
Minnesota's Data Inventory Requirement: why this matters for every business

Leïla Sayssa
10 March 2026·10 minutes read time

Minnesota quietly did something no US state had done before. Buried inside the Minnesota Consumer Data Privacy Act (MCDPA), which took effect on July 31, 2025, is a single sentence that represents a significant shift in how American privacy law thinks about organizational accountability.

"A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities."

It is the first time any US state has written a data inventory mandate directly into statute, not as a best practice, not as implied good hygiene, but as an explicit legal obligation. Minnesota is the first state to require businesses to maintain such data inventories.

And even if your business never processes a single Minnesota resident's data, this requirement deserves your full attention.

What the MCDPA actually requires

Who it applies to

The Act applies to legal entities that conduct business in Minnesota or produce products or services targeted to Minnesota residents and, during a calendar year, control or process personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.

It also covers entities that derive over 25 percent of gross revenue from the sale of personal data and process or control personal data of 25,000 consumers or more.

Importantly, unlike many other state privacy laws, Minnesota's law applies to nonprofits beginning July 31, 2029, making it one of the few states to eventually regulate nonprofit organizations under privacy law.

The inventory obligation itself

The MCDPA does not specify a format, a tool, or a minimum set of fields for the data inventory. What it does do is tie the inventory directly to the security obligation.

The inventory must cover the data "that must be managed" to exercise reasonable security practices — meaning it needs to reflect what you actually hold, not just what you think you hold.

The Minnesota Attorney General's Office may request a copy of the data inventory, which means it is a live compliance document with real enforcement exposure, not an internal worksheet that lives in a drawer.

The documentation layer on top

The MCDPA adds another novel obligation that amplifies the inventory requirement: covered entities are required to document and maintain a copy of the policies and procedures adopted to comply with the law, including, as applicable, the contact responsible for implementing the respective policies and procedures, how the business will comply with data subject access requests, required security practices (including the data inventory), and retention policies and practices.

Your inventory doesn't just need to exist; it needs to sit inside a documented, maintained compliance framework.


Why the inventory requirement is smarter than it looks

At first glance, requiring a data inventory as part of a security obligation might seem like a technicality. It isn't.

It reflects a sophisticated legal theory: you cannot protect data you don't know you have, and you cannot claim to have reasonable security practices if you have no visibility into what you're supposed to be protecting.

A modern data inventory is not just a spreadsheet. It is a living map that tells you what personal data you hold, where it lives, who can access it, how it flows, and why you keep it.

This single source of truth has compounding compliance value across every obligation in the MCDPA, and far beyond it:

  • Consumer rights fulfillment. When a Minnesota consumer submits an access or deletion request, you have 45 days to respond. Without a current inventory, locating all the places that consumer's data lives across your systems is a fire drill. With one, it becomes a workflow.

  • Data minimization. The MCDPA requires controllers to limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes for which the data are processed. You cannot enforce minimization against data you haven't mapped.

  • Third-party disclosure rights. Minnesota gives consumers a right that most other states don't: the right to obtain a list of specific third parties to whom the controller has disclosed the consumer's personal data, or if that is not possible, a list of specific third parties to whom the controller has disclosed any consumer's personal data. Answering this request accurately requires an inventory that tracks data flows to third parties, not just data categories.

  • Sensitive data consent. Covered businesses must obtain consent from the data subject before processing sensitive personal information, which includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, citizenship or immigration status, and precise geolocation. Knowing which of your data assets contain sensitive categories, which requires an inventory, is the precondition for managing consent correctly.

  • Breach response. If a datastore is exposed, your inventory tells you which data classes and populations were affected, accelerating containment, notification, and regulator communications. This is not a theoretical benefit: breach notification timelines are tight, and regulators expect precise answers about what data was involved.


Why this matters far beyond Minnesota

Here is the part that should get the attention of every privacy professional regardless of whether they have a single Minnesota user in their system: this requirement signals a direction of travel for US privacy law as a whole, and that direction is toward operational accountability.

