Minnesota 2025-2026 Regular Session

Minnesota House Bill HF2700 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1	1.1 A bill for an act
2	2	1.2 relating to consumer protection; modifying the Minnesota Consumer Data Privacy
3	3	1.3 Act to make consumer health data a form of sensitive data; adding additional
4	4	1.4 protections for sensitive data; amending Minnesota Statutes 2024, sections
5	5	1.5 325M.11; 325M.12; 325M.16, subdivision 2; 325M.18; 325M.20; proposing coding
6	6	1.6 for new law in Minnesota Statutes, chapter 325M; repealing Minnesota Statutes
7	7	1.7 2024, section 325M.17.
8	8	1.8BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
9	9	1.9 Section 1. Minnesota Statutes 2024, section 325M.11, is amended to read:
10	10	1.10 325M.11 DEFINITIONS.
11	11	1.11 (a) For purposes of sections 325M.10 to 325M.21, the following terms have the meanings
12	12	1.12given.
13	13	1.13 (b) "Affiliate" means a legal entity that controls, is controlled by, or is under common
14	14	1.14control with another legal entity. For purposes of this paragraph, "control" or "controlled"
15	15	1.15means: ownership of or the power to vote more than 50 percent of the outstanding shares
16	16	1.16of any class of voting security of a company; control in any manner over the election of a
17	17	1.17majority of the directors or of individuals exercising similar functions; or the power to
18	18	1.18exercise a controlling influence over the management of a company.
19	19	1.19 (c) "Authenticate" means to use reasonable means to determine that a request to exercise
20	20	1.20any of the rights under section 325M.14, subdivision 1, paragraphs (b) to (h), is being made
21	21	1.21by or rightfully on behalf of the consumer who is entitled to exercise the rights with respect
22	22	1.22to the personal data at issue.
23	23	1.23 (d) "Biometric data" means data generated by automatic measurements of an individual's
24	24	1.24biological characteristics, including a fingerprint, a voiceprint, eye retinas, irises, or other
25	25	1Section 1.
26	26	REVISOR VH/HL 25-0404303/11/25
27	27	State of Minnesota
28	28	This Document can be made available
29	29	in alternative formats upon request
30	30	HOUSE OF REPRESENTATIVES
31	31	H. F. No. 2700
32	32	NINETY-FOURTH SESSION
33	33	Authored by Elkins, Scott, Feist, Smith, Bahner and others03/24/2025
34	34	The bill was read for the first time and referred to the Committee on Judiciary Finance and Civil Law 2.1unique biological patterns or characteristics that are used to identify a specific individual.
35	35	2.2Biometric data does not include:
36	36	2.3 (1) a digital or physical photograph;
37	37	2.4 (2) an audio or video recording; or
38	38	2.5 (3) any data generated from a digital or physical photograph, or an audio or video
39	39	2.6recording, unless the data is generated to identify a specific individual.
40	40	2.7 (e) "Child" has the meaning given in United States Code, title 15, section 6501.
41	41	2.8 (f) "Consent" means any freely given, specific, informed, and unambiguous indication
42	42	2.9of the consumer's wishes by which the consumer signifies agreement to the processing of
43	43	2.10personal data relating to the consumer. Acceptance of a general or broad terms of use or
44	44	2.11similar document that contains descriptions of personal data processing along with other,
45	45	2.12unrelated information does not constitute consent. Hovering over, muting, pausing, or closing
46	46	2.13a given piece of content does not constitute consent. A consent is not valid when the
47	47	2.14consumer's indication has been obtained by a dark pattern. A consumer may revoke consent
48	48	2.15previously given, consistent with sections 325M.10 to 325M.21.
49	49	2.16 (g) "Consumer" means a natural person who is a Minnesota resident acting only in an
50	50	2.17individual or household context. Consumer does not include a natural person acting in a
51	51	2.18commercial or employment context.
52	52	2.19 (h) "Controller" means the natural or legal person who, alone or jointly with others,
53	53	2.20determines the purposes and means of the processing of personal data.
