Minnesota’s New Consumer Data Privacy Act

Minnesota’s New Consumer Data Privacy Act: What It Means for Insurance Agencies and Brokers

On July 31, 2025, the Minnesota Consumer Data Privacy Act (MCDPA) officially went into effect, introducing one of the most comprehensive consumer data protection frameworks in the country. For insurance agencies and brokers who operate in Minnesota or engage with Minnesota residents, the law brings significant new compliance obligations that will reshape data handling practices, documentation requirements, and how CRMs and dialers must function.

Who Is Affected?

The MCDPA applies to businesses that:

  • Control or process data of at least 100,000 Minnesota consumers annually (excluding payment processing data), or

  • Process data for 25,000 or more consumers and derive 25% or more of gross revenue from selling personal data.

While small businesses (as defined by the U.S. Small Business Administration) are exempt from many requirements, that exemption does not apply if the business sells sensitive personal data, which includes health-related information often handled in the insurance industry.

Key Requirements for Insurance Professionals

1. Mandatory Documentation and Privacy Disclosures

Insurance agencies must now maintain:

  • A public-facing privacy notice that clearly states:

    • What personal data is collected and why

    • Whether that data is sold or shared

    • What rights consumers have and how to exercise them

    • How long data is retained

    • Contact information for privacy concerns

  • A data inventory and mapping system documenting:

    • What categories of data are collected

    • Data flow and storage points

    • Third-party vendors receiving or processing data

  • Internal privacy policies and procedures, including assigned roles and processes for handling consumer requests, data security, and regulatory audits.

These documentation requirements go beyond typical compliance checklists. Agencies must be prepared to produce detailed records to the Minnesota Attorney General upon request, particularly for high-risk data activities.

2. Data Minimization and Risk Assessments

Insurance agencies will need to ensure that they only collect data that is strictly necessary for business purposes. For example, gathering medical history, household income, or family details must be directly tied to an insurance-related process.

Additionally, if your agency engages in:

  • Targeted advertising

  • Sale of consumer data

  • Automated decision-making

  • Profiling that impacts eligibility or pricing

you must conduct formal data protection assessments and document the rationale, risks, and mitigation steps for each.

3. Consumer Rights and Your Response Workflows

Under the MCDPA, Minnesota residents can:

  • Request access to their data

  • Request deletion or correction

  • Opt out of targeted advertising and profiling

  • Obtain a list of third parties with whom their data was shared

  • Challenge automated decisions

Agencies must be able to respond to these requests within 45 days, with a streamlined system in place to verify identity, locate the data, and fulfill the request—or justify a denial.

Penalties for Non-Compliance

Enforcement lies solely with the Minnesota Attorney General. Violations can result in civil penalties of up to $7,500 per violation. Businesses have a 30-day “right to cure” period to fix violations, but this grace period expires after January 31, 2026.

After that date, agencies must be fully compliant, with no additional warning period required.

CRM and Dialer Implications: What We Must Do

As a CRM and VoIP dialer, TLDCRM provides support for insurance professionals, and it is our responsibility to:

  1. Maintain secure data storage and ensure access controls comply with least-privilege principles. Clients can control who has access to data utilizing the roles and abilities features of TLD.
  2. Log user access and changes to consumer records for auditing purposes. These reports can track who has access to PII and protected fields for clear and accurate tracking.
  3. Enable compliance by providing written documentation, upon request, including internal data maps, processing purposes, and data retention schedules.

Other States with Similar Laws

Minnesota joins a growing number of states enacting comprehensive privacy legislation, including:

  • California (CCPA/CPRA) – The most well-known law with consumer rights and opt-out obligations

  • Virginia (VCDPA) – Includes data assessments and consent-based sensitive data handling

  • Colorado (CPA) – Introduced similar profiling and targeted advertising controls

  • Connecticut, Utah, Texas, Oregon, and Florida – All have privacy laws either active or taking effect between 2024 and 2025

While the core rights are similar, each state has unique thresholds, exemptions, and procedural requirements—making compliance a multi-state challenge for national insurance providers and their tech partners.

Next Steps for Agencies

If your agency does business in Minnesota, now is the time to:

  • Conduct a privacy compliance audit

  • Update your privacy policies and procedures

  • Engage your CRM/dialer provider to ensure system-level support for data rights

  • Train staff on how to handle consumer requests

  • Document all policies and data flows to prepare for potential audits


Compliance is no longer optional. Minnesota’s new law sets a higher standard for consumer data transparency and protection—especially in industries like insurance that handle sensitive personal information. Ensuring that your agency—and your technology partners—are aligned with these expectations is critical to protecting both your clients and your business.

Let us know if you’d like help reviewing your current data practices or upgrading your CRM workflows to meet MCDPA standards.

Link to full text of the MCDPA HERE.