It is already implied everywhere else

Even in states that have not written the data inventory mandate into statute, the practical impossibility of complying with privacy law without a current inventory is self-evident. Consider what you need a data inventory to do in any state with a comprehensive privacy law:

  • Respond to consumer access, correction, deletion, and portability requests within statutory deadlines
  • Honor opt-out signals (including the GPC) by knowing which data flows constitute a "sale" or "sharing"
  • Conduct data protection assessments for high-risk processing activities
  • Enforce data retention limits — you can't delete data on schedule if you don't know where it is
  • Execute processor and vendor agreements that accurately describe the data being transferred
  • Produce accurate privacy notices disclosing the categories of data you collect and the purposes for which you process it

The MCDPA made explicit what every other state law implies. The gap between those states and Minnesota is one of language, not of practical compliance reality.

It is already the international standard

For any organization with GDPR exposure, the data inventory requirement is already a lived reality.

Article 30 of the GDPR has required Records of Processing Activities (RoPA) since 2018, a comprehensive, maintained inventory of all processing activities including categories of data, purposes, retention periods, and international transfers.

While the MCDPA's data inventory requirement is groundbreaking for US law, its lack of specificity means businesses must proactively interpret and implement it, drawing on best practices from GDPR and other state laws.

If your organization has already built a GDPR-compliant RoPA, you have the foundation for MCDPA compliance and for the wave of inventory obligations that US state law is heading toward. If you haven't, Minnesota just gave you a legal reason to start, and every other privacy obligation you carry gave you ten more.


What a compliant data inventory actually looks like

The MCDPA doesn't prescribe a format, but a defensible, practical inventory for MCDPA compliance, and for broader multistate compliance readiness, should address the following dimensions for each category of personal data you process:

What you have: Data categories (name, email, health data, biometric data, financial information, precise geolocation, etc.), data sources (collected directly, received from third parties, derived), and whether the data falls into a sensitive category under applicable law.

Where it lives: Systems, databases, cloud environments, third-party platforms, and processors that hold or can access the data.

Why you have it: The specific business purposes for which the data was collected, and whether those purposes have been disclosed to consumers in your privacy notice.

Who has access to it: Internal teams, third-party processors, and any entities to whom you sell or share the data — including for targeted advertising purposes.

How long you keep it: Retention periods by data category and the legal or business justification for each retention period.

What security controls apply: The administrative, technical, and physical controls protecting each category of data, which is precisely what the MCDPA links the inventory obligation to.

This is not a one-time exercise. The inventory must be maintained, meaning it needs to be updated when you launch new products, onboard new vendors, change your processing purposes, or modify your retention practices.


The enforcement picture

The Minnesota Attorney General has exclusive enforcement authority under the MCDPA. There is no private right of action. Violations are subject to civil penalties of up to $7,500 per violation.

The cure period, which gave businesses a grace window through the warning letter requirement, expired on January 31, 2026. That means the AG can now initiate enforcement without first issuing a warning notice.

The MCDPA included funding for the office to hire four new attorneys as well as an investigator who will primarily focus on the enforcement of this legislation, which is an unusually concrete signal of enforcement intent.


Where Dastra comes in

This is precisely the compliance challenge that Dastra was built for. A data inventory mandate like the MCDPA's is only manageable at scale if you have tooling that makes inventory creation, maintenance, and governance a continuous operational capability rather than a periodic manual project.

Dastra's data mapping and RoPA features let you build and maintain a living record of your processing activities, tied directly to your privacy notices, your data subject request workflows, your vendor contracts, and your data protection assessments.

When Minnesota's AG requests your inventory, it should take minutes to generate with our export features, not weeks to reconstruct. When a new state law adds an obligation that traces back to knowing what data you hold, you should already have the answer.

Even if you're outside Minnesota, the direction of travel is clear: more states are adopting operational privacy obligations that demand real visibility and control. The data inventory is not a Minnesota problem. It is the foundation of modern privacy compliance, and Minnesota just made that official.


Still not convinced? Check out our article "31 compelling reasons to use software for your RoPA"