54	54	2.21 (i) "Decisions that produce legal or similarly significant effects concerning the consumer"
55	55	2.22means decisions made by the controller that result in the provision or denial by the controller
56	56	2.23of financial or lending services, housing, insurance, education enrollment or opportunity,
57	57	2.24criminal justice, employment opportunities, health care services, or access to essential goods
58	58	2.25or services.
59	59	2.26 (j) "Dark pattern" means a user interface designed or manipulated with the substantial
60	60	2.27effect of subverting or impairing user autonomy, decision making, or choice.
61	61	2.28 (k) "Deidentified data" means data that cannot reasonably be used to infer information
62	62	2.29about or otherwise be linked to an identified or identifiable natural person or a device linked
63	63	2.30to an identified or identifiable natural person, provided that the controller that possesses the
64	64	2.31data:
65	65	2Section 1.
66	66	REVISOR VH/HL 25-0404303/11/25 3.1 (1) takes reasonable measures to ensure that the data cannot be associated with a natural
67	67	3.2person;
68	68	3.3 (2) publicly commits to process the data only in a deidentified fashion and not attempt
69	69	3.4to reidentify the data; and
70	70	3.5 (3) contractually obligates any recipients of the information to comply with all provisions
71	71	3.6of this paragraph.
72	72	3.7 (l) "Delete" means to remove or destroy information so that it is not maintained in human-
73	73	3.8or machine-readable form and cannot be retrieved or utilized in the ordinary course of
74	74	3.9business.
75	75	3.10 (m) "Genetic information" has the meaning given in section 13.386, subdivision 1.
76	76	3.11 (n) "Geofence" means technology that uses global positioning coordinates, cell tower
77	77	3.12connectivity, cellular data, radio frequency identification, Wi-Fi data, or any other form of
78	78	3.13spatial or location detection to establish a virtual boundary, with an accuracy of more than
79	79	3.14three decimal degrees of latitude and longitude or the equivalent in an alternative geographic
80	80	3.15coordinate system, around the perimeter of a specific physical location or to locate a
81	81	3.16consumer within the virtual boundary.
82	82	3.17 (o) "Health care services or supplies" means any service, surgery, procedure, treatment,
83	83	3.18or product, including medication or medical devices, that a person may use to assess,
84	84	3.19measure, improve, or learn about a person's past, present, or future mental or physical health.
85	85	3.20 (p) "Health data" means personal data that identifies a consumer's past, present, or future
86	86	3.21mental or physical health status. For purposes of this definition, mental or physical health
87	87	3.22status includes but is not limited to:
88	88	3.23 (1) individual health conditions, treatments, diseases, or diagnoses;
89	89	3.24 (2) social, psychological, behavioral, and medical interventions;
90	90	3.25 (3) health-related surgeries or procedures;
91	91	3.26 (4) use or purchase of medication;
92	92	3.27 (5) bodily functions, vital signs, symptoms, or measurements of the information described
93	93	3.28in this paragraph;
94	94	3.29 (6) diagnoses or diagnostic testing, treatment, or medication;
95	95	3.30 (7) biometric data;
96	96	3.31 (8) genetic information;
97	97	3Section 1.
98	98	REVISOR VH/HL 25-0404303/11/25 4.1 (9) specific geolocation data that could reasonably indicate a consumer's seeking or
99	99	4.2obtaining past, present, or future health care services or supplies;
100	100	4.3 (10) data that identifies a consumer's seeking or obtaining health care services or supplies
101	101	4.4in the past, present, or future;
102	102	4.5 (11) data that identifies a consumer's seeking or obtaining information about health care
103	103	4.6services or supplies in the past, present, or future; or
104	104	4.7 (12) any information that is derived or extrapolated from personal data but that is not
105	105	4.8itself health data that a controller or processor uses by any means, including algorithms,
106	106	4.9machine learning, or profiling, to associate or identify a consumer with the data described
107	107	4.10in clauses (1) to (11), such as proxy, derivative, inferred, or emergent data.
