Minnesota’s Consumer Data Privacy Act: How Minnesota Policy Can Freeze ICE Out

ICE Storms the Country

On January 6, 2026, President Trump deployed thousands of Immigration and Customs Enforcement (ICE) agents and personnel to Minneapolis, Minnesota, and unleashed massive chaos. Two US citizens, Renee Nicole Good and Alex Paretti, were killed while protesting against ICE. By early 2026, at least six individuals died at the hands of ICE agents, and over 70,000 immigrants had been detained nationwide. Despite Homeland Security Secretary Kristi Noem claiming that most of the detainees have committed crimes, the data points to a mere 26%-27% of detainees with criminal convictions. 

ICE relies heavily on data tracking to plan and target raids, which includes access to publicly available databases and sensitive personal data purchased from private companies. The Department of Homeland Security (DHS) has contracted with firms like Tangles and Webloc to buy cell phone location and social media data, allowing ICE to locate specific individuals and conduct large-scale arrests with ease. Although ICE attempts to mitigate data privacy risks in its Privacy Impact Assessments, these reports suggest that individuals may unknowingly share data.  

On February 12, the Trump administration announced the withdrawal of 700 ICE agents from Minnesota. Yet, with 2,000 agents still stationed in the state, concerns about safety and privacy persist. Border Czar Tom Homan reaffirmed that enforcement operations would continue in Minnesota and nationwide.

Organizations like the ACLU and EPIC have long challenged ICE’s secrecy around its surveillance tools. In Carpenter v. United States, the Supreme Court ruled that the government requires warrants for cell tower location data. In response to a recent ACLU lawsuit, ICE argued that this decision does not include information from business records or third-party disclosures. The validity of this argument is up in the air: surveillance and tracking are complicated issues and require nuanced answers. Increased access to data, by both companies and government agencies, opens new constitutional questions of what violates the 4th Amendment right to privacy. As tensions persist, more Americans are concerned about protecting their personal information. 

Minnesota Consumer Data Privacy Act (MCDPA)

The Minnesota Consumer Data Privacy Act became effective in July 2025, making Minnesota one of nineteen states that have passed extensive consumer data privacy laws. It enables Minnesotans to block their private information from data brokers. The Act protects six key consumer rights:

1. Knowing and accessing personal data processed by a controller

2. Correcting inaccurate personal data

3. Deleting personal data

4. Obtaining copies of personal data

5. Opting out of data processing for targeted advertisements, data sales, or profiling

6. Questioning how data is profiled

The most impactful rights are those that allow residents to delete information or opt out of data processing. Doing so limits the sale of personal data that may otherwise end up accessible to federal agencies, including ICE. Under the MCDPA, individuals can restrict data such as their name, address, location history, internet activity, and sensitive demographic details. Companies must respond to consumer requests within 45 days.

While small businesses are generally exempt, the MCDPA applies to entities that either: process data from at least 100,000 consumers annually, or earn at least 25% of revenue from data related to 25,000 or more consumers. Covered entities must be transparent about how they collect and use data. By clarifying privacy policies, the Act reduces uncertainty about how consumer information is handled. Certain exemptions apply, including for government agencies, financial institutions, and health or education data. Despite these limitations, the MCDPA marks a significant step toward greater privacy protection for Minnesotans.

The Act is enforced by the Minnesota Attorney General’s Office, which has dedicated staff for oversight. Violations can result in civil penalties of up to $7,500 per infraction. In response to ICE’s use of commercial data, Attorney General Keith Ellison urged residents to use their rights under the MCDPA to limit the availability of personal data that might otherwise be misused.

ICE Comes for Your Data  

ICE’s current data practices primarily rely on access to data collected for other purposes, including commercially obtained datasets, forensic extraction from seized devices, and information sharing with other government agencies. This approach has expanded the scale and precision of immigration enforcement while operating with limited public transparency.

In September 2025, ICE expanded its digital forensics capacity by activating a $2 million contract with Paragon Solutions, which provides remote access to mobile devices, followed shortly by an $11 million contract for Cellebrite forensic tools capable of unlocking and extracting data from phones in government custody. Procurement records describe these tools as necessary for ICE’s Cyber Crimes Center to conduct logical, file-system, physical, and password-level extractions from mobile devices. The Cyber Crimes Center operates within Homeland Security Investigations, the branch of ICE responsible for organized crime investigations rather than routine civil immigration enforcement.

