Does the Minnesota Consumer Data Privacy Act cover employment AI decisions?

Last verified: April 21, 2026

Answer

Yes. Minnesota HF-4757 classifies AI-based employment profiling — including automated resume screening, candidate scoring, and interview analysis — as high-risk processing that requires a data protection assessment. Controllers must document the purpose, necessity, and risk of harm before deploying such systems, and employees and applicants retain the right to opt out of solely automated employment decisions.

Applicable Regulations

HF-4757

Minnesota Consumer Data Privacy Act (MCDPA)

enacted

Enacted May 24, 2024 as Chapter 121 of the 2024 Minnesota Session Laws, codified at Minnesota Statutes Chapter 325O. Effective July 31, 2025 with full enforcement (no cure period) from February 1, 2026. Applies to controllers and processors of personal data of Minnesota residents meeting the thresholds below. Grants consumers rights to access, correct, delete, and port personal data; to opt out of targeted advertising, data sales, and profiling; and — uniquely among state laws — to question the result of a profiling decision, receive the reason for that outcome, and request reevaluation if inaccurate data was used. Requires data protection assessments before processing personal data for targeted advertising, data sales, sensitive data, and profiling with heightened risk. Enforced exclusively by the Minnesota Attorney General; no private right of action.

Key Requirements

Core Consumer Rights: Right to access, correct, delete, and obtain a portable copy of personal data. Right to know which third parties received data sales.
Opt-Out of Profiling and Targeted Advertising: Consumers may opt out of processing for targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.
Profiling Challenge and Explanation Right: When profiling produces legal or similarly significant effects, consumers may question the result, receive the reason for the outcome, and request reevaluation if inaccurate data was used. Covered decisions include housing, insurance, education, employment, healthcare, and financial services.
Data Protection Assessment: Controllers must conduct and document data protection assessments before processing for targeted advertising, data sales, sensitive data, profiling with heightened risk, and other high-risk processing activities.
Privacy Notice Requirements: Controllers must provide a privacy notice with a hyperlink labeled 'Your Privacy Rights' disclosing data categories, purposes, third-party disclosures, and opt-out mechanisms.
Attorney General Enforcement: Only the Minnesota AG may enforce. A 30-day cure period applied through January 31, 2026; from February 1, 2026, no cure period — violations subject to immediate civil penalty action.

Effective: 2025-07-31

Penalties: Civil penalties of up to $7,500 per violation, enforceable by the Minnesota Attorney General. No private right of action. Court may also award injunctive relief and litigation costs. The 30-day cure period expired January 31, 2026; full enforcement without cure rights began February 1, 2026.

Industry Context

HR & Recruiting Firms

Staffing agencies, recruiting firms, and HR technology providers that use AI for candidate sourcing, resume screening, interview analysis, and employment decision support. These firms face heightened regulatory scrutiny because AI in hiring directly affects individuals' economic opportunities.

Typical Compliance Gaps

No bias audit or disparate impact testing of hiring AI tools
No applicant notification that AI is used in screening or scoring
Lack of documentation linking AI outputs to adverse employment decisions
Unaware of AI exclusion endorsements in EPL or E&O policies

Where this lands operationally

Gridex turns the compliance or coverage question into operated workflow controls: intake, review points, audit trails, and the places a person stays in the decision.

Discuss a Governed Hiring Workflow

Use this research to identify the workflow, review points, and operating controls that would matter in your organization.

Related Questions

  • Can Minnesota consumers opt out of AI profiling? Yes. Minnesota HF-4757 gives consumers the right to opt out of automated profiling decisions that produce legal or similarly significant effects. Controllers must honor opt-out requests within a reasonable time frame and may not deny goods, services, or employment opportunities solely because a consumer exercised this right. The opt-out right applies to profiling used in employment, lending, insurance, and similar high-stakes contexts.
  • Can I use AI for hiring in Illinois? Yes, but two distinct Illinois laws apply. HB-3773 (effective January 1, 2026) amended the Illinois Human Rights Act to prohibit employers from using AI that discriminates against protected classes or uses zip codes as a proxy, and it requires notice to employees that AI is being used in employment decisions (recruitment, hiring, promotion, discipline, tenure, or terms and conditions). Separately, the Illinois Artificial Intelligence Video Interview Act (PA 101-0260, 820 ILCS 42), in effect since 2020, applies specifically when AI analyzes applicant video interviews: employers must notify the applicant, explain how the AI works, obtain written consent, limit video sharing to necessary evaluators, delete videos within 30 days of an applicant's request, and — per the 2022 amendment (PA 102-47) — report applicant racial/ethnicity data annually to DCEO. If AI hiring tools also capture biometric identifiers (e.g., facial geometry from video), the separate Illinois Biometric Information Privacy Act (BIPA) creates additional consent and liability obligations. Illinois employers using AI for any form of employment decision should map their process against all three regimes.
  • How do Colorado and Minnesota AI privacy requirements compare? The two states take different approaches. Colorado's AI Act (SB 26-189, which repealed and reenacted SB 24-205 and whose obligations begin January 1, 2027) is a disclosure-and-notice framework: it does not require data protection assessments or high-risk AI classification. Instead, deployers of automated decision-making technology (ADMT) that makes or substantially influences consequential decisions must give consumers interaction notice, disclose adverse outcomes within 30 days, allow data correction, and provide meaningful human review. Minnesota HF-4757 takes the opposite approach, embedding AI governance within broader consumer data privacy protections and requiring data protection assessments before processing that presents foreseeable risk — including automated profiling producing legal or significant effects.