The Minnesota Consumer Data Privacy Act (MCDPA): A New Era for Data Rights


The Minnesota Consumer Data Privacy Act (MCDPA), effective July 31, 2025, marks a pivotal moment for consumer privacy in the state, establishing stringent requirements for businesses and granting unprecedented rights to residents over their personal data. Provisions related to postsecondary institutions will take effect on July 31, 2029.

Scope and Applicability

The MCDPA applies to legal entities that conduct business in Minnesota or target products and services to Minnesota residents and meet at least one of the following thresholds:

  • Control or process the personal data of 100,000 or more Minnesota consumers in a calendar year, excluding data processed solely for payment transactions.
  • Derive over 25% of gross revenue from the sale of personal data and process or control the personal data of 25,000 or more consumers.
  • Certain technology providers under Minnesota Statute Section 13.32 (Educational Data) must also comply.

Exemptions

The law includes exemptions for government entities, Indian tribes, state or federally chartered banks, insurance companies, and healthcare providers (for HIPAA-regulated data). Notably, Minnesota is one of the few states, alongside Texas and Nebraska, that exempts small businesses as defined by the U.S. Small Business Administration, although these businesses cannot sell sensitive data without prior consumer consent. Unlike many other state privacy laws, the MCDPA does not exempt institutions of higher education and has narrower exemptions for non-profits, potentially subjecting many non-profit organizations to its requirements.

Consumer Rights

Minnesota consumers gain several robust rights, many consistent with other state data privacy regimes, but some are unique:

  • Right to Know/Access: Confirm whether personal data is being processed and access categories of data and processing purposes.
  • Right to Correction: Correct inaccuracies in personal data.
  • Right to Deletion: Request deletion of personal and sensitive information collected about them.
  • Right to Data Portability: Obtain a copy of personal data in a portable and readily usable format for easy transmission.
  • Right to Opt-Out: Opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling that leads to automated decisions with legal or similarly significant effects. This includes the right to exercise the opt-out through a universal opt-out mechanism.
  • Right to a List of Third Parties: Request a list of specific third parties to whom personal data was sold or disclosed.
  • Unique Right to Question Profiling: Consumers have the unique right to question the results of profiling decisions, be informed of the reason for the decision, and know what actions they could take to secure a different decision. This is particularly relevant for automated decisions affecting employment, housing, education, financial services, or other significant opportunities.
  • Enhanced Protections for Children and Teenagers: Businesses must obtain parental or legal guardian permission before selling personal data or using data for targeted advertising for children under 16. For consumers aged 13-16, opt-in consent is required for targeted advertising or data sale.

Business Obligations

The MCDPA imposes several obligations on controllers and processors:

  • Privacy Notices: Provide a reasonably accessible, clear, and meaningful online privacy notice on their homepage, disclosing data categories, purposes, consumer rights, third-party sharing, retention policies, and contact information. Consumers must be notified electronically of material changes to the notice and given an opportunity to withdraw consent.
  • Data Security Measures: Implement and maintain reasonable administrative, technical, and physical data security practices to protect personal data's confidentiality, integrity, and accessibility, appropriate for the data volume and type.
  • Data Collection Limits: Limit the collection of personal data to what is "adequate, relevant, and reasonably necessary" for disclosed purposes.
  • Consent Management: Obtain opt-in consent before processing sensitive personal data. An easy method to revoke consent must be provided.
  • Data Processing Agreements: Controllers and processors must enter into binding written contracts detailing data processing, confidentiality, data return/deletion, and subcontractor requirements.
  • Data Protection Assessments: Conduct and document data protection assessments for high-risk processing activities like targeted advertising, data sales, sensitive data processing, or profiling that presents a heightened risk of harm to consumers.
  • Data Inventory: Minnesota is the first state to mandate that covered entities create and maintain a data inventory, detailing collected data categories and their purposes.
  • Chief Privacy Officer: Appoint a chief privacy officer or other individual responsible for directing the controller's MCDPA compliance policies and procedures.
  • Non-Discrimination: Do not process personal data in a manner that unlawfully discriminates against consumers based on protected characteristics.

Enforcement and Penalties

The Minnesota Attorney General has exclusive enforcement authority; there is no private right of action for consumers.

