How to Use the AGO's Forms

The fillable PDFs on this site have been supplied to you to help you write to a data controller or processor to exercise your rights under the Minnesota Consumer Data Privacy Act (“MCDPA”).

Where and How to Submit

Controllers are required to have a privacy page on their website that provides the mechanism by which you may exercise your privacy rights. Usually, this mechanism takes the form of an online portal or an email address. You may use this form by filling in some or all of the fields above, saving the completed document or printing as a PDF, and submitting it to the controller per the instructions on that controller’s privacy webpage.

One Name Per Form

The MCDPA allows legal guardians or conservators to exercise the privacy rights of a consumer subject to conservatorship or guardianship, on that person’s behalf. The MCDPA also allows parents to exercise the privacy right of certain minor children, specifically those under the age of 13. You should only use this form for one individual at a time. For example, if you are seeking to exercise your privacy rights and the privacy rights of your minor child, you should submit separate requests, on separate forms, for you and your minor child—you should not use a single form to exercise both of your rights.

Choosing to Submit Data

The provided forms do not require you to enter in all (or any) of the fields suggested. You should only complete as many fields as you are comfortable with filling in.

Controllers must only comply with requests that the controller is able to authenticate using “commercially reasonable efforts.” Accordingly, if you do not supply sufficient information to identify the person whose privacy right you are exercising—or do not supply sufficient information to show that you, the requester, are an authorized representative of the person whose privacy rights you are attempting to exercise—the controller may request additional information from you that is reasonably needed to authenticate your request.

After processing a request to delete data, controllers are mandated to retain “the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted.”

Retaining Copies

You should retain a copy of the form you complete and submit to the controller for your own records. Should you later wish to complain to the Attorney General’s Office about a controller failing to honor your privacy rights, it is likely that the Office will find your initial submission helpful in evaluating your complaint.

---

Disclaimer: The Attorney General’s Office (“AGO”) is providing this page as a rough guide to explore rights and obligations pursuant to the Act. In many instances, this website simplifies or rewords the provisions of the Act for comprehension and readability. The website is not intended to provide guidance as to how the AGO would enforce the Act. It is not the AGO’s intention to provide any information on this website that would conflict with the Act. The AGO offers this website as a tool for exploring the Act, but nothing on this site should be construed as legal advice for interpreting the Act or how the Act might be enforced.