108	108	4.11 (n) (q) "Identified or identifiable natural person" means a person who can be readily
109	109	4.12identified, directly or indirectly.
110	110	4.13 (o) (r) "Known child" means a person under circumstances where a controller has actual
111	111	4.14knowledge of, or willfully disregards, that the person is under 13 years of age.
112	112	4.15 (p) (s) "Personal data" means any information that is linked or reasonably linkable to
113	113	4.16an identified or identifiable natural person. Personal data does not include deidentified data
114	114	4.17or publicly available information. For purposes of this paragraph, "publicly available
115	115	4.18information" means information that (1) is lawfully made available from federal, state, or
116	116	4.19local government records or widely distributed media, or (2) a controller has a reasonable
117	117	4.20basis to believe has lawfully been made available to the general public.
118	118	4.21 (q) (t) "Process" or "processing" means any operation or set of operations that are
119	119	4.22performed on personal data or on sets of personal data, whether or not by automated means,
120	120	4.23including but not limited to the collection, use, storage, disclosure, analysis, deletion, or
121	121	4.24modification of personal data.
122	122	4.25 (r) (u) "Processor" means a natural or legal person who processes personal data on behalf
123	123	4.26of a controller.
124	124	4.27 (s) (v) "Profiling" means any form of automated processing of personal data to evaluate,
125	125	4.28analyze, or predict personal aspects related to an identified or identifiable natural person's
126	126	4.29economic situation, health, personal preferences, interests, reliability, behavior, location,
127	127	4.30or movements.
128	128	4.31 (t) (w) "Pseudonymous data" means personal data that cannot be attributed to a specific
129	129	4.32natural person without the use of additional information, provided that the additional
130	130	4.33information is kept separately and is subject to appropriate technical and organizational
131	131	4Section 1.
132	132	REVISOR VH/HL 25-0404303/11/25 5.1measures to ensure that the personal data are not attributed to an identified or identifiable
133	133	5.2natural person.
134	134	5.3 (u) (x) "Sale," "sell," or "sold" means the exchange of personal data for monetary or
135	135	5.4other valuable consideration by the controller to a third party. Sale does not include sharing
136	136	5.5as defined in this section. Sale does not include the following:
137	137	5.6 (1) the disclosure of personal data to a processor who processes the personal data on
138	138	5.7behalf of the controller;
139	139	5.8 (2) the disclosure of personal data to a third party for purposes of providing a product
140	140	5.9or service requested by the consumer;
141	141	5.10 (3) the disclosure or transfer of personal data to an affiliate of the controller;
142	142	5.11 (4) the disclosure of information that the consumer intentionally made available to the
143	143	5.12general public via a channel of mass media and did not restrict to a specific audience;
144	144	5.13 (5) the disclosure or transfer of personal data to a third party as an asset that is part of a
145	145	5.14completed or proposed merger, acquisition, bankruptcy, or other transaction in which the
146	146	5.15third party assumes control of all or part of the controller's assets; or
147	147	5.16 (6) the exchange of personal data between the producer of a good or service and
148	148	5.17authorized agents of the producer who sell and service the goods and services, to enable
149	149	5.18the cooperative provisioning of goods and services by both the producer and the producer's
150	150	5.19agents.
151	151	5.20 (v) (y) Sensitive data is a form of personal data. "Sensitive data" means:
152	152	5.21 (1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical
153	153	5.22health condition or diagnosis, sexual orientation, or citizenship or immigration status;
154	154	5.23 (2) the processing of biometric data or genetic information for the purpose of uniquely
155	155	5.24identifying an individual;
156	156	5.25 (3) the personal data of a known child; or
157	157	5.26 (4) specific geolocation data; or
158	158	5.27 (5) health data.
