privacy and cybersecurity laws, including the Minnesota Consumer Data Privacy Act, breach notification requirements, and the Government Data Practices Act.

Minnesota has enacted one of the most significant state-level data privacy laws in the country. Governor Tim Walz signed the Minnesota Consumer Data Privacy Act (MCDPA) into law on May 24, 2024, making Minnesota the eighteenth state to adopt comprehensive consumer data privacy legislation. The MCDPA takes effect on July 31, 2025, giving businesses a defined window to build or update compliance programs before enforcement begins. Combined with Minnesota's existing breach notification statute and the Government Data Practices Act, the regulatory landscape now imposes layered obligations on organizations that collect, process, or store the personal data of Minnesota residents.

This guide covers each major law, its specific requirements, and practical steps for compliance. The urgency is not hypothetical — Minnesota has experienced significant data breaches affecting millions of individuals, and the legislature has responded with progressively stronger protections. Organizations that treat compliance as a checkbox exercise risk both regulatory penalties and the kind of operational disruption that follows a real-world cyber incident.

Minnesota Consumer Data Privacy Act (MCDPA)

Overview and Scope

The MCDPA, codified as Minnesota Statutes Chapter 325O, applies to entities that conduct business in Minnesota or produce products or services targeted to Minnesota residents and that during a calendar year control or process the personal data of 100,000 or more consumers, or control or process the personal data of 25,000 or more consumers while deriving over 25 percent of gross revenue from the sale of personal data. The law covers personal data that identifies or is reasonably linkable to an identified individual, excluding de-identified data, publicly available information, and data covered by certain federal laws including HIPAA, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act.

Consumer Rights Under the MCDPA

The MCDPA grants Minnesota consumers a robust set of rights over their personal data:

  • Right to know — consumers can confirm whether a controller is processing their personal data and access that data

  • Right to correct — consumers can request correction of inaccurate personal data

  • Right to delete — consumers can request deletion of personal data provided by or obtained about them

  • Right to data portability — consumers can obtain a copy of their personal data in a portable and readily usable format

  • Right to opt out — consumers can opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects

  • Right to question profiling — notably, the MCDPA includes a right to question the result of profiling and be informed of the reason behind a profiling decision, which goes further than most state privacy laws

Controller Obligations

Organizations that qualify as controllers under the MCDPA must meet several specific obligations:

  • Limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purpose

  • Implement reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue

  • Provide a clear and accessible privacy notice disclosing the categories of personal data processed, the purposes of processing, how consumers can exercise their rights, and whether personal data is shared with third parties

  • Conduct and document data protection assessments for processing activities that present a heightened risk of harm to consumers, including targeted advertising, the sale of personal data, processing for profiling, processing of sensitive data, and any other processing that presents such a heightened risk

  • Obtain opt-in consent before processing sensitive data, which includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data of a known child, and precise geolocation data

Enforcement and Penalties

The MCDPA is enforced exclusively by the Minnesota Attorney General. There is no private right of action. Before initiating an enforcement action, the Attorney General must provide the controller or processor with a 30-day written notice identifying the specific provisions alleged to have been violated. If the organization cures the violation within 30 days and provides a written statement that the violation has been cured and that no further violations will occur, the Attorney General may not bring an action. However, if the AG determines that a cure is not possible or that the organization has previously received a notice and engaged in a subsequent violation, the 30-day cure period does not apply. Violations are enforced under the Minnesota consumer protection statutes, with civil penalties of up to $7,500 per violation.

Minnesota Breach Notification Statute (Minn. Stat. 325E.61)

Minnesota's breach notification law, codified at Minnesota Statutes Section 325E.61, predates the MCDPA and remains independently operative. The statute requires any person or business that owns or licenses data containing personal information about a Minnesota resident to disclose a security breach following discovery. The law applies when there is unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.

Notification Requirements

  • Timing — notification must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the integrity of the data system

  • Method — written notice to the last known address, electronic notice if consistent with E-SIGN Act requirements, or substitute notice (email combined with conspicuous posting on the entity's website) if the cost of notice exceeds $250,000, the affected class exceeds 500,000 individuals, or the entity lacks sufficient contact information

  • Consumer reporting agencies — if the breach affects more than 500 Minnesota residents, the entity must notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis

  • Content — while the statute does not mandate specific content, best practice and AG guidance recommend including a description of the incident, the types of personal information involved, steps the individual can take to protect against identity theft, and contact information for the entity

Scope of Protected Information

Under Section 325E.61, personal information means an individual's first name or first initial and last name in combination with one or more of the following data elements: Social Security number; driver's license number or Minnesota identification card number; or account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to the individual's financial account. The MCDPA did not substantially modify this definition, so the two statutes operate with different scopes of coverage: the breach statute's narrower definition of personal information and the MCDPA's broader definition of personal data.

