Preparing for the Minnesota Consumer Data Privacy Act

The Minnesota Consumer Data Privacy Act (MCDPA), effective July 31, 2025, introduces new data protection requirements for businesses that collect or process personal data. Designed to give Minnesota residents greater control over their information, the law outlines consumer rights and business obligations. 

This guide covers the key provisions of the MCDPA, the steps business owners and website operators need to take to ensure compliance, and how Creed can assist with implementing a cookie-consent mechanism on your website.

The Minnesota Consumer Data Privacy Act is a comprehensive data privacy law designed to protect the personal information of Minnesota residents. Signed into law in May 2024 by Governor Tim Walz, it positions Minnesota among the growing number of states enacting robust data privacy regulations. The law grants consumers specific rights over their personal data and imposes obligations on businesses regarding data collection and processing.

Key Provisions of the MCDPA

Consumer Rights: Minnesota residents are afforded several rights, including:

• Right to Access: Individuals can request access to their personal data held by businesses.
  
• Right to Correct: Consumers can request corrections to inaccurate personal data.
  
• Right to Delete: Individuals have the right to request the deletion of their personal data.
  
• Right to Data Portability: Consumers can obtain a copy of their personal data in a portable format.
  
• Right to Opt-Out: Individuals can opt out of the processing of their personal data for purposes such as targeted advertising or the sale of personal data.
  

Business Obligations:

• Transparency: Businesses must provide clear privacy notices detailing their data collection and processing practices.
  
• Data Minimization: Collect only data that is necessary and relevant for the intended purpose.
  
• Security Measures: Implement reasonable security practices to protect personal data.
  
• Consent for Sensitive Data: Obtain explicit consent before processing sensitive personal data.
  
• Applicability: The MCDPA applies to businesses that: Control or process personal data of at least 100,000 consumers annually; OR Derive over 25% of gross revenue from the sale of personal data and process data of at least 25,000 consumers.
  

Steps to Prepare for the MCDPA

To ensure compliance with the MCDPA by its effective date, consider the following steps:

1. Conduct a Data Inventory: Identify and document the personal data your organization collects, processes, and stores. Understand the flow of data within your systems and with third parties.
   
2. Update Privacy Policies: Revise your privacy policies to reflect MCDPA requirements. Clearly inform consumers about their rights and how your organization collects, uses, and shares personal data.
   
3. Implement Data Subject Request Procedures: Establish processes to handle consumer requests regarding their data rights, ensuring responses within the mandated 45-day timeframe.
   
4. Review and Update Contracts: Ensure contracts with data processors include terms that require compliance with the MCDPA, outlining responsibilities and data protection measures.
   
5. Conduct Data Protection Assessments: For activities involving targeted advertising, the sale of personal data, or the processing of sensitive data, perform assessments to evaluate and mitigate risks to consumer privacy.
   
6. Implement Consent Mechanisms: Where required, particularly for sensitive data, establish clear methods for obtaining and managing consumer consent.
   
7. Train Employees: Educate staff about the MCDPA, emphasizing their roles in maintaining compliance and protecting consumer data.
   

Implementing Cookie Consent on Your Website

Cookies are small data files used to track and store user information on websites. Under the MCDPA, obtaining user consent before deploying non-essential cookies is essential to respect consumer privacy rights.

Steps to Set Up Cookie Consent

1. Conduct a Cookie Audit: Identify the types of cookies your website uses, categorizing them as essential or non-essential.
   
2. Choose a Consent Management Platform (CMP): Utilize tools like CookieYes, Osano, or OneTrust to manage cookie consent effectively.
   
3. Design a Cookie Banner: Create a banner that informs users about cookie usage and seeks their consent. Ensure it aligns with your website’s design and provides clear options to accept or decline cookies.
   
4. Implement Granular Consent Options: Allow users to choose which types of cookies they consent to, enhancing transparency and control.
   
5. Maintain Consent Records: Keep detailed records of user consents to demonstrate compliance in case of audits or legal inquiries.
   

How Creed Can Assist

Navigating the complexities of data privacy compliance can be challenging, but you don’t have to do it alone. Creed Interactive specializes in creating user-friendly, compliant websites and can assist in implementing effective cookie consent mechanisms tailored to your needs.

Services Offered by Creed 

• Custom Cookie Consent Solutions: Designing and integrating cookie banners that align with your brand and comply with the MCDPA.
  
• Employee Training: Offering training sessions to educate your team on data privacy best practices and compliance requirements.
  
• Ongoing Compliance Support: Providing continuous monitoring and updates to your website’s privacy features to adapt to evolving regulations.
  

Partnering with Creed ensures your website not only meets MCDPA requirements but also builds trust and transparency with your users.

With the July 31, 2025, effective date approaching, now is the time to take proactive steps: understand the law, make the right changes, and prepare your business to confidently navigate what’s ahead.

---