RatedWithAI

RatedWithAI

Accessibility scanner

Privacy LawJuly 14, 2026

Minnesota Consumer Data Privacy Act (MCDPA) AI Compliance 2026

Most state privacy laws give consumers the right to opt out of AI profiling. Minnesota goes a step further: consumers can ask why your algorithm decided what it decided, and request a human review. If your AI product scores, ranks, or denies Minnesota consumers, that's a different compliance bar than CCPA or VCDPA.

Jul 31, 2026
Mandatory 30-day cure period sunsets — enforcement becomes fully discretionary
Right to Question
Consumers can demand an explanation and human review of AI profiling decisions
Data Inventory
Controllers must maintain a written, current record of what data they process and why

Does MCDPA Apply to Your AI Product?

MCDPA applies to businesses that conduct business in Minnesota or produce products or services targeted to Minnesota residents and that, during a calendar year, either:

  • Control or process the personal data of 100,000 or more Minnesota consumers, excluding data controlled solely to complete a payment transaction, OR
  • Control or process personal data of 25,000 or more consumers and derive over 25% of gross revenue from the sale of personal data

As with other newer state laws, there's no revenue-only floor — an AI product with a large free tier can cross the consumer-count threshold well before it's generating meaningful revenue. Nonprofits and higher-education institutions carry exemptions that most for-profit AI SaaS companies don't get.

The Right to Question: Minnesota's Standout Provision

Most comprehensive state privacy laws stop at giving consumers a right to opt out of profiling used for decisions with legal or similarly significant effects — credit, employment, housing, insurance, healthcare, education. MCDPA adds something closer to a GDPR-style explanation right: consumers can question the result of that profiling and, where feasible, request to be informed of steps they could take to secure a different outcome, along with access to a human reviewer of the decision.

For AI companies, this means an opt-out toggle alone doesn't satisfy Minnesota's bar. You need an operational path for a Minnesota consumer to say "explain this decision" and get a substantive response — which means your model or scoring system needs to produce human-legible factors, not just a numeric output, for any decision that falls into a legal-or-similarly-significant-effect category.

The Data Inventory Requirement

MCDPA requires controllers to maintain a written data inventory — a current, internal record of what categories of personal data the business processes, the purposes for processing, and (in practice) where that data lives and moves. This is an internal accountability document, distinct from the privacy notice you publish externally.

Categories of personal data processed

Including data used as model inputs, training data derived from user activity, and inferred/derived attributes your AI system generates.

Purpose of processing for each category

Tied to the actual business function — profiling, personalization, fraud detection, model training — not a generic catch-all.

Data flow and storage locations

Where the data is stored and which internal systems or third-party AI vendors touch it.

Currency requirement

The inventory has to stay current as your data processing changes — a document from launch that never gets updated as you add new AI features doesn't meet the bar.

If your AI product routes user data through multiple vendors — a foundation-model API, a vector database, an analytics pipeline — the inventory needs to reflect that whole chain, not just your first-party database schema.

The Cure Period Clock Is Almost Out

MCDPA's first year included a mandatory 30-day cure period: before pursuing an enforcement action, the Attorney General had to give notice and a chance to fix the violation. That mandatory right sunsets one year after the law's July 31, 2025 effective date — July 31, 2026.

After that date, offering a cure opportunity becomes entirely discretionary. Companies that have been treating MCDPA as a lower-priority compliance item because "we'd get a chance to fix it" are running out of runway to make that assumption.

MCDPA Compliance Checklist for AI Companies

1. Threshold and Scope
  • Count Minnesota consumers in your user base against the 100,000 threshold
  • Calculate whether you cross 25,000 consumers + 25% revenue from data sales
  • Confirm whether a nonprofit or higher-ed exemption applies
2. Profiling Opt-Out and Right to Question
  • Identify every AI decision producing a legal or similarly significant effect
  • Build a clear opt-out mechanism for profiling feeding those decisions
  • Build a process for consumers to question a specific decision and receive an explanation
  • Provide access to human review of contested automated decisions
3. Data Inventory
  • Document categories of personal data processed, including AI-derived/inferred data
  • Map data flow across first-party systems and third-party AI vendors
  • Assign an owner responsible for keeping the inventory current
  • Update the inventory when you add new AI features or vendors, not on a fixed annual cycle only
4. Enforcement Readiness
  • Don't rely on the cure period after July 31, 2026 — treat compliance gaps as immediately actionable
  • Retain documentation the AG could request during an investigation
  • Confirm consumer rights request handling meets response-time requirements

See where your AI product is exposed

RatedWithAI helps SaaS and platform teams surface compliance and trust gaps across their web properties. Start with a free scan to understand how your product presents to users and regulators alike.

Scan Your Product for Free →

Frequently Asked Questions

How is MCDPA different from CCPA or VCDPA for AI companies?

CCPA and VCDPA generally stop at an opt-out right for profiling used in significant decisions. MCDPA adds a right to question the result of that profiling and, where feasible, request a human review and information about how to obtain a different outcome — closer to GDPR's explanation rights than typical US state law. MCDPA also uniquely requires a maintained internal data inventory, which CCPA and VCDPA don't explicitly mandate as a standalone document.

We already built CCPA opt-out infrastructure — is that enough for MCDPA?

It's a start but not sufficient. Your opt-out mechanism covers part of the MCDPA obligation, but you still need a separate operational path for consumers to question a specific automated decision and get a substantive, human-reviewed explanation, plus the internal data inventory MCDPA requires that most CCPA compliance programs don't produce as a standalone artifact.

What happens after the cure period sunsets on July 31, 2026?

The Minnesota Attorney General retains full enforcement authority without any obligation to notify a business and offer a fix-it window first. Practically, this means a violation discovered after that date can move straight to an enforcement posture rather than triggering a 30-day grace period, so gaps identified now should be treated as time-sensitive rather than something to address on a rolling basis.

Related Guides