Minnesota Privacy Law (MNDPA) Compliance Guide for Small Businesses
Minnesota MNDPA took effect July 31, 2025. It applies to businesses processing data of 100,000+ Minnesota consumers and includes automated decision rights.
Minnesota Privacy Law (MNDPA): What Small Businesses Need to Know
The Minnesota Consumer Data Privacy Act (MNDPA) took effect July 31, 2025, and applies to any business processing the personal data of 100,000 or more Minnesota consumers in a calendar year — with no annual revenue threshold. A secondary trigger captures businesses processing data of 25,000 or more Minnesota consumers and deriving 25% or more of revenue from data sales (lower than the 50% used by most states). The Minnesota Attorney General is the sole enforcement authority. MNDPA's most distinctive feature is the right to question automated decisions — Minnesota consumers have the right to obtain information about, and request a human review of, decisions made about them by algorithms or AI systems that produce legal or similarly significant effects.
Does MNDPA Apply to My Business?
MNDPA applies to any person that conducts business in Minnesota or produces products or services targeted to Minnesota residents AND meets one of two thresholds:
- Controls or processes personal data of 100,000 or more Minnesota consumers during a calendar year, OR
- Controls or processes personal data of 25,000 or more Minnesota consumers AND derives more than 25% of gross revenue from the sale of personal data.
The threshold logic is OR, with no revenue floor under either path. Minnesota's 25% data sale revenue threshold is lower than the 50% used by California, Texas, Virginia, and most other states.
| Threshold | Minnesota MNDPA | CCPA/CPRA | Texas TDPSA |
|---|---|---|---|
| Revenue | None | $25M+ | None |
| Consumer count | 100,000 | 100,000 | 100,000 |
| Data sale alternative | 25K + 25% | 50% revenue share | 25K + 50% |
| Threshold logic | OR | OR | OR |
Minnesota accounts for roughly 1.7% of the US population. A national e-commerce store with approximately 5.9 million annual unique US visitors would, on a population basis, reach 100,000 Minnesota consumers.
What Does MNDPA Require?
MNDPA grants Minnesota consumers a comprehensive set of rights including a unique automated decision rights provision.
Consumer rights you must honor. Access, correction, deletion, portability, and opt-out of targeted advertising, sale of personal data, and profiling. Plus the right to obtain information about and contest profiling decisions made by automated systems that produce legal or similarly significant effects. Response deadline is 45 days, with one possible extension. Consumers have the right to appeal denied requests.
Disclosures you must publish. Privacy notice covering categories of data, purposes, third-party sharing, rights instructions, and information about any automated decision-making processes used.
Operational practices you must implement. Conduct data protection assessments for high-risk processing including profiling and algorithmic decision-making. Obtain affirmative opt-in consent for sensitive data processing. Establish reasonable security practices. MNDPA does not currently mandate honoring universal opt-out signals, though this may change through regulations.
How MNDPA Affects Small Businesses
For Shopify merchants, direct-to-consumer brands, and any business using AI or algorithmic tools for pricing, recommendations, customer segmentation, fraud detection, or credit decisions, the automated decision rights provision is the most operationally significant feature of MNDPA. If your store uses dynamic pricing, personalized recommendations driven by ML, or any algorithmic process that significantly affects consumers, you must disclose those processes in your privacy notice and respond to requests for information and human review.
The 25% data sale revenue secondary threshold (vs the more common 50%) makes MNDPA more expansive for businesses with ad tech monetization or affiliate revenue. Businesses that fall outside Texas TDPSA or Virginia VCDPA on the secondary threshold may still be in scope under Minnesota's lower bar.
The 100,000 primary consumer threshold means most businesses in scope under Virginia or Texas are also in scope under Minnesota, on a population-share basis. Multi-state privacy compliance programs should add Minnesota as a routine extension.
Key Differences from Other State Privacy Laws
MNDPA stands out from other state privacy laws on two distinctive features:
Right to question automated decisions. Minnesota grants consumers an explicit right to obtain information about and request human review of decisions made by automated systems that produce legal or similarly significant effects. This is the most developed automated decision rights provision in any current US state privacy law. It anticipates AI and algorithmic decision-making in consumer-facing businesses.
