State AGs and Consumer Protection: What We Learned From…Minnesota

In the latest installment of our AG webinar series, we had the opportunity to speak with long-time consumer protection enforcers of the Minnesota Attorney General’s Office (MN AGO or Office). Jessica Whitney and James Canady, Deputy Attorneys General and co-leads of the Consumer Protection Section, shared insights on Minnesota’s consumer protection laws and priorities. We were also joined by Sarah Doktori and Noah Lewellen, Assistant Attorneys General in the Office’s Privacy Unit, who discussed data privacy and the first six months of the Minnesota Consumer Data Privacy Act (MCDPA or Act). Here is what we learned from our guest speakers.

Consumer Protection Priorities

Consumer protection is a primary focus of the MN AGO, expanding significantly in recent years. The Consumer Protection Section comprises eight divisions that cover areas such as consumer fraud and deceptive practices, antitrust, charities, privacy, wage theft, civil rights, and more, and is charged with consumer education, complaint intake, investigations, and enforcement.

When determining priorities, the MN AGO considers factors such as the number of individuals affected, the severity of the harm, areas in which the Office has expertise, and the priorities set by the Attorney General, an elected official. In addition, where the Office identifies regulatory gaps—such as areas not addressed by federal legislation, including data privacy—the states, including the MN AGO, may step in to address those issues.

When seeking remedies, the highest priorities are consumer restitution, where applicable, and injunctive relief designed to address the behavior in question. The Office can seek civil penalties up to $25,000 per violation of the state’s general consumer protection statutes.

Data Privacy and the MCDPA

Statutory Scope and Enforcement Framework

The MCDPA establishes consumer rights and imposes corresponding obligations on covered businesses. Violations of the Act may result in civil penalties of up to $7,500 per violation. To be subject to the Act as a controller, an entity must process personal data relating to at least 100,000 consumers in addition to meeting other applicability requirements. It also applies to some entities related to a percentage of revenue. The Act largely exempts small businesses, except for when sales of sensitive data are involved.

Enforcement authority under the Act rests exclusively with the MN AGO, which currently has six attorneys and an investigator in its Privacy Unit, but in many cases the Unit works collaboratively with other states.  According to Lewellen, from an enforcement perspective, the MCDPA is ​“nice and clear” (compared to UDAP litigation) because it avoids debates over what is fair or unfair and instead turns on straightforward compliance questions, such as whether a company is processing data rights requests as required. The challenge for the MN AGO has therefore not been identifying violations, but prioritizing targets and allocating enforcement resources in a smart, strategic way.

Priorities, Outreach, and Engagement

Lewellen explained that prioritization has focused on emergent problems, companies that are uncooperative or unwilling to comply, and entities that simply do not respond to the MN AGO without some additional ​“nudge.” The Office also emphasized that privacy enforcement is an area where legal analysis alone is insufficient, requiring reliance on technologists and people with other expertise to ensure compliance with the law.

The MN AGO has been focusing on outreach to industry, attorneys, and consumers regarding the Act and has a number of public-facing resources available, including a data privacy complaint form and rights requests templates. The Office has been actively communicating with entities where potential issues are identified, remaining open to dialogue and engagement. The MN AGO said that generally speaking, those businesses have been willing to make changes to privacy notices or other privacy practices once concerns were raised. Prior to January 31, 2026, the Office relied on letters to notify entities of violations and provided a statutorily mandated 30 day opportunity to cure before initiating enforcement. Although the requirement for a formal cure period has now expired, the MN AGO indicated that similar letters may still be used as a tool, but that formal notice letters will be rare, and that the Office will continue to rely primarily on informal outreach, such as emails or phone calls, as an initial point of contact. The Office described this as an opportunity for companies to engage off the record, without being required to submit a formal written response or verified answers, before the state issues a broad civil investigative demand.

Consumer Complaints and Responses

Since July 2025, Minnesotans have submitted more than 200 complaints related to the Act, including data rights requests, allegations of improper data use, and reports of data breaches—a significant volume for Minnesota, particularly given that the complaints arise under a single statute. The MN AGO noted that the quality and caliber of the complaints from consumers often come from a dedicated group of individuals (and repeat complainants) who are interested not only in their rights but in testing the boundaries of companies’ privacy procedures.

The MN AGO employs a range of graduated responses when addressing complaints received under the Act, beginning with education and informal engagement. In some cases, the Office focuses on educating consumers, such as directing consumers to template request forms available on the Office’s website. In other instances, the Office may educate businesses, particularly where noncompliance appears to stem from outdated practices—for example, when a business does not accept complaints from Minnesota consumers because its privacy policy has not been updated since the law took effect. The MN AGO also facilitates dispute mediation by sharing information received from a consumer with the business and requesting a response.

Where concerns appear systemic, the MN AGO may escalate its response by issuing a communication to a business referred to as violation, notice, or enforcement letters. These letters typically include education, outreach, and enforcement information; identify specific provisions of the Act with which a privacy notice or business practice may not comply; request that the business assess whether it is subject to the statute; and seek a meeting—often within 30 days—to discuss the issues, provide guidance, and understand the company’s position.  Recipients of the enforcement letters have been most frequently in the retail sector, followed by data brokers, and then to a lesser extent, to technology, insurance, and nonprofit entities. In more limited circumstances, the MN AGO may issue a civil investigative demand, a form of pre litigation discovery supported by a minimally descriptive statement of the Office’s reasonable belief in its authority, which has been used primarily to address emergent issues or particularly recalcitrant entities that fail to respond meaningfully to notice letters.

Enforcement as the MCDPA Matures

The MN AGO explained that the core goal of the MCDPA—as with all statutes they enforce—is to promote good behavior, not to surprise or ambush. Enforcement efforts are focused on areas where there is real, meaningful harm to consumers, particularly structural issues that undermine the ability to exercise statutory rights. A key example is the failure to honor universal opt out mechanisms, which the Office views as a technical but critical tool designed to make consumer choice reasonable and meaningful. The MN AGO also prioritizes violations involving sensitive data as defined in Minnesota statute—such as precise geolocation, health data, or other sensitive personal information—especially where such data is processed, stored, or misused without the significant affirmative consent required by law. These focus areas generally align with enforcement priorities across other states at a high-level.

Now that the law has been in effect for some time, the expectation is compliance, and entities are more likely than in prior months to receive enforcement letters or civil investigative demands. Businesses are expected to be actively assessing their data privacy practices and operationalizing compliance, particularly if they are implicated as controllers or processors under the statute. The Office views failures to respond to consumer rights requests, to maintain compliant privacy notices, to honor universal opt out mechanisms, or to implement internal structures for handling consumer complaints as increasingly concerning at this stage.

Key MN AGO Messages for Businesses

• Don’t ignore communications from attorneys general offices. Have mechanisms in place to flag and respond to such complaints.
• Be honest and forthright—particularly where AG requests are overbroad or impractical—recognizing that enforcers do not always understand a company’s internal systems.
• Early cooperation can help focus investigations, reduce the scope of discovery, and facilitate resolution before remedies, penalties, and fees escalate.
• Demonstrating compliance efforts—especially by fixing issues without requiring court intervention—can meaningfully mitigate enforcement burdens, while stonewalling or noncooperation significantly increases the likelihood that the Office will seek to compel compliance.
• “Do the math” in regard to the MCDPA: with penalties of up to $7,500 per violation, counsel should help clients weigh the comparatively lower cost of compliance against the potentially far greater cost of noncompliance.