Minnesota's MCDPA includes an unusual mandate that businesses maintain a written data privacy program, including data inventory and retention schedules — not just a privacy notice.
Last reviewed 2026-06-19 · Risk rating rationale: 100,000-consumer threshold + written-program requirement raises the operational bar above the typical 'just publish a notice' baseline.
Find out in 10 seconds whether your site meets Minnesota's requirements
Scantra runs a free, no-account, 9-check audit of your homepage covering privacy policy, contact info, CCPA-style opt-out, security headers, accessibility, and SEO basics. Most Minnesota sites we scan fail at least three.
No credit card · Email required so we can send you the full results.
Key Minnesota laws affecting websites
The statutes most likely to apply to a commercial website serving Minnesota residents. Click a citation to read the official text where available.
MCDPA
— Minnesota Consumer Data Privacy Act· Effective 2025
Applies to: Entities that conduct business in Minnesota or target Minnesota residents AND control or process data of 100,000+ Minnesota consumers (or 25,000+ with 25%+ revenue from data sale).
What your website must do
Privacy notice + standard rights enumeration
Maintain a documented data privacy program including data inventory and retention schedules
Honour Global Privacy Control
Opt-in consent for sensitive data
Opt-out of targeted ads, sale, and significant-decision profiling
What your site has to disclose, ask consent for, and allow consumers to do with their personal information.
MCDPA's written-program requirement is unusual — most state laws stop at the privacy notice. Compliance requires a documented internal program, not just an external policy.
Practical requirements for your website
Document a written data privacy program with inventory + retention
Privacy notice with rights enumeration
Honour GPC
Respond to rights requests within 45 days
Cookies and tracking
Federal law applies
When you need consent, opt-outs, or universal-signal honor for cookies and analytics scripts.
No cookie banner mandate.
Practical requirements for your website
Honour GPC
Privacy choices link in footer
Accessibility (ADA + state)
Federal law applies
WCAG conformance expectations and how the state's accessibility cases tend to be litigated.
Federal ADA Title III applies.
Practical requirements for your website
WCAG 2.1 AA conformance
Cybersecurity and breach response
Federal law applies
What 'reasonable security' looks like under state law and how fast you have to notify after a breach.
Federal FTC Act applies.
Practical requirements for your website
Material connection disclosures
Email and SMS marketing
Federal law applies
How federal CAN-SPAM and TCPA interact with state-level marketing rules in this jurisdiction.
Federal CAN-SPAM applies.
Practical requirements for your website
Standard CAN-SPAM compliance
AI regulation
Federal law applies
Which AI uses the state has chosen to regulate, who's covered, and what the website has to disclose.
MCDPA covers profiling for significant decisions.
Practical requirements for your website
Profiling opt-out for significant decisions
Frequently asked questions about Minnesota website compliance
What does a 'written data privacy program' have to include under MCDPA?
At minimum: a data inventory (what categories of personal data you hold, where, for what purpose), retention schedules, named roles for privacy oversight, training, and a vendor management process. Best practice is to align with NIST Privacy Framework or ISO 27701 since other state laws (notably Tennessee's TIPA) recognize those as safe harbors.
Ready to check your own site against Minnesota's requirements?
The same free 9-rule scan, no signup needed. Two of the findings include drafted fixes you can copy/paste; full results (and ongoing monitoring) come with a free account.
Important: Scantra is a software tool and a non-profit publisher, not a law firm. The summaries on this page are written for general business orientation and reflect the editors' reading of the statutes as of 2026-06-19. They are not legal advice and should not be the only source you rely on for compliance decisions. For your specific situation, consult a licensed attorney in Minnesota.