Member Login
Search

FOCUS ON NEW LAWS: Minnesota Consumer Data Privacy Act (MCDPA)

The Minnesota Consumer Data Privacy Act (MCDPA) goes into effect on July 31, 2025. This new law regulates how certain businesses collect, use, and manage personal data belonging to Minnesota residents. As questions have arisen about its impact on ambulatory surgery centers (ASCs), MNASCA invited privacy expert Michael Cohen—counsel at Lathrop GPM and a recognized leader in data privacy law—to provide clarity during our May 23, 2025 Member Forum. Below is a summary of his presentation to MNASCA members.
 
Does the MCDPA Apply to ASCs?
In most cases, no—at least not for data already covered by HIPAA. The MCDPA includes several important exemptions that apply to health care organizations.
 
Who Must Comply?
The MCDPA applies to businesses that either:
  • Control or process the personal data of 100,000 or more Minnesota consumers annually (excluding payment transactions), or
  • Derive over 25% of their revenue from the sale of personal data and process the data of 25,000 or more consumers
Key Exemptions
The following types of data are exempt from the MCDPA:
  1. Protected Health Information (PHI) under HIPAA
  2. Health Records under the Minnesota Health Records Act
  3. Substance Use Treatment Records protected by 42 CFR Part 2
  4. Intermingled Data that cannot be reasonably separated from exempt health data
  5. Data Managed by HIPAA-Covered Entities or Business Associates, provided it's handled in accordance with HIPAA standards
As a result, most clinical data managed by ASCs will not be subject to MCDPA requirements.
 
What Data May Still Be Covered?
ASCs may still need to comply with MCDPA for non-HIPAA-regulated data, such as:
  • Website tracking and analytics (cookies, visitor data)
  • Patient satisfaction surveys or marketing forms not tied to care
  • HR and job applicant data
  • Email marketing or third-party vendor contact lists
Other Provisions of the MCDPA
The MCDPA establishes specific consumer rights, outlines business obligations for data management, and sets enforcement mechanisms to ensure compliance.
 
Consumer Rights
  • Right to access, correct, or delete personal data
  • Right to know how data is used
Business Obligations
  • Provide a secure method for submitting data requests
  • Respond to requests within 45 days (with one 45-day extension allowed)
  • Maintain records of all data requests for 2 years
  • Update privacy policies to meet legal standards
  • Maintain a data inventory and adopt data minimization practices
  • Conduct data protection assessments for processing sensitive data
Enforcement
  • Enforced solely by the Minnesota Attorney General
  • Businesses have an “opportunity to cure” violations until January 31, 2026
  • No private right of action
Recommended Next Steps
To prepare for the MCDPA, ASCs should begin evaluating their data practices and take the following steps as needed:
  • Assess applicability: Determine whether your organization falls under the scope of the MCDPA.
  • Identify non-exempt data: Review the types of personal data your ASC collects that may not be covered by HIPAA or other exemptions.
  • Update your privacy policy: Ensure your website privacy notice includes all required disclosures under the MCDPA.
  • Build or refine a data inventory: Catalog the personal data your organization collects, stores, and shares, and document related compliance efforts.
  • Establish internal processes: Create procedures for receiving, verifying, and responding to consumer data requests within required timeframes.
  • Implement a security program: Develop a written information security plan that aligns with best practices for protecting personal data.
  • Review third-party agreements: Reevaluate contracts with vendors and service providers to ensure they meet MCDPA compliance standards.
Taking these steps now will help ASCs mitigate risk and ensure readiness ahead of the law’s July 31, 2025, effective date.
 
Additional Resources For questions about compliance, MNASCA members are encouraged to consult with legal counsel or reach out to Michael Cohen directly:
 
Michael Cohen, Counsel
Lathrop GPM LLP
Direct: 612.632.3345
[email protected]