159	159	5.28 (z) "Share" or "sharing" means to release, disclose, disseminate, divulge, make available,
160	160	5.29provide access to, license, or otherwise communicate orally, in writing, or by electronic or
161	161	5.30other means, personal data. Share includes selling as defined in this section. Sharing does
162	162	5.31not include:
163	163	5Section 1.
164	164	REVISOR VH/HL 25-0404303/11/25 6.1 (1) the disclosure of personal data by a controller to a processor when the sharing is to
165	165	6.2provide goods or services in a manner consistent with the purpose for which the health data
166	166	6.3was collected and that was disclosed to the consumer;
167	167	6.4 (2) the disclosure of personal data to a third party with whom the consumer has a direct
168	168	6.5relationship when:
169	169	6.6 (i) the disclosure is for purposes of providing a product or service requested by the
170	170	6.7consumer;
171	171	6.8 (ii) the controller or processor maintains control and ownership of the data; and
172	172	6.9 (iii) the third party uses the personal data only as directed by the controller or processor
173	173	6.10and consistent with the purpose consented to by the consumer; or
174	174	6.11 (3) the disclosure or transfer of personal data to a third party as an asset that is part of a
175	175	6.12merger, acquisition, bankruptcy, or other transaction in which the third party assumes control
176	176	6.13of all or part of the controller's or processor's assets and complies with the requirements
177	177	6.14and obligations in this chapter.
178	178	6.15 (w) (aa) "Specific geolocation data" means information derived from technology,
179	179	6.16including but not limited to global positioning system level latitude and longitude coordinates
180	180	6.17or other mechanisms, that directly identifies the geographic coordinates of a consumer or
181	181	6.18a device linked to a consumer with an accuracy of more than three decimal degrees of
182	182	6.19latitude and longitude or the equivalent in an alternative geographic coordinate system, or
183	183	6.20a street address derived from the coordinates. Specific geolocation data does not include
184	184	6.21the content of communications, the contents of databases containing street address
185	185	6.22information which are accessible to the public as authorized by law, or any data generated
186	186	6.23by or connected to advanced utility metering infrastructure systems or other equipment for
187	187	6.24use by a public utility.
188	188	6.25 (x) (bb) "Targeted advertising" means displaying advertisements to a consumer where
189	189	6.26the advertisement is selected based on personal data obtained or inferred from the consumer's
190	190	6.27activities over time and across nonaffiliated websites or online applications to predict the
191	191	6.28consumer's preferences or interests. Targeted advertising does not include:
192	192	6.29 (1) advertising based on activities within a controller's own websites or online
193	193	6.30applications;
194	194	6.31 (2) advertising based on the context of a consumer's current search query or visit to a
195	195	6.32website or online application;
196	196	6Section 1.
197	197	REVISOR VH/HL 25-0404303/11/25 7.1 (3) advertising to a consumer in response to the consumer's request for information or
198	198	7.2feedback; or
199	199	7.3 (4) processing personal data solely for measuring or reporting advertising performance,
200	200	7.4reach, or frequency.
201	201	7.5 (y) (cc) "Third party" means a natural or legal person, public authority, agency, or body
202	202	7.6other than the consumer, controller, processor, or an affiliate of the processor or the controller.
203	203	7.7 (z) (dd) "Trade secret" has the meaning given in section 325C.01, subdivision 5.
204	204	7.8 Sec. 2. Minnesota Statutes 2024, section 325M.12, is amended to read:
205	205	7.9 325M.12 SCOPE; EXCLUSIONS.
206	206	7.10 Subdivision 1.Scope.(a) Except as specified under section 325M.175, sections 325M.10
207	207	7.11to 325M.21 apply to legal entities that conduct business in Minnesota or produce products
208	208	7.12or services that are targeted to residents of Minnesota, and that satisfy one or more of the
209	209	7.13following thresholds:
210	210	7.14 (1) during a calendar year, controls or processes personal data of 100,000 consumers or
211	211	7.15more, excluding personal data controlled or processed solely for the purpose of completing
212	212	7.16a payment transaction; or
213	213	7.17 (2) derives over 25 percent of gross revenue from the sale of personal data and processes
214	214	7.18or controls personal data of 25,000 consumers or more.
