Minnesota Consumer Data Privacy Act (MCDPA) HIPAA Exemption: What’s Covered and What Isn’t
MCDPA Applicability Criteria
The Minnesota Consumer Data Privacy Act (MCDPA) applies to organizations that conduct business in Minnesota or target Minnesota residents and meet specific data processing thresholds. In practice, this means controllers and processors that handle substantial volumes of personal data, or that monetize personal data, must comply with the statute’s consumer privacy obligations.
The MCDPA focuses on consumer-facing personal data rather than information that is truly de-identified or publicly available. When you are within scope, you must enable consumer data controls such as access, deletion, correction, and opt-out mechanisms for targeted advertising, the sale of personal data, and certain types of automated profiling.
The law applies alongside other regulatory compliance standards. If another sectoral regime comprehensively governs a particular dataset, the MCDPA typically yields at the data level (explained below), while remaining relevant to other datasets your organization processes.
HIPAA Exemption Scope
The MCDPA includes a targeted exemption for HIPAA-regulated information. Protected Health Information (PHI) created, received, maintained, or transmitted by HIPAA covered entities and business associates—when handled in compliance with HIPAA—is exempt from the MCDPA. HIPAA de-identified data is also excluded when it meets HIPAA’s de-identification requirements.
Authorization for public health data also matters here. Collection, use, and disclosure for public health activities that are authorized by law—such as surveillance, investigation, and interventions—fall outside the MCDPA to the extent those activities are governed by HIPAA or other public health statutes.
However, the HIPAA exemption is not entity-wide. When a covered entity or business associate processes data outside the PHI context—for example, website analytics, mobile app telemetry, event sign-ups, or marketing lists not derived from treatment or payment operations—that data may be non-PHI and therefore subject to the MCDPA.
Data-Level Regulatory Exemptions
The MCDPA recognizes that some datasets are already regulated under sector-specific laws and exempts them at the data level. Common examples include:
- Financial data governed by the Gramm-Leach-Bliley Act (GLBA) and its implementing regulations.
- Consumer report data handled in accordance with the Fair Credit Reporting Act (FCRA).
- Education records covered by the Family Educational Rights and Privacy Act (FERPA).
- Records regulated by 42 C.F.R. Part 2 (substance use disorder treatment records).
- Human subjects research conducted in compliance with the Common Rule or equivalent standards.
- Data collected, used, or disclosed for authorized public health activities, as noted above.
- De-identified data and publicly available information as defined by the MCDPA.
These carve-outs are narrow. They apply to the specified data and purposes, not to all processing by the organization. If you handle both exempt and non-exempt datasets, your MCDPA duties still apply to the latter.
Coverage of Non-HIPAA Data
Much health-adjacent data is not PHI and is therefore in scope. Examples include data from consumer wellness apps, employer wellness programs offered outside a group health plan, retail pharmacy loyalty programs, connected fitness devices, website cookies, IP addresses, advertising IDs, precise geolocation, and cross-context behavioral profiles. When such information can reasonably be linked to a person or household, the MCDPA treats it as personal data.
Some of this information will be sensitive consumer data, such as precise geolocation, genetic or biometric identifiers, or data revealing health conditions. Processing sensitive consumer data generally requires a clear, affirmative consent and heightened safeguards, including purpose limitation, data minimization, and robust security controls.
For marketing, the key question is whether the data was generated or used outside HIPAA’s treatment, payment, or health care operations. If so, expect MCDPA obligations to apply, including opt-out rights for targeted advertising and sales, transparency requirements, and honoring user opt-out signals where applicable.
Small Business Exemption Details
The MCDPA contains a small business exemption that references small-entity concepts familiar from federal standards. If your organization qualifies as a small business and does not exceed the law’s data processing thresholds, many controller-level obligations may not apply.
That said, the exemption is not a free pass. Small businesses should avoid selling sensitive consumer data without prior, opt-in consent and should implement reasonable security measures commensurate with the nature of the personal data processed. Even when exempt, adopting baseline privacy practices—data mapping, purpose specification, retention limits, and streamlined consumer request handling—reduces risk and prepares you for growth.
Enforcement and Compliance Mechanisms
Enforcement of the MCDPA rests with the Minnesota Attorney General. Enforcement actions by the Attorney General may seek injunctive relief and civil penalties for violations, with discretion to consider factors like the number of affected consumers, the sensitivity of the data, and the controller’s remediation efforts. The statute does not create a general private right of action.
To comply, controllers should operationalize regulatory compliance standards: maintain accurate data inventories, publish clear privacy notices, obtain consent for sensitive consumer data where required, honor opt-outs for targeted advertising and sales, and implement processor contracts that allocate privacy and security responsibilities. For high-risk processing, conduct and document risk assessments and ensure technical and organizational security controls are risk-appropriate.
Key takeaways
- HIPAA-regulated PHI and HIPAA de-identified data are outside the MCDPA, but non-PHI processed by health-sector organizations is often covered.
- Data-level exemptions (e.g., GLBA, FCRA, FERPA, Part 2, Common Rule, authorized public health activities) are narrow and purpose-specific.
- Non-HIPAA health-adjacent data—especially sensitive consumer data like precise geolocation and biometrics—triggers stronger requirements and often consent.
- Small businesses may benefit from an exemption, but selling sensitive consumer data without prior consent, and maintaining weak security, remain high-risk.
- Build a compliance program around consumer data controls, transparent notices, consent governance, and defensible assessments to reduce enforcement exposure.
FAQs
What types of health information does the HIPAA exemption cover under MCDPA?
The exemption covers Protected Health Information (PHI) handled by HIPAA covered entities and business associates in compliance with HIPAA, as well as HIPAA de-identified data. It is a data-based carve-out: PHI is excluded, but other information the same organization processes outside HIPAA (e.g., marketing telemetry or website tracking) may still be covered by the MCDPA.
How does MCDPA define small business exemptions?
The MCDPA recognizes a small business exemption aligned with federal small-entity concepts and the law’s data processing thresholds. If you qualify and remain below the thresholds, many controller obligations may not apply; however, you should still obtain opt-in consent before selling sensitive consumer data and maintain reasonable security practices.
Is marketing data subject to MCDPA if not covered by HIPAA?
Yes. Marketing, analytics, and advertising data that are not PHI generally fall within the MCDPA. Expect transparency duties, consumer data controls (including opt-outs for targeted advertising and sales), and consent requirements for sensitive consumer data.
Who enforces compliance with the Minnesota Consumer Data Privacy Act?
The Minnesota Attorney General enforces the MCDPA. The AG may pursue investigations and remedies for noncompliance, while the statute does not provide a general private right of action.