  • Warning Letter and Cure Period: Before an action, the Attorney General will issue a warning letter identifying violations, giving the controller/processor 30 days to cure. This cure provision is designed to help businesses adapt and expires on January 31, 2026.
  • Penalties: If uncured, the Attorney General may recover up to $7,500 in civil penalties per violation. The Attorney General's Office has received funding to hire new attorneys and an investigator specifically for MCDPA enforcement.

Statewide Cybersecurity Initiatives and the Threat Landscape

Minnesota is actively combating a "relentless wave of cyber attacks" targeting state and local governments, educational institutions, healthcare, and private industry almost daily. In response, Minnesota IT Services (MNIT) and the Minnesota Cybersecurity Task Force have launched a comprehensive Whole-of-State Cybersecurity Plan.

Goals of the Whole-of-State Cybersecurity Plan

  1. Mature cyber capabilities throughout the state: Provide services, resources, equipment, and training, starting with baseline assessments, to help organizations achieve an acceptable level of security.
  2. Increase participation in programs and services known to work: Expand the use of advanced cybersecurity detection and defensive tools and capabilities by including new participants in successful existing programs.
  3. Collaborate and share information throughout the state: Expand threat intelligence sharing, analysis, and collaboration statewide, using a model similar to U.S. Department of Homeland Security Fusion Centers to consolidate cybersecurity information.
  4. Strengthen the cyber-resiliency of critical infrastructure: Prioritize enhancing the cybersecurity of local government critical infrastructure, initially focusing on creating and delivering foundational cybersecurity services for water and wastewater systems operated by local and Tribal governments in Minnesota.

This plan is funded by $18 million in federal funds from the State and Local Cybersecurity Grant Program (SLCGP) and $5.5 million in state matching funds from the Minnesota Legislature, totaling $23.5 million. At least 80% of this funding is directed toward programming, with 25% specifically designated for rural areas.

Key Initiatives and Responses by MNIT

  • Cyber Navigators: MNIT has expanded its Cyber Navigator Team to provide technical support, guidance, and threat intelligence sharing to smaller government agencies and partners across the state.
  • Cyber Risk Quantification (CRQ): MNIT uses a CRQ tool to help state agency leaders make informed, data-driven decisions about cybersecurity investments by translating risks into financial terms.
  • Login.mn.gov: A new secure, single login solution for public-facing state services is being implemented, aiming to simplify access while enhancing security through identity proofing and multi-factor authentication. All state digital services requiring public sharing of private data must use this enterprise solution by July 1, 2027.
  • Cybersecurity Incident Reporting Law: A new state law, effective December 1, 2024, mandates that public agencies report cybersecurity incidents to MNIT within a tight 72-hour window (24 hours for criminal justice systems). This law led to a significant increase in reported incidents, revealing a more dangerous cyber threat environment than previously understood. Since the law took effect in December 2024, the state has received 186 reports, and in 2024 MNIT's Security Operations Center (SOC) detected or received reports of 5,224 cyber incidents, with malware the most frequent category (3,672 incidents), followed by compromised passwords and social engineering. Reported malware incidents surged 1,500 percent compared to the previous year.
  • Education and Awareness: MNIT conducts public and internal campaigns, including "Cybersecurity Awareness Month" (October 2024), to educate residents and state employees on best practices like recognizing phishing, using strong passwords, and multi-factor authentication.
  • Collaboration: MNIT partners with the Minnesota National Guard (including the Cyber Coordination Cell (C3)), the Minnesota Fusion Center, FBI, CISA, and other state and federal agencies to coordinate resources, share threat intelligence, and respond to cyber threats.

Notable Cyberattack and Ransomware Incidents in Minnesota

Minnesota has experienced several high-profile cyberattacks and ransomware situations demonstrating the persistent threat:

  • City of St. Paul Ransomware Attack (July 2025): The city suffered a ransomware attack that forced the proactive shutdown of its IT systems, severely disrupting services. Hackers, identified as "Interlock," posted 43 gigabytes of stolen data on the dark web after the city refused to pay a ransom. Recovery efforts were ongoing "weeks" after the incident.
  • Mower County Ransomware Attack (June 2025): Mower County confirmed a ransomware attack on its computer network where HIPAA-protected data from the County Health and Human Services Department was acquired by hackers. Systems have been restored, and affected individuals are being notified.
  • City of North St. Paul Police Department Attack (August 2025): An attack on the police department may have compromised sensitive data, prompting city leaders to engage a forensic analysis firm.
  • Fraser Child and Family Center Data Breach (June 2024): This Minnesota healthcare provider experienced a data breach where an unauthorized third party accessed or copied files, potentially affecting up to 67,000 patients and exposing sensitive information like Social Security numbers and medical data.
  • CrowdStrike Global IT Outage (July 2024): A global outage caused by cybersecurity vendor CrowdStrike disrupted critical State of Minnesota operations, with MNIT quickly working to restore systems.
  • Private Industry Incidents: Manufacturers in Minnesota have reported ransomware attacks costing significant amounts to recover, sometimes covered by insurance. Wire fraud incidents have also led to substantial financial losses.