215	215	7.19 (b) A controller or processor acting as a technology provider under section 13.32 shall
216	216	7.20comply with sections 13.32 and 325M.10 to 325M.21, except that when the provisions of
217	217	7.21section 13.32 conflict with sections 325M.10 to 325M.21, section 13.32 prevails.
218	218	7.22 Subd. 2.Exclusions.(a) Sections 325M.10 to 325M.21 do not apply to the following
219	219	7.23entities, activities, or types of information:
220	220	7.24 (1) a government entity, as defined by section 13.02, subdivision 7a;
221	221	7.25 (2) a federally recognized Indian tribe;
222	222	7.26 (3) information that meets the definition of:
223	223	7.27 (i) protected health information, as defined by and for purposes of the Health Insurance
224	224	7.28Portability and Accountability Act of 1996, Public Law 104-191, and related regulations,
225	225	7.29if it is maintained by a covered entity or business associate subject to that law and its related
226	226	7.30regulations;
227	227	7Sec. 2.
228	228	REVISOR VH/HL 25-0404303/11/25 8.1 (ii) health records, as defined in section 144.291, subdivision 2, if it is maintained by a
229	229	8.2provider or other entity subject to the Minnesota Health Records Act;
230	230	8.3 (iii) patient identifying information for purposes of Code of Federal Regulations, title
231	231	8.442, part 2, established pursuant to United States Code, title 42, section 290dd-2;
232	232	8.5 (iv) identifiable private information for purposes of the federal policy for the protection
233	233	8.6of human subjects, Code of Federal Regulations, title 45, part 46; identifiable private
234	234	8.7information that is otherwise information collected as part of human subjects research
235	235	8.8pursuant to the good clinical practice guidelines issued by the International Council for
236	236	8.9Harmonisation; the protection of human subjects under Code of Federal Regulations, title
237	237	8.1021, parts 50 and 56; or personal data used or shared in research conducted in accordance
238	238	8.11with one or more of the requirements set forth in this paragraph;
239	239	8.12 (v) information and documents created for purposes of the federal Health Care Quality
240	240	8.13Improvement Act of 1986, Public Law 99-660, and related regulations; or
241	241	8.14 (vi) patient safety work product for purposes of Code of Federal Regulations, title 42,
242	242	8.15part 3, established pursuant to United States Code, title 42, sections 299b-21 to 299b-26;
243	243	8.16 (4) information that is derived from any of the health care-related information listed in
244	244	8.17clause (3), but that has been deidentified in accordance with the requirements for
245	245	8.18deidentification set forth in Code of Federal Regulations, title 45, part 164;
246	246	8.19 (5) information originating from, and intermingled to be indistinguishable with, any of
247	247	8.20the health care-related information listed in clause (3) that is maintained by:
248	248	8.21 (i) a covered entity or business associate, as defined by the Health Insurance Portability
249	249	8.22and Accountability Act of 1996, Public Law 104-191, and related regulations;
250	250	8.23 (ii) a health care provider, as defined in section 144.291, subdivision 2; or
251	251	8.24 (iii) a program or a qualified service organization, as defined by Code of Federal
252	252	8.25Regulations, title 42, part 2, established pursuant to United States Code, title 42, section
253	253	8.26290dd-2;
254	254	8.27 (6) information that is:
255	255	8.28 (i) maintained by an entity that meets the definition of health care provider under Code
256	256	8.29of Federal Regulations, title 45, section 160.103, to the extent that the entity maintains the
257	257	8.30information in the manner required of covered entities with respect to protected health
258	258	8.31information for purposes of the Health Insurance Portability and Accountability Act of
259	259	8.321996, Public Law 104-191, and related regulations;
260	260	8Sec. 2.
