Minnesota Consumer Data Privacy Act: HIPAA Covered Entity Exemption Explained
MCDPA Applicability Criteria
The Minnesota Consumer Data Privacy Act (MCDPA) applies to organizations that conduct business in Minnesota or target Minnesota residents and meet certain data-processing thresholds. Specifically, it covers entities that process the personal data of at least 100,000 consumers in a year (excluding payment-only processing) or process data on at least 25,000 consumers while deriving over 25% of gross revenue from data sales. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M.12))
These thresholds determine whether you must implement MCDPA’s duties and honor consumer rights. Payment-only transactions are expressly excluded from the count, which can materially affect grocery, hospitality, ticketing, and other high-volume businesses. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M.12))
Exempt Entities under MCDPA
MCDPA contains limited entity-level exclusions. If your organization falls into one of these categories, the Act (generally) does not apply to you, though other laws still may. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M.12))
- Government entities and federally recognized Indian tribes. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M.12))
- State- or federally chartered banks and credit unions, and certain financial affiliates. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M.12))
- Insurance companies/producers and specified related entities. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M.12))
- Small businesses (subject to separate limits on selling sensitive data). ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M.12))
- Nonprofits established to detect and prevent insurance fraud. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M.12))
- Certain self-regulatory organizations (for example, national securities exchanges). ([ag.state.mn.us](https://www.ag.state.mn.us/Data-Privacy/Exemptions/))
- Air carriers, to the extent preempted by the Airline Deregulation Act. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M.12))
HIPAA Covered Entity Exemption Details
Under MCDPA, there is no blanket exclusion for all activities of HIPAA covered entities or business associates. Instead, the law exempts specific health data categories and contexts—most importantly Protected Health Information (PHI)—and certain mixed-data scenarios when handled under HIPAA standards. This is often described as a “HIPAA covered entity exemption,” but it functions as a data-level carve‑out, not a universal entity-level pass. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M.12))
Protected Health Information (PHI)
PHI, as defined by HIPAA and its regulations, is outside MCDPA’s scope. If you process PHI, that data is exempt from MCDPA because HIPAA governs it. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M.12))
Derived and Deidentified Health Data
Information derived from exempt health data that has been deidentified in accordance with HIPAA’s deidentification standards remains excluded. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M.12))
Intermingled Health Information
When exempt health information is intermingled and indistinguishable from other data, and is maintained by a HIPAA covered entity, business associate, health care provider, or certain 42 C.F.R. Part 2 programs, it is excluded. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M.12))
Information Maintained “as PHI” by Providers
Data maintained by a health care provider in the same manner required for PHI—such as applying equivalent safeguards—also falls outside MCDPA’s scope. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M.12))
Public Health Activities
Data used solely for public health activities and purposes identified in HIPAA (45 C.F.R. 164.512) is excluded from MCDPA. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M.12))
Non-HIPAA Data under MCDPA
Many data sets held by health sector organizations are not PHI and therefore remain subject to MCDPA. Examples include website analytics, cookie identifiers, marketing and prospect lists, event registrations, and data collected by consumer health and wellness apps outside a HIPAA-covered relationship. Because such information can include health inferences, it may qualify as “sensitive data,” requiring opt‑in consent before processing. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M/full))
Conversely, some data is out of reach even for a covered controller. Individuals acting in an employment or commercial context are not "consumers" under the Act, so data used solely in that context is not subject to it; and personal data processed solely to complete a payment transaction does not count toward the applicability thresholds. Categorize your data carefully to determine which obligations apply. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M.12))
Consumer Data Rights Provisions
Consumers have robust state-level data rights under MCDPA, including the right to access, correct, and delete their personal data and to obtain a portable copy of data they previously provided. You must also provide a list of the specific third parties to whom a consumer's data was disclosed (or, if you do not track disclosures per consumer, a list of the specific third parties that received any consumer's data). ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M/full))
- Data Sales Opt-Out and Targeted Advertising Restrictions: Consumers can opt out of data sales, targeted advertising, and certain profiling. You must honor a universal opt-out mechanism (opt‑out preference signal). ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M/full))
- Profiling transparency: If profiling has legal or similarly significant effects, consumers can question outcomes, review data used, and seek correction with re-evaluation. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M/full))
- Timelines and appeals: You must respond within 45 days (one 45‑day extension allowed), provide appeal rights, and maintain appeal records for 24 months. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M/full))
Enforcement and Penalties
Enforcement is exclusive to the Minnesota Attorney General; there is no private right of action. The AG may seek injunctions and civil penalties of up to $7,500 per violation, and may recover litigation expenses when the state prevails. A 30-day right to cure applies only through January 31, 2026. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M/full))
Compliance Timeline and Requirements
The MCDPA took effect on July 31, 2025, with postsecondary institutions regulated by the Office of Higher Education not required to comply until July 31, 2029. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M/full))
Operationally, you must implement written data privacy policies, maintain a data inventory and appropriate security measures, and identify a chief privacy officer or responsible privacy lead. You must also conduct data privacy and protection assessments for targeted advertising, sales of personal data, sensitive data processing, and certain high‑risk profiling, and be prepared to provide those assessments to the AG upon request. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M/full))
Additional duties include processing sensitive data only with consent, honoring opt‑out preference signals, providing clear privacy notices (including categories of third parties that receive data), and executing controller‑processor contracts that set instructions, confidentiality, and deletion/return terms. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/cite/325M/full))
FAQs
What qualifies as a HIPAA covered entity exemption under the MCDPA?
MCDPA exempts PHI and several related categories when handled under HIPAA’s framework. That includes PHI itself, certain deidentified or intermingled health information maintained by covered entities, business associates, or providers, and data used solely for HIPAA‑recognized public health activities. It is a data‑level carve‑out, not a universal entity exemption.
How does MCDPA address non-HIPAA regulated data?
Non‑HIPAA data—like website analytics, marketing audiences, and consumer health information collected outside a HIPAA relationship—generally falls under MCDPA. If it qualifies as sensitive data (for example, health condition or diagnosis), you must obtain opt‑in consent before processing and honor opt‑out signals for sales and targeted advertising.
What are the consumer rights granted by the MCDPA?
Consumers can access, correct, delete, and port data they provided, opt out of sales, targeted advertising, and certain profiling, question impactful profiling decisions, and request a list of specific third parties that received their data. You must respond within 45 days, provide an appeal path, and keep appeal records for 24 months.
When does the Minnesota Consumer Data Privacy Act take effect?
The Act became effective on July 31, 2025. Postsecondary institutions regulated by the Office of Higher Education have a later compliance date of July 31, 2029.