AI Compliance for HR & Recruiting Firms in Minnesota

Last verified: March 24, 2026

Regulatory Status

HF-4757

Minnesota Consumer Data Privacy Act (MCDPA)

enacted

Enacted May 24, 2024 as Chapter 121 of the 2024 Minnesota Session Laws, codified at Minnesota Statutes Chapter 325O. Effective July 31, 2025 with full enforcement (no cure period) from February 1, 2026. Applies to controllers and processors of personal data of Minnesota residents meeting the thresholds below. Grants consumers rights to access, correct, delete, and port personal data; to opt out of targeted advertising, data sales, and profiling; and — uniquely among state laws — to question the result of a profiling decision, receive the reason for that outcome, and request reevaluation if inaccurate data was used. Requires data protection assessments before processing personal data for targeted advertising, data sales, sensitive data, and profiling with heightened risk. Enforced exclusively by the Minnesota Attorney General; no private right of action.

Effective: 2025-07-31 View Bill Text →

Key Requirements

Core Consumer Rights Right to access, correct, delete, and obtain a portable copy of personal data. Right to know which third parties received data sales.

Opt-Out of Profiling and Targeted Advertising Consumers may opt out of processing for targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.

Profiling Challenge and Explanation Right When profiling produces legal or similarly significant effects, consumers may question the result, receive the reason for the outcome, and request reevaluation if inaccurate data was used. Covered decisions include housing, insurance, education, employment, healthcare, and financial services.

Data Protection Assessment Controllers must conduct and document data protection assessments before processing for targeted advertising, data sales, sensitive data, profiling with heightened risk, and other high-risk processing activities.

Privacy Notice Requirements Controllers must provide a privacy notice with a hyperlink labeled 'Your Privacy Rights' disclosing data categories, purposes, third-party disclosures, and opt-out mechanisms.

Attorney General Enforcement Only the Minnesota AG may enforce. A 30-day cure period applied through January 31, 2026; from February 1, 2026, no cure period — violations subject to immediate civil penalty action.

Insurance Implications

Relevant policy types: EPL, E&O, Cyber, D&O

Compliance Gaps to Address

No bias audit or disparate impact testing of hiring AI tools

No applicant notification that AI is used in screening or scoring

Lack of documentation linking AI outputs to adverse employment decisions

Unaware of AI exclusion endorsements in EPL or E&O policies

Other Industries in This State

Marketing Agencies Real Estate Education

This Industry in Other States

Illinois Colorado Texas

View All State Regulations View Full Industry Guide

Map This Workflow With Gridex →

Need to map a governed hiring workflow?

Discuss the Workflow →

Disclaimer: This content is provided for informational purposes only and does not constitute legal advice. AI regulations and insurance policy terms change frequently. Consult with a qualified attorney or insurance professional for advice specific to your situation. Gridex makes no warranties regarding the accuracy or completeness of this information.