261	261	REVISOR VH/HL 25-0404303/11/25 9.1 (ii) included in a limited data set, as described under Code of Federal Regulations, title
262	262	9.245, part 164.514(e), to the extent that the information is used, disclosed, and maintained in
263	263	9.3the manner specified by that part;
264	264	9.4 (iii) maintained by, or maintained to comply with the rules or orders of, a self-regulatory
265	265	9.5organization as defined by United States Code, title 15, section 78c(a)(26);
266	266	9.6 (iv) originated from, or intermingled with, information described in clause (9) and that
267	267	9.7a licensed residential mortgage originator, as defined under section 58.02, subdivision 19,
268	268	9.8or residential mortgage servicer, as defined under section 58.02, subdivision 20, collects,
269	269	9.9processes, uses, or maintains in the same manner as required under the laws and regulations
270	270	9.10specified in clause (9); or
271	271	9.11 (v) originated from, or intermingled with, information described in clause (9) and that
272	272	9.12a nonbank financial institution, as defined by section 46A.01, subdivision 12, collects,
273	273	9.13processes, uses, or maintains in the same manner as required under the laws and regulations
274	274	9.14specified in clause (9);
275	275	9.15 (7) information used only for public health activities and purposes, as described under
276	276	9.16Code of Federal Regulations, title 45, part 164.512;
277	277	9.17 (8) an activity involving the collection, maintenance, disclosure, sale, communication,
278	278	9.18or use of any personal data bearing on a consumer's credit worthiness, credit standing, credit
279	279	9.19capacity, character, general reputation, personal characteristics, or mode of living by a
280	280	9.20consumer reporting agency, as defined in United States Code, title 15, section 1681a(f), by
281	281	9.21a furnisher of information, as set forth in United States Code, title 15, section 1681s-2, who
282	282	9.22provides information for use in a consumer report, as defined in United States Code, title
283	283	9.2315, section 1681a(d), and by a user of a consumer report, as set forth in United States Code,
284	284	9.24title 15, section 1681b, except that information is only excluded under this paragraph to the
285	285	9.25extent that the activity involving the collection, maintenance, disclosure, sale, communication,
286	286	9.26or use of the information by the agency, furnisher, or user is subject to regulation under the
287	287	9.27federal Fair Credit Reporting Act, United States Code, title 15, sections 1681 to 1681x, and
288	288	9.28the information is not collected, maintained, used, communicated, disclosed, or sold except
289	289	9.29as authorized by the Fair Credit Reporting Act;
290	290	9.30 (9) personal data collected, processed, sold, or disclosed pursuant to the federal
291	291	9.31Gramm-Leach-Bliley Act, Public Law 106-102, and implementing regulations, if the
292	292	9.32collection, processing, sale, or disclosure is in compliance with that law;
293	293	9Sec. 2.
294	294	REVISOR VH/HL 25-0404303/11/25 10.1 (10) personal data collected, processed, sold, or disclosed pursuant to the federal Driver's
295	295	10.2Privacy Protection Act of 1994, United States Code, title 18, sections 2721 to 2725, if the
296	296	10.3collection, processing, sale, or disclosure is in compliance with that law;
297	297	10.4 (11) personal data regulated by the federal Family Educational Rights and Privacy Act,
298	298	10.5United States Code, title 20, section 1232g, and implementing regulations;
299	299	10.6 (12) personal data collected, processed, sold, or disclosed pursuant to the federal Farm
300	300	10.7Credit Act of 1971, as amended, United States Code, title 12, sections 2001 to 2279cc, and
301	301	10.8implementing regulations, Code of Federal Regulations, title 12, part 600, if the collection,
302	302	10.9processing, sale, or disclosure is in compliance with that law;
303	303	10.10 (13) data collected or maintained:
304	304	10.11 (i) in the course of an individual acting as a job applicant to or an employee, owner,
305	305	10.12director, officer, medical staff member, or contractor of a business if the data is collected
306	306	10.13and used solely within the context of the role;
307	307	10.14 (ii) as the emergency contact information of an individual under item (i) if used solely
308	308	10.15for emergency contact purposes; or