ICE’s access to extracted device data exists alongside the broad search authority exercised by the U.S. Customs and Border Protection at the border. Wired reports that CBP searched 14,899 electronic devices between April and June 2025, a 16.7 percent increase over the previous quarterly record set in early 2022. These searches range from basic manual review of a device’s contents to advanced searches using forensic tools to copy large volumes of data, including deleted files and metadata. While overall device searches have increased, the number of advanced forensic searches has remained relatively stable.

Beyond device searches, ICE increasingly relies on data it does not collect directly. Reporting indicates that ICE has accessed nationwide insurance-claims databases and license-plate reader networks, without publicly explaining how these datasets are used. ICE has also sought access to sensitive government-held records. On April 7, 2025, the IRS and ICE entered into a Memorandum of Understanding permitting limited information sharing for immigration-related criminal investigations. Despite internal legal objections, the IRS disclosed tens of thousands of taxpayer records to ICE later that year. In November 2025, a federal judge blocked further disclosures, finding the agreement likely unlawful and inconsistent with longstanding taxpayer privacy protections.

ICE’s enforcement model depends on repurposed, person-level data originally collected for commercial, administrative, or unrelated government functions, raising persistent questions about notice, consent, and legal limits on downstream government use.

ICE’s reliance on commercially obtained data, interagency records, and forensic extraction tools has reshaped immigration enforcement. Rather than depending primarily on direct, individualized surveillance, ICE can identify individuals, infer associations, and plan enforcement actions using location data, communications metadata, license-plate reader databases, and information extracted from seized devices. This data-driven approach enables enforcement actions to be conducted more efficiently and at a greater scale while reducing reliance on prolonged physical surveillance.

Because enforcement decisions may draw on data generated through everyday activities—such as mobile app use, travel, and online communication—individuals can become targets without any direct interaction with immigration authorities. This dynamic contributes to chilling effects within immigrant communities, discouraging movement, online participation, and engagement with public life due to uncertainty about how personal data may be accessed, shared, or reused.

Individual Recourse

State-level privacy laws, including the MCDPA, can limit data use at the point of collection but cannot restrict federal agencies from acquiring or repurposing data once it enters lawful circulation. Data brokers and interagency arrangements allow personal information to circulate widely and often invisibly—disproportionately affecting individuals with limited resources or digital literacy. The Illinois Biometric Information Privacy Act (BIPA) demonstrates a stronger approach: requiring explicit consent, limiting retention, and empowering individuals to sue violators directly. By contrast, the MCDPA lacks a private right of action, functioning primarily as an upstream regulatory measure rather than a downstream enforcement barrier.

While individuals have little recourse to ensure their digital safety, there are practical steps one can take to minimize the risk: 

• Minimizing data shared during account creation

• Using strong passwords and two-factor authentication

• Disabling unnecessary app permissions and location services

• Using encrypted communication tools

• Regularly reviewing privacy settings and deleting unused accounts

The Minnesota Attorney General’s consumer alert on January 15, 2026, echoes these strategies, emphasizing that exercising MCDPA rights—especially data deletion—can reduce one’s digital footprint and exposure to surveillance.

Businesses Tread Carefully

Businesses increasingly operate at the intersection of consumer data practices and immigration enforcement, with direct implications for public trust. Survey data shows that while companies continue to expand personal data collection, consumers remain deeply concerned about how their data is used and shared, particularly with government agencies. Many consumers report distrust in corporate data practices and reluctance to share personal information, even as business leaders underestimate the extent of these concerns. 

As awareness of corporate collaboration with ICE grows, reputational risk has become a material consideration alongside legal compliance. Reporting and organizing guides describe how communities identify corporate ties to ICE by tracing contracts, subsidies, political donations, and indirect partnerships through public records and procurement databases. These efforts have supported consumer boycotts and worker-led campaigns that have successfully pressured companies to sever ICE-related contracts or logistical support.

This creates tension for businesses. Privacy laws and consumer expectations encourage transparency and data minimization, but the lack of clear federal limits on data sharing with immigration authorities allows companies to meet formal legal requirements without meaningfully reducing downstream harm.

Conclusion 

Minnesota’s Consumer Data Privacy Act gives residents tools to limit how companies collect and sell their personal information. But once that data is lawfully transferred, state law does little to restrict how federal agencies use it. As immigration enforcement becomes increasingly data-driven, the limits of state privacy protections become clear. Proposed federal legislation targeting data brokerage reflects growing recognition of this gap, but unless Congress imposes clearer limits on government access, privacy safeguards will remain strongest at the point of collection—and weakest at the point of enforcement.

*The views expressed in this article do not represent the views of Santa Clara University.