Minnesota
Code/Regulations
Effective Date: July 31, 2025 (Postsecondary institutions July 31, 2029)
Details
Threshold
Legal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota, and
(1) During a calendar year, controls or processes personal data of 100,000 consumers or more (excluding data processed for payment transactions);
or
(2) Derives over 25% of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.
Entities that are Small Businesses as defined by the US Small Business Administration and conduct business in Minnesota may not sell a consumer's sensitive personal information without the consumer's prior consent.
Definition of "Sensitive Data"
As with all state general privacy laws, includes the following Personal Data:
- Race or ethnic origin;
- Religious beliefs;
- Citizenship or immigration status;
- Genetic data;
- Biometric data;
- Physical or mental health diagnosis; and
- Sexual orientation.
In addition, Minnesota’s definition also includes:
- Specific geolocation data; and
- Personal data of a known child.
Definition of "Personal Data"
Linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include deidentified data or publicly available information. Does not include people acting in an employment or commercial context.
Definition of "Sale, "sell," or "sold"
Exchange of personal data for monetary or other valuable consideration by the controller to a third party.
Data-Protection Assessments
Required for targeted advertising, sale of personal data, processing of sensitive data, data that presents a heightened risk of harm to consumers, and certain profiling.
Opt-In Consent Required for Processing Sensitive Data
Yes
Consumer Rights to Request Access, Confirm Processing, Correction, Deletion & Portability
Yes
Consumer Right to Opt Out of Sale
Yes
Consumer Right to Opt Out of Targeted Ads/Sharing
Yes
Consumer Right to Opt Out of Certain Profiling
Yes
Pseudonymous Data Exempt from Consumer Requests
Yes
Appeal Rights
Yes
Universal Opt-Out Mechanism Required Recognition/Date
Yes
Data of Minors
COPPA exception; obtain parental consent to process personal data concerning a known child
GLBA Exemption
Yes (data-level)
HIPAA Exemption
Yes (data-level)
Applies/Does Not Apply to Personal Information in a Commercial or Employment Context
Does not apply to commercial or employment context; applies in an individual or household context.
Nonprofit Exemption
Only to the effect that it detects and prevents fraudulent acts in connection with insurance.
Private Right of Action
No
Cure Period
30 days
Cure Period Expiration
January 31, 2026
Enforcement Authority/Damages
Attorney General, not more than $7,500 for each violation.
Disclaimer: States may periodically amend their laws and regulations and such amendments may affect or modify certain legal requirements or compliance obligations. There is no guarantee that this research is up to date as laws and regulations in the state consumer data privacy space continue to evolve. You should consult an attorney to assess the applicability of any existing, new, or proposed state consumer data privacy laws. By accessing this site, you acknowledge your understanding that the underlying content is not a replacement for legal counsel and does not constitute legal advice.