309	309	10.16 (iii) that is necessary for the business to retain to administer benefits for another individual
310	310	10.17relating to the individual under item (i) if used solely for the purposes of administering those
311	311	10.18benefits;
312	312	10.19 (14) personal data collected, processed, sold, or disclosed pursuant to the Minnesota
313	313	10.20Insurance Fair Information Reporting Act in sections 72A.49 to 72A.505;
314	314	10.21 (15) data collected, processed, sold, or disclosed as part of a payment-only credit, check,
315	315	10.22or cash transaction where no data about consumers, as defined in section 325M.11, are
316	316	10.23retained;
317	317	10.24 (16) a state or federally chartered bank or credit union, or an affiliate or subsidiary that
318	318	10.25is principally engaged in financial activities, as described in United States Code, title 12,
319	319	10.26section 1843(k);
320	320	10.27 (17) information that originates from, or is intermingled so as to be indistinguishable
321	321	10.28from, information described in clause (8) and that a person licensed under chapter 56 collects,
322	322	10.29processes, uses, or maintains in the same manner as is required under the laws and regulations
323	323	10.30specified in clause (8);
324	324	10.31 (18) an insurance company, as defined in section 60A.02, subdivision 4, an insurance
325	325	10.32producer, as defined in section 60K.31, subdivision 6, a third-party administrator of
326	326	10Sec. 2.
327	327	REVISOR VH/HL 25-0404303/11/25 11.1self-insurance, or an affiliate or subsidiary of any entity identified in this clause that is
328	328	11.2principally engaged in financial activities, as described in United States Code, title 12,
329	329	11.3section 1843(k), except that this clause does not apply to a person that, alone or in
330	330	11.4combination with another person, establishes and maintains a self-insurance program that
331	331	11.5does not otherwise engage in the business of entering into policies of insurance;
332	332	11.6 (19) a small business, as defined by the United States Small Business Administration
333	333	11.7under Code of Federal Regulations, title 13, part 121, except that a small business identified
334	334	11.8in this clause is subject to section 325M.17;
335	335	11.9 (20) (19) a nonprofit organization that is established to detect and prevent fraudulent
336	336	11.10acts in connection with insurance; and
337	337	11.11 (21) (20) an air carrier subject to the federal Airline Deregulation Act, Public Law
338	338	11.1295-504, only to the extent that an air carrier collects personal data related to prices, routes,
339	339	11.13or services and only to the extent that the provisions of the Airline Deregulation Act preempt
340	340	11.14the requirements of sections 325M.10 to 325M.21.
341	341	11.15 (b) Controllers that are in compliance with the Children's Online Privacy Protection Act,
342	342	11.16United States Code, title 15, sections 6501 to 6506, and implementing regulations, shall be
343	343	11.17deemed compliant with any obligation to obtain parental consent under sections 325M.10
344	344	11.18to 325M.21 section 325M.16, subdivision 2, paragraph (g).
345	345	11.19Sec. 3. Minnesota Statutes 2024, section 325M.16, subdivision 2, is amended to read:
346	346	11.20 Subd. 2.Use of data.(a) A controller must limit the collection of personal data to what
347	347	11.21is adequate, relevant, and reasonably necessary in relation to the purposes for which the
348	348	11.22data are processed, which must be disclosed to the consumer.
349	349	11.23 (b) Except as provided in sections 325M.10 to 325M.21, a controller may not process
350	350	11.24personal data for purposes that are not reasonably necessary to, or compatible with, the
351	351	11.25purposes for which the personal data are processed, as disclosed to the consumer, unless
352	352	11.26the controller obtains the consumer's consent.
353	353	11.27 (c) A controller shall establish, implement, and maintain reasonable administrative,
354	354	11.28technical, and physical data security practices to protect the confidentiality, integrity, and
355	355	11.29accessibility of personal data, including the maintenance of an inventory of the data that
356	356	11.30must be managed to exercise these responsibilities. The data security practices shall be
357	357	11.31appropriate to the volume and nature of the personal data at issue.