25% data sale revenue threshold. Lower than the 50% used by most states. Catches more businesses with ad tech and affiliate revenue.
Compared to California CCPA/CPRA, Minnesota grants more developed automated decision rights but no private right of action. Compared to Virginia VCDPA, Minnesota is structurally similar but adds the automated decision provisions and has a lower secondary data sale threshold. Compared to Iowa ICDPA, Minnesota is significantly more demanding.
How to Comply with MNDPA
If MNDPA applies to your business, the following steps establish a baseline.
- Confirm scope. Calculate annual Minnesota consumer count from analytics and customer records. Check whether you derive 25% or more of revenue from data sales with at least 25,000 Minnesota consumers.
- Inventory automated decision-making processes. Identify every algorithmic or AI-driven process in your business that affects consumers — dynamic pricing, recommendations, fraud detection, credit decisions, personalization. Document the inputs, the logic, and the impacts.
- Update your privacy notice with categories, purposes, third-party sharing, rights instructions, and information about automated decision-making processes.
- Add explicit opt-out mechanisms for targeted advertising, sale of personal data, and profiling.
- Build a consumer rights request workflow including the right to question automated decisions. Provide a method for consumers to request information and human review.
- Build a denial appeals process with timely written response.
- Implement opt-in consent for sensitive data.
- Conduct data protection assessments for high-risk processing including profiling and algorithmic decision-making.
- Document reasonable security practices appropriate to data volume.
MNDPA Enforcement and Penalties
The Minnesota Attorney General has exclusive enforcement authority for MNDPA. There is no private right of action — Minnesota consumers cannot sue businesses directly. The AG may seek civil penalties of up to $7,500 per violation, plus reasonable expenses incurred in investigation.
MNDPA includes a 30-day cure period before formal enforcement during a transitional period. After the transitional period, cure opportunities are discretionary. The Minnesota AG has signaled that automated decision-making compliance will be an enforcement priority given the law's distinctive provisions in this area.
Frequently Asked Questions
When does Minnesota's privacy law take effect?
Minnesota's Consumer Data Privacy Act (MNDPA) took effect July 31, 2025. The Minnesota Attorney General is the sole enforcement authority.
Does MNDPA have a revenue threshold?
No. MNDPA applies based on consumer data volume only: 100,000 or more Minnesota consumers annually, or 25,000 or more consumers if 25% or more of revenue comes from data sales. There is no annual revenue minimum.
What is unique about MNDPA's automated decision rights?
Minnesota grants consumers the right to obtain information about and request human review of decisions made by automated systems that produce legal or similarly significant effects. This applies to AI-driven pricing, recommendations, fraud detection, credit decisions, and similar processes. It is the most developed automated decision rights provision in any current US state privacy law.
Does MNDPA require honoring universal opt-out signals?
Not currently. Unlike California, Colorado, and Connecticut, Minnesota does not mandate honoring GPC or other universal opt-out browser signals. This may change through future regulations.
What are the penalties for MNDPA violations?
The Minnesota AG can seek civil penalties of up to $7,500 per violation, plus reasonable investigation costs. There is no private right of action. A 30-day cure period applies during the transitional period after the effective date.
Does MNDPA apply to my Shopify store?
MNDPA applies if you process personal data from 100,000 or more Minnesota consumers annually, or 25,000 with significant data sale revenue. If you use AI or algorithmic tools that affect consumers — including dynamic pricing or personalized recommendations — pay particular attention to the automated decision rights provisions even if your consumer count is below the threshold today.
Check if MNDPA applies to your business → Take the free 5-minute quiz
This guide is for informational purposes only and does not constitute legal advice. Last updated: April 2026.
When does Minnesota's privacy law take effect?
Does MNDPA have a revenue threshold?
What is unique about MNDPA's automated decision rights?
Does MNDPA require honoring universal opt-out signals?
What are the penalties for MNDPA violations?
Does MNDPA apply to my Shopify store?
Find out which laws apply to your business
Take Purview's free 5-minute compliance quiz. No credit card required.
Take the Free Quiz