Minnesota Government Data Practices Act

The Minnesota Government Data Practices Act (MGDPA), codified in Minnesota Statutes Chapter 13, governs how state agencies, political subdivisions, and statewide systems collect, create, receive, maintain, and disseminate data. Unlike the MCDPA, which targets private-sector data practices, the MGDPA establishes a comprehensive framework for government data classification. Data is classified as public, private, confidential, nonpublic, or protected nonpublic, with each classification carrying specific rules about who may access the data and under what circumstances.

For businesses that contract with Minnesota government entities, the MGDPA creates obligations around the handling of government data. Contractors may be required to adhere to the same data classification and protection standards that apply to the government entity itself. This is particularly relevant for IT service providers, healthcare organizations participating in state programs, and any vendor handling data subject to the Act. The interplay between the MGDPA and the MCDPA means that organizations serving both public and private sectors in Minnesota must maintain compliance programs that address both frameworks.

Federal Laws That Intersect with Minnesota Requirements

HIPAA

Minnesota's concentration of healthcare organizations — from the Mayo Clinic to regional hospital systems and thousands of clinics — means that HIPAA compliance is a baseline requirement for a large portion of the state's economy. HIPAA's Security Rule, Privacy Rule, and Breach Notification Rule operate alongside Minnesota's state laws. Where state law provides greater protection, the stricter standard applies. Minnesota's breach notification statute and the MCDPA's provisions on health-related data both impose obligations that can exceed HIPAA minimums in certain scenarios.

Gramm-Leach-Bliley Act (GLBA)

Financial institutions headquartered in Minnesota, including US Bancorp and Ameriprise Financial, must comply with the GLBA's Safeguards Rule, which requires written information security programs, risk assessments, and oversight of service providers. The MCDPA explicitly exempts data subject to GLBA, but financial institutions should recognize that customer data not covered by GLBA may fall under the MCDPA's scope, requiring parallel compliance efforts.

Building a Compliance Program for Minnesota Businesses

With the MCDPA taking effect on July 31, 2025, Minnesota businesses should take the following steps to prepare:

  • Conduct a data inventory — map what personal data you collect, where it is stored, how it flows through your organization, and which third parties receive it

  • Update privacy notices — ensure your privacy policy discloses the categories of data collected, purposes of processing, consumer rights under the MCDPA, and how consumers can exercise those rights

  • Implement consumer rights request processes — build or configure systems to handle access, correction, deletion, and opt-out requests within the required timeframes

  • Complete data protection assessments — identify processing activities that present heightened risk and document your assessments as required by the MCDPA

  • Review vendor contracts — ensure processor agreements include the required MCDPA provisions regarding data handling, security requirements, and sub-processor oversight

  • Strengthen security controls — implement reasonable technical safeguards including encryption, access controls, and monitoring appropriate to the sensitivity and volume of data you handle

  • Train your workforce — ensure employees who handle personal data understand the new requirements and can identify and escalate consumer rights requests

Organizations that lack dedicated compliance or legal teams can work with managed IT services providers that have experience with state privacy law implementation, particularly firms that specialize in small business IT and understand the resource constraints that smaller organizations face.

Frequently Asked Questions

When does the Minnesota Consumer Data Privacy Act take effect?

The MCDPA takes effect on July 31, 2025. Governor Tim Walz signed the bill into law on May 24, 2024, giving businesses approximately 14 months to prepare. Some provisions related to data protection assessments and profiling obligations may have staggered compliance timelines, so organizations should review the full text of Minnesota Statutes Chapter 325O for specific effective dates.

Does the MCDPA apply to small businesses?

The MCDPA applies to entities that process the personal data of 100,000 or more Minnesota consumers in a year, or 25,000 or more consumers if more than 25 percent of revenue comes from selling personal data. Many small businesses will fall below these thresholds. However, the breach notification statute at Section 325E.61 applies to any person or business that owns or licenses personal data, regardless of size. Small businesses should still implement reasonable security practices and be prepared for breach notification obligations.

How does Minnesota's law compare to the California Consumer Privacy Act?

The MCDPA shares structural similarities with other state privacy laws but includes several provisions that go further. Its right to question profiling decisions is more robust than California's CCPA framework. The MCDPA also requires opt-in consent for processing sensitive data, whereas California allows opt-out mechanisms for some sensitive data categories. However, the CCPA includes a private right of action for certain data breaches, which the MCDPA does not. Both laws exempt data already covered by HIPAA and GLBA.

What happens if my business operates in multiple states?

If your business processes the personal data of residents in multiple states, you must comply with each state's applicable privacy law. The MCDPA applies specifically to the data of Minnesota residents. Organizations operating across states often build a unified compliance program based on the strictest applicable requirements and then adjust for state-specific variations. This approach is more efficient than maintaining entirely separate compliance programs for each state.

Are there criminal penalties under Minnesota's data privacy laws?

The MCDPA itself does not impose criminal penalties — enforcement is limited to civil actions by the Attorney General. However, the Minnesota Government Data Practices Act includes criminal penalty provisions for willful violations by government employees, classified as a misdemeanor. Additionally, conduct that constitutes identity theft or unauthorized computer access may be prosecuted under Minnesota's criminal statutes separately from the data privacy framework.

Alex Morgan

Updated Apr 4, 2026 · 10 min read