Attorney General Keith Ellison is sharing an update with Minnesota businesses and consumers about the status of the Minnesota Consumer Data Privacy Act (MCDPA), including the office’s early enforcement efforts, the end of an early warning period built into the law, and steps consumers can take to guard their privacy.
“There are more reasons than ever why Minnesotans should care about and want to protect their online privacy,” said Attorney General Keith Ellison. “My office has been hard at work enforcing the Consumer Data Privacy Act, I encourage people across our state to make use of this powerful new law to protect their data and minimize their digital footprint. And remember, if you try to assert your rights under the Consumer Data Privacy Act and don’t hear back from the business in question within 45 days, file a complaint with my office.”
Background on the MCDPA
Six months ago, the Minnesota Consumer Data Privacy Act took effect. The law empowers Minnesota residents with key rights over their personal data. Minnesota residents have the right to: access data that companies are holding about them; have companies correct data that is inaccurate; request that companies delete such data; and opt-out of the processing of their personal data targeted advertising. The law also establishes that companies must secure consent before they collect certain sensitive data (like specific location data or data that reveals mental or physical health condition, or citizenship or immigration status). The law also creates privacy protection standards for businesses that collect and process personal data of Minnesota residents.
Minnesotans can visit privacymn.com to learn more about their new rights under the MCDPA, and to find template forms they can use to enforce those rights. This page has more information about how to use those template forms.
The MCDPA requires companies subject to the law to provide a means for consumers to submit such forms asserting their rights. The means for submission can be a portal, email address, or may appear in some other form, but it must meet be secure and reliable, take into account the way consumers interact with the company and the need for secure and reliable communication of requests, and it must not require the creation of a new account.
Early Enforcement Efforts
Since the MCDPA went into effect, the Attorney General’s Office has taken significant steps to encourage compliance with the new law. The Office sent hundreds of education letters to companies and presented background on the law and resources related to compliance in various public facing settings.
The Office also prepared privacymn.com and a privacy-complaint portal. While the Office does not represent private individuals, each complaint submitted is reviewed by privacy attorneys. In the last six months, the Office received more than 200 complaints regarding the MCDPA. The nature of the complaints varied, but many involved consumers’ attempts to exercise new data rights under the MCDPA, including the “right to delete.”
The Office also sent dozens of warning letters to companies that identified problems with privacy policies, procedures for honoring consumer data rights, consent mechanisms for collecting sensitive data, and responses to universal opt-out signals. Generally, company responses have been productive and resulted in quick corrections.
Notice Period Ending
Until January 31, 2026, the Attorney General was required to provide notice of any believed violation 30 days in advance of bringing a lawsuit. This “notice period” sunsets on January 31, 2026, which means that the Attorney General no longer is required to provide notice and 30 days before bringing enforcement action. As such, the Office strongly encourages businesses within the scope of the MCDPA to review their practices to ensure compliance with the law.
Steps to Protect Your Personal Data
Minnesotans are encouraged to take steps to protect their personal data. Many everyday activities allow businesses access to information about you. In addition to the tips provided here, these steps can help you take control of your information with regard to apps and smart devices:
Be Cautious about New Apps and Smart Devices. Apps and smart devices have access to some of our most sensitive data. And some collect information that have nothing to do with their features or functionality. When you are downloading a new app, or buying a smart device, ask yourself key privacy questions: Why does the app or device collect your information? How does this app or device share your information – and with whom? Choose the option with the level of privacy that you prefer.
Delete Apps You No Longer Use. Get rid of apps that you no longer use. It saves space and stops the company from continually collecting data on you. It is also smart to delete any account you have with the company behind the app. The more accounts you have, the more at risk you are of having your personal information misused or stolen.
Secure Your Health Apps. Health and fitness apps can be useful for monitoring health and exercise but also could expose sensitive information to data brokers and marketing companies. Generally, laws that regulate healthcare data do not apply to these apps. Take steps to secure the apps so this information is being handled appropriately.
Review Settings. Review privacy settings regularly to control how your personal data is collected, used, and shared across platforms. This practice helps prevent unwanted exposure and aligns your digital footprint with your preferences.
Limit Location Permissions. Some apps have access to the mobile device’s location services and thus have access to the user’s approximate physical location. For apps that require access to location data to function, consider limiting this access to when the app is in use only.
Be Cautious with Signing into Apps with Social Network Accounts. Some apps are integrated with social network sites, which may allow for the app to collect information from your social network account and vice versa. Consider whether you are comfortable with this type of information sharing before you sign into an app via your social network account. Instead, you could use an email address and unique password.
Report Your Concerns. If you believe an app or device shared your personal information without your permission you should submit a report here.