Healthcare Cybersecurity

The healthcare industry in Minnesota is particularly vulnerable to cyberattacks due to rapid digital transformation and connected systems, including medical devices. The University of Minnesota's Center for Medical Device and Health Care Cybersecurity (CMDC) focuses on improving the security and safety of medical devices through collaborations with universities, industry, and government. Organizations like Mayo Clinic are also developing comprehensive HTM (Healthcare Technology Management) cybersecurity frameworks, defining goals such as establishing governance, programs, and training, and aligning requirements to standards such as the NIST Cybersecurity Framework (CSF) and the AAMI cybersecurity guidelines.

AI Governance

Minnesota is proactively addressing the responsible adoption of Artificial Intelligence (AI) in state government through initiatives like the Transparent Artificial Intelligence Governance Alliance (TAIGA). MNIT has published the state’s first Public Artificial Intelligence Services Security Standard in 2023 to guide responsible AI use and protect sensitive data, including policies for state employees using public AI tools like ChatGPT, Bing, and Bard. This is crucial given the reported "rogue AI usage and high-risk data processing" where many workers use AI contrary to company policy, sometimes submitting sensitive data.

Nonbank Financial Data Security

A separate Minnesota data security law, championed by the Minnesota Department of Commerce, took effect on August 1, 2024, for nonbank financial companies. This law requires these companies to develop cybersecurity programs, implement incident response plans, and notify Commerce of cybersecurity events affecting 500 or more consumers. Minnesota is the first state to pass all three model acts for nonbank financial services to provide consumer protections.

Cybersecurity Workforce and Education

Minnesota's cybersecurity job market is experiencing significant growth, particularly in the Minneapolis-St. Paul metropolitan region, which is home to major corporations like Target, UnitedHealth Group, and 3M.

  • The Minneapolis cybersecurity job market is projected to see a 28% growth rate in roles by 2025.
  • There's a significant talent shortage, with the state's workforce supply/demand ratio at 78%.
  • Cybersecurity analysts in Minneapolis can expect a median salary of $124,380, with entry-level positions starting around $121,500.
  • Prominent growth areas include cloud security, incident response, ethical hacking, AI-driven security, and machine learning applications.
  • Educational Initiatives: Minnesota institutions offer a range of degree and certification programs. The Minnesota State IT Center of Excellence, hosted by Metropolitan State University, founded MN Cyber, which focuses entirely on growing the state’s cybersecurity workforce.
    • MN Cyber Academy provides training leading to certifications desired by employers.
    • MN Cyber Range is a world-class training and simulation platform using real-world scenarios.
    • Several colleges offer Associate of Applied Science (AAS) degrees in Cybersecurity, some with CAE-CD designation (Center for Academic Excellence in Cyber Defense) and online options, such as Century College, Riverland Community College, and Saint Paul College.
    • Metropolitan State University offers Bachelor of Science (BS) and combined BS+MS degrees in Cybersecurity, including online formats, with a focus on lab-based courses and in-depth understanding of contemporary issues.
    • Master's degrees are available from Walden University, Capella University, and Metropolitan State University, often online.
    • Cybersecurity certifications are offered by Century College, Lake Superior College, Metropolitan State University, and Saint Paul College.
    • Bootcamps, such as Nucamp's 15-week Cybersecurity Fundamentals program, offer comprehensive training in network defense and ethical hacking.
  • Industry Events: The Minneapolis Technology Summit 2025 and Cybersecurity Conference are highlighted as key events for networking and learning about the latest trends in AI and cloud security.

Minnesota's integrated approach to data privacy and cybersecurity, through robust legislation, comprehensive statewide plans, and dedicated educational programs, aims to create a secure and resilient digital environment for all its constituents. The active pursuit of these initiatives, coupled with collaboration across various sectors, demonstrates the state's commitment to safeguarding sensitive information and critical infrastructure in an ever-evolving threat landscape.

By Compliance Hub