
Minnesota (MCDPA) Privacy Law Compliance

The Minnesota Consumer Data Privacy Act (effective July 31, 2025) adds two distinctive consumer rights not found in any other US state: (1) the right to obtain a meaningful explanation of profiling-based decisions; and (2) the right to have profiling-based decisions reviewed by a human. This is the closest the US has come to GDPR Article 22 protections.

Statute: Minnesota Consumer Data Privacy Act, Minn. Stat. §325O et seq.
Effective: Jul 31, 2025 (most controllers); Jul 31, 2029 (small businesses + post-secondary)
Enforcer: Minnesota Attorney General (exclusive)
Consumer rights: 10
Business obligations: 10

Who must comply

Exemptions

Consumer rights (10)

Right to access / know: Confirm whether personal data is processed and obtain a copy in a portable format
Right to correct: Correct inaccurate personal data
Right to delete: Request deletion of personal data the controller has collected
Right to data portability: Receive data in a portable, machine-readable format
Right to opt out of sale: Opt out of the sale of personal data to third parties
Right to opt out of targeted advertising: Opt out of cross-context behavioural advertising
Right to opt out of profiling with legal effect: Opt out of automated decisions producing legal or similarly significant effects
Right to appeal: Appeal a controller's refusal to honour a rights request (typically 45–60 days)
Right to meaningful profiling explanation: Obtain a meaningful explanation of how a profiling-based decision was reached, including key factors + their effect
Right to human review of profiling decisions: Have a profiling-based decision producing legal or similarly significant effects reviewed by a human reviewer

Business obligations (10)

Public privacy notice: Clear, accessible notice of categories collected, purposes, third parties, rights, and contact channel
Rights response within 45 days: Respond to consumer rights requests within 45 days (extendable by 45 more with notice)
Data processing agreements: Written contracts with processors restricting their processing to the controller's documented instructions
Data protection assessments: Document risk assessment for targeted advertising, sale, profiling, sensitive data processing
Honour universal opt-out signals (GPC): Recognise the Global Privacy Control browser signal as a valid opt-out (where required)
Reasonable security practices: Administrative, technical, physical safeguards appropriate to the data's sensitivity
Data minimisation + purpose limitation: Collect only what is adequate, relevant, and reasonably necessary for the disclosed purposes
Children & teen consent: Opt-in consent before selling or sharing data of minors (age threshold varies 13–16)
Opt-in for sensitive data: Affirmative consent before sensitive data processing
Data inventory + retention schedule: Maintain a documented inventory of personal data processed + a retention schedule

Required privacy notice elements

  1. Categories of personal data processed
  2. Purpose of processing + retention period for each category
  3. Categories shared + categories of third parties
  4. Rights + how to exercise + appeal
  5. Statement of profiling, profiling-decision explanation, + human review rights (where applicable)
  6. Sale + targeted advertising disclosure + opt-out
  7. Statement of UOOM (GPC) recognition

Penalties

Civil penalty per violation: Up to $7,500 (Minn. Stat. §325O.10)
Investigation costs + injunctive relief: Recoverable by AG (AG enforcement)
30-day cure period: Sunset Jan 31, 2027 (initial wind-up)

Common compliance pitfalls

AI / automated-decision workflows lack human-review path
Any ML-driven decision affecting credit, employment, insurance, housing, education, healthcare access requires a documented human-review fallback in Minnesota. If your scoring engine has no human-review path, you have a compliance gap.
Profiling explanation must be 'meaningful'
Generic 'we use ML to make decisions' fails. The explanation must include key factors AND their effect. For complex models this requires SHAP-style feature attribution or analogous interpretability.
Data inventory + retention schedule are mandatory
Minnesota explicitly requires a maintained inventory + retention schedule, not just a policy claim. The AG can request the inventory on subpoena.
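
To illustrate the "key factors AND their effect" point from the profiling-explanation pitfall above, here is an added example (not code from this page or from any vendor) that computes exact Shapley attributions for a decision and stores them in a record a human reviewer can read. The scoring model, baseline applicant, threshold and field names are all constructed assumptions.

```python
from itertools import combinations
from math import factorial

# Constructed toy credit-scoring model (hypothetical, for illustration only).
def score(x):
    s = 600 + 0.002 * x["income"] - 150 * x["utilization"]
    if x["late_payments"] > 2 and x["utilization"] > 0.5:  # interaction term
        s -= 80
    return s

# Constructed reference applicant that attributions are measured against.
BASELINE = {"income": 50000, "utilization": 0.30, "late_payments": 0}

def shapley(model, x, baseline):
    """Exact Shapley values: each feature's marginal contribution averaged
    over all subsets, with absent features held at their baseline value."""
    feats = list(x)
    n = len(feats)

    def value(present):
        return model({f: x[f] if f in present else baseline[f] for f in feats})

    phi = {}
    for f in feats:
        others = [g for g in feats if g != f]
        total = 0.0
        for k in range(n):
            weight = factorial(k) * factorial(n - k - 1) / factorial(n)
            for subset in combinations(others, k):
                s = set(subset)
                total += weight * (value(s | {f}) - value(s))
        phi[f] = total
    return phi

def explain(model, x, baseline, threshold):
    """Decision record: outcome plus key factors ranked by size of effect."""
    phi = shapley(model, x, baseline)
    s = model(x)
    ranked = sorted(phi.items(), key=lambda kv: abs(kv[1]), reverse=True)
    return {
        "score": round(s, 2),
        "decision": "approve" if s >= threshold else "deny",
        "baseline_score": round(model(baseline), 2),
        "key_factors": [(f, round(v, 2)) for f, v in ranked],
    }

APPLICANT = {"income": 40000, "utilization": 0.80, "late_payments": 3}  # constructed
RECORD = explain(score, APPLICANT, BASELINE, threshold=620)
```

The attributions sum to the gap between the applicant's score and the baseline score, so the record accounts for the whole decision. Exact enumeration costs 2^n model calls, which is why production tooling approximates it for models with many features.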

FAQ

What's special about Minnesota?
Minnesota is the only US state with a right to meaningful explanation of profiling decisions AND a right to human review — closely tracking GDPR Article 22. AI-heavy SaaS, fintech, insurtech, healthtech must build explanation + human-review workflows now.
When does Minnesota apply to my small business?
If you qualify as a small business under the SBA definition (industry-specific), MCDPA does not apply until July 31, 2029. Otherwise effective July 31, 2025.
How does Minnesota differ from Colorado?
Minnesota adds the profiling explanation + human review rights, requires an explicit data inventory + retention schedule, and adds an explicit small-business deferment. Otherwise the two laws are very similar (rights, structure, UOOM).

Related state laws

Maryland (MD): MODPA
Oregon (OR): OCPA
Colorado (CO): CPA
