Does the Minnesota Consumer Data Privacy Act cover employment AI decisions?

Yes. Minnesota HF-4757 classifies AI-based employment profiling — including automated resume screening, candidate scoring, and interview analysis — as high-risk processing that requires a data protection assessment. Controllers must document the purpose, necessity, and risk of harm before deploying such systems, and employees and applicants retain the right to opt out of solely automated employment decisions.

When is a data protection assessment required in Minnesota?

Minnesota HF-4757 requires controllers to conduct data protection assessments before processing personal data in ways that present a reasonably foreseeable risk of harm to consumers. Mandatory triggers include: automated profiling that produces legal or significant effects, processing sensitive personal data, and AI-based decisions in employment, insurance, lending, or healthcare. Assessments must weigh the benefits of processing against the risks and document risk mitigation measures.

How do Colorado and Minnesota AI privacy requirements compare?

The two states take different approaches. Colorado's AI Act (SB 26-189, which repealed and reenacted SB 24-205 and whose obligations begin January 1, 2027) is a disclosure-and-notice framework: it does not require data protection assessments or high-risk AI classification. Instead, deployers of automated decision-making technology (ADMT) that makes or substantially influences consequential decisions must give consumers interaction notice, disclose adverse outcomes within 30 days, allow data correction, and provide meaningful human review. Minnesota HF-4757 takes the opposite approach, embedding AI governance within broader consumer data privacy protections and requiring data protection assessments before processing that presents foreseeable risk — including automated profiling producing legal or significant effects.

Can Minnesota consumers opt out of AI profiling?

Last verified: April 21, 2026

Answer

Yes. Minnesota HF-4757 gives consumers the right to opt out of automated profiling decisions that produce legal or similarly significant effects. Controllers must honor opt-out requests within a reasonable time frame and may not deny goods, services, or employment opportunities solely because a consumer exercised this right. The opt-out right applies to profiling used in employment, lending, insurance, and similar high-stakes contexts.

Applicable Regulations

HF-4757

Minnesota Consumer Data Privacy Act (MCDPA)

enacted

Enacted May 24, 2024 as Chapter 121 of the 2024 Minnesota Session Laws, codified at Minnesota Statutes Chapter 325O. Effective July 31, 2025 with full enforcement (no cure period) from February 1, 2026. Applies to controllers and processors of personal data of Minnesota residents meeting the thresholds below. Grants consumers rights to access, correct, delete, and port personal data; to opt out of targeted advertising, data sales, and profiling; and — uniquely among state laws — to question the result of a profiling decision, receive the reason for that outcome, and request reevaluation if inaccurate data was used. Requires data protection assessments before processing personal data for targeted advertising, data sales, sensitive data, and profiling with heightened risk. Enforced exclusively by the Minnesota Attorney General; no private right of action.

Key Requirements

Core Consumer Rights Right to access, correct, delete, and obtain a portable copy of personal data. Right to know which third parties received data sales.

Opt-Out of Profiling and Targeted Advertising Consumers may opt out of processing for targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.

Profiling Challenge and Explanation Right When profiling produces legal or similarly significant effects, consumers may question the result, receive the reason for the outcome, and request reevaluation if inaccurate data was used. Covered decisions include housing, insurance, education, employment, healthcare, and financial services.

Data Protection Assessment Controllers must conduct and document data protection assessments before processing for targeted advertising, data sales, sensitive data, profiling with heightened risk, and other high-risk processing activities.

Privacy Notice Requirements Controllers must provide a privacy notice with a hyperlink labeled 'Your Privacy Rights' disclosing data categories, purposes, third-party disclosures, and opt-out mechanisms.

Attorney General Enforcement Only the Minnesota AG may enforce. A 30-day cure period applied through January 31, 2026; from February 1, 2026, no cure period — violations subject to immediate civil penalty action.

Effective: 2025-07-31 Penalties: Civil penalties of up to $7,500 per violation, enforceable by the Minnesota Attorney General. No private right of action. Court may also award injunctive relief and litigation costs. The 30-day cure period expired January 31, 2026; full enforcement without cure rights began February 1, 2026.

Full State Analysis

Minnesota AI Regulations

Where this lands operationally

Gridex turns the compliance or coverage question into operated workflow controls: intake, review points, audit trails, and the places a person stays in the decision.

Governed AI DeploymentRun AI inside real work with audit trails, human review points, and the operating controls underwriters and regulators expect.Managed Intake & QualificationCapture, qualify, and route incoming work with disclosure, consent, and human review built into the intake step.

Map This Workflow With Gridex

Use this research to identify the workflow, review points, and operating controls that would matter in your organization.

Map This Workflow With Gridex →