Minnesota Consumer Data Privacy Act (“MCDPA”)

Information for Businesses

The MCDPA requires businesses, among other obligations, to comply with certain demands consumers make about their own personal data. The MCDPA regulates certain data and types of entities, and it contains separate provisions for “controllers” of personal data versus “processors” of personal data. Accordingly, it is important for businesses to first understand whether they, or the personal data they process or control, are subject to the MCDPA. Businesses must then determine what role they play in holding or using personal data, since this distinction will determine their specific obligations under the law.

Small Businesses

Small businesses are generally exempt from most requirements of the MCDPA, though small businesses are always prohibited from selling a consumer’s sensitive data without the consumer’s prior consent. The MCDPA defines a small business as an entity that conducts business in Minnesota or produces products or services that are targeted to residents of Minnesota, and that meets the definition of small business provided by the United States Small Business Administration (“SBA”) in 13 CFR § 121. The SBA publishes a full table of industries at 13 CFR § 121.201, giving the cutoffs for what constitutes a small business in terms of yearly receipts and/or number of employees.

Controller

A controller of data is an entity which, alone or jointly with others, determines the purposes and means of the processing of personal data.

I want to learn more about my responsibilities as a controller.

Processor

A processor of data is an entity which processes personal data on behalf of a controller. “Process” means any operation or set of operations that are performed on personal data, including the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. Processors may only process data at the direction of a controller.

I want to learn more about my responsibilities as a processor.

Scope of Act and Exempt Businesses and Data

The Act does not apply in the same way to all businesses and all data. You can read more about the criteria for being subject to the Act here, and you may read more about the various exemptions of the Act here.


Disclaimer: The Attorney General’s Office (“AGO”) is providing this page as a rough guide to explore rights and obligations pursuant to the Act. In many instances, this website simplifies or rewords the provisions of the Act for comprehension and readability. The website is not intended to provide guidance as to how the AGO would enforce the Act. It is not the AGO’s intention to provide any information on this website that would conflict with the Act. The AGO offers this website as a tool for exploring the Act, but nothing on this site should be construed as legal advice for interpreting the Act or how the Act might be enforced.