Minnesota Consumer Data Privacy Act (“MCDPA”)
Information for Businesses   •   Controller Responsibilities   •   Processor Responsibilities   •   Exemptions   •   Criteria

• Collection and Use of Data Must be Reasonable in Relation to the Purpose of Processing

  Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed. Those purposes must be disclosed to the consumer. If the controller would like to process personal data for purposes not disclosed to the consumer, the controller must obtain consumer consent for that processing.

• Processing of Sensitive Data or Data Concerning a Known Child

  Sensitive Data

  With limited exceptions, a controller may not process sensitive data concerning a consumer without the consumer’s consent.

  Children (up to age 13)

  Controllers must comply with the requirements of the Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501 – 6506 and related regulations, rules, and exemptions. With limited exceptions, controllers may not process the personal data concerning a known child without obtaining consent from the child’s parent or lawful guardian.

  Children (13-16)

  Controllers may not process the personal data of a consumer for the purposes of targeted advertising, or sell the consumer’s personal data, without the consent of that consumer, where the controller knows that the consumer is between the ages of 13 and 16.

• Discriminatory Processing Prohibited

  Controllers are prohibited from processing personal data on the basis of a consumer’s (or a class of consumers’) actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, lawful source of income, or disability in a manner that would unlawfully discriminate against the consumer or class of consumers with respect to the offering or provision of housing, employment, credit, or education. The same applies to such processing that would unlawfully discriminate against the consumer or class of consumers with respect to the offering or provision of goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation.

• Non-disclosure of Certain Data

  Although some provisions of the Act require a controller to provide a response to a consumer, that response may not disclose the following information pursuant to a request to enforce a consumer’s rights:

  • Government-issued identification numbers, including social security numbers and driver’s license numbers;
  • Financial account numbers;
  • Health insurance account numbers or medical identification numbers;
  • Account passwords, security questions, or answers; or
  • Biometric data.

  Instead, if relevant, a controller must inform the consumer that certain data has been collected (e.g., “social security number”) without providing the sensitive information itself.

• Processing of Consumer Data not Obtained from the Consumer

  Controllers sometimes acquire consumer data from sources other than the consumer themselves. When controllers receive a consumer’s request to delete the consumer’s data, pursuant to the Act, but that data did not come from the consumer themselves, the controller may either:

  • delete the data, as requested, maintaining only a record of the deletion request (using that retained information only as permitted by the Act); or
  • opt the consumer out of the processing of personal data for any purpose, except for purposes exempted pursuant to the Act.
• Exception: Trade Secret Data

  The Act does not require controllers provide trade secrets in response to a consumer request.

The Official Website of Office of Minnesota Attorney General Keith Ellison

The Minnesota Attorney General's Office values diversity and is an equal opportunity employer.