Minnesota Consumer Data Privacy Act (MCDPA)

Overview

While the Minnesota Consumer Data Privacy Act largely follows the Washington Privacy Act framework, it includes several distinctive elements. Among those is an exemption for small businesses, as well as granting consumers the right to challenge and seek explanations for profiling decisions. The bill also emphasizes cross-state compatibility through its privacy policy requirements, aiming to streamline compliance across different state privacy laws.

Key Dates

• Signed into law: May 19, 2024
• Effective date: July 31, 2025

Thresholds

The MNCDPA applies to legal entities that conduct business in Minnesota or produce products or services that are targeted to Minnesota residents and satisfy one or more of the following thresholds:

• control or process personal data of 100,000 or more consumers in a calendar year (excluding personal data controlled or processed solely for the purpose of completing a payment transaction)
• derive over twenty-five percent (25%) of gross revenue from the sale of personal data and process or control personal data of 25,000 or more consumers.

Consumer Rights

• The right to confirm whether a controller is processing their personal data and providing access to their data, unless providing confirmation and access would require the controller to reveal a trade secret.
• The right to correct inaccuracies in their personal data.
• The right to delete personal data concerning them.
• The right to obtain a copy, in an accessible format, of their personal data processed by the controller (i.e., data portability).
• The right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling.
• The right to obtain a list of third parties to which the controller has disclosed the consumer's personal data.

Sensitive Data

Sensitive data is defined as:

• Personal data revealing
  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
• Genetic or biometric data for the purpose of uniquely identifying an individual
• Data collected from a known child
• Specific geolocation data.

Penalties

Up to $7,500 per violation.

Configure Your Consent Banner for MCDPA

Regions are used to customize the behavior and experience based on an individual user’s location. As an example, this allows you to provide different experiences to users based on regional differences (like GDPR in the EU vs. MCDPA in MCDPA). When a user visits your site, we will automatically determine their location and will match them to the most granular region rule that you have setup in Concord. This can go down to the state/province level, which allows for different experiences for different laws (like MCDPA in Minnesota).

Recommended Consent Settings

Based on the current laws, we recommend the following regional settings:

• Consent Mode: Implied
• Blocking Mode: Strict
• Google Consent Mode V2: Basic
• Consent Duration: 12 months
• Enable Limit Sensitive Information: Enabled
• Enable Do Not Sell Consent: Enabled
• Enable Global Privacy Control: Enabled

For step-by-step instruction on how to configure your consent banner for different geographical regions within the Concord app, see our help document https://www.concord.tech/docs/configure-consent-banner-difference-regions.

Important Note: While you can get as granular as you want, we typically recommend a single global policy that meets the strictest guidelines across regions, or higher splits (like separate GDPR and United States regions). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.