Minnesota Consumer Data Privacy Act (MNDPA)
Minnesota's comprehensive privacy law effective July 31, 2025 — notable as one of the first state statutes to explicitly classify neural data (BCIs, EEG, neurotechnology) as sensitive data requiring opt-in consent.
Overview
The Minnesota Consumer Data Privacy Act (HF 2309, 2024), codified at Minn. Stat. Sec. 325O.01 et seq., took effect on July 31, 2025. MNDPA is a modern, comprehensive privacy law best known for being one of the first US statutes to explicitly treat neural data — information collected from brain-computer interfaces, EEG headsets, and neurotechnology devices — as a protected sensitive-data category alongside race, religion, and biometric identifiers.
Applicability requires that a controller, in a calendar year, process personal data of 100,000 or more Minnesota consumers, or 25,000 or more consumers while deriving over 25% of gross revenue from the sale of personal data. The 25% data-sale revenue threshold sits below Virginia's 50%, capturing more ad-tech and data-broker adjacent businesses.
Exemptions follow the Virginia family: government entities, HIPAA, GLBA, non-profits, higher-education, and data covered by FCRA, DPPA, FERPA, and COPPA. Employee and B2B data remain out of scope.
Consumer Rights
Minnesota provides the full Virginia-family rights bundle: access, correction, deletion, portability, opt-out of sale, opt-out of targeted advertising, opt-out of profiling with significant effects, and right to appeal.
Sensitive data — expanded definition, unique to Minnesota (and Colorado via amendment):
- Racial or ethnic origin, religious beliefs
- Mental or physical health diagnosis
- Sexual orientation, citizenship or immigration status
- Genetic data and biometric data processed for identification
- Data of children under 13
- Precise geolocation
- Neural data — collected from:
  - Brain-computer interfaces (BCIs)
  - EEG headsets (e.g., Neuralink, Muse, Emotiv)
  - Neurotechnology devices that measure or monitor brain/neural activity
  - Neurofeedback platforms
All sensitive data — including neural data — requires opt-in consent before processing and triggers a mandatory data protection impact assessment (DPIA).
Compliance Requirements
Controllers must publish a privacy notice, honor data subject requests (DSRs) within 45 days (extendable by a further 45 days), conduct DPIAs for heightened-risk processing including all neural-data activities, and execute processor contracts. Recognition of universal opt-out mechanisms (UOOM), including Global Privacy Control (GPC), is mandatory.
Cure Period + Enforcement
The Minnesota Attorney General has exclusive enforcement authority — no private right of action. Violators receive a 30-day cure period. Civil penalties reach up to $7,500 per violation.
The short cure period means compliance with sensitive-data and neural-data obligations must be ready at go-live, not remediated reactively.
How Inori Addresses This
Inori's v1.2 privacy.mdx lists Minnesota with its July 31, 2025 effective date. Our /api/dsar endpoint handles the full rights bundle with a 45-day SLA. The middleware.ts respectGpc helper honors Sec-GPC: 1, satisfying the UOOM mandate.
Inori does not collect neural data as part of COI compliance workflows, so the neural-data consent gate is not currently triggered for our platform. Should Inori expand into vendor-screening modalities that incorporate biometric signals, the existing opt-in consent infrastructure for sensitive data would extend to neural categories. Hard-purge via cron at 90 days closes the deletion lifecycle.
Related Concepts
- CPA (Colorado) — Colorado added neural-data protection via amendment; the other state with explicit coverage
- VCDPA — Virginia baseline from which MNDPA's structure descends
- Global Privacy Control (GPC) — Browser signal MNDPA requires