358	358	11.32 (d) Except as otherwise provided in sections 325M.10 to 325M.21, A controller may
359	359	11.33not process sensitive data concerning a consumer without obtaining the consumer's consent,
360	360	11Sec. 3.
361	361	REVISOR VH/HL 25-0404303/11/25 12.1or, in the case of the processing of except with the consumer's consent to the processing for
362	362	12.2a specified purpose.
363	363	12.3 (e) A controller may not share a consumer's sensitive data with any party other than the
364	364	12.4consumer except with the consumer's consent to the specified sharing.
365	365	12.5 (f) A consumer's consent to share sensitive data under paragraph (e) must be separate
366	366	12.6and distinct from a consumer's consent to process the consumer's health data under paragraph
367	367	12.7(d). A consent under this subdivision must be obtained prior to the processing or sharing,
368	368	12.8as applicable, of the sensitive data. Any request for consent under this subdivision must
369	369	12.9clearly and conspicuously disclose:
370	370	12.10 (1) the categories of sensitive data processed or shared, as applicable;
371	371	12.11 (2) the purpose of the processing or sharing, as applicable, of the sensitive data, including
372	372	12.12the specific ways in which it will be used;
373	373	12.13 (3) the categories of entities with which the sensitive data is shared; and
374	374	12.14 (4) how the consumer can withdraw consent from future processing or sharing of the
375	375	12.15consumer's sensitive data.
376	376	12.16 (g) A controller may not process personal data concerning a known child, without
377	377	12.17obtaining consent from the child's parent or lawful guardian, in accordance with the
378	378	12.18requirement of the Children's Online Privacy Protection Act, United States Code, title 15,
379	379	12.19sections 6501 to 6506, and its implementing regulations, rules, and exemptions.
380	380	12.20 (e) (h) A controller shall provide an effective mechanism for a consumer, or, in the case
381	381	12.21of the processing of personal data concerning a known child, the child's parent or lawful
382	382	12.22guardian, to revoke previously given consent under this subdivision. The mechanism provided
383	383	12.23shall be at least as easy as the mechanism by which the consent was previously given. Upon
384	384	12.24revocation of consent, a controller shall cease to process the applicable data as soon as
385	385	12.25practicable, but not later than 15 days after the receipt of the request.
386	386	12.26 (f) (i) A controller may not process the personal data of a consumer for purposes of
387	387	12.27targeted advertising, or sell the consumer's personal data, without the consumer's consent,
388	388	12.28under circumstances where the controller knows that the consumer is between the ages of
389	389	12.2913 and 16.
390	390	12.30 (g) (j) A controller may not retain personal data that is no longer relevant and reasonably
391	391	12.31necessary in relation to the purposes for which the data were collected and processed, unless
392	392	12.32retention of the data is otherwise required by law or permitted under section 325M.19.
393	393	12Sec. 3.
394	394	REVISOR VH/HL 25-0404303/11/25 13.1 Sec. 4. [325M.175] REQUIREMENTS FOR THE SALE OF SENSITIVE DATA.
395	395	13.2 Subdivision 1.Scope; exclusions.(a) Notwithstanding section 325M.12, subdivision
396	396	13.31, a legal entity must comply with sections 325M.10 to 325M.21 as if it were a controller
397	397	13.4or processor if that legal entity:
398	398	13.5 (1) conducts business in Minnesota or produces products or services that are targeted to
399	399	13.6residents of Minnesota; and
400	400	13.7 (2) is a controller or processor of sensitive data.
401	401	13.8 (b) The requirements and restrictions specific to sensitive data in this section are in
402	402	13.9addition to the requirements and restrictions in sections 325M.10 to 325M.21 for personal
403	403	13.10data generally, including the requirements for sensitive data under section 325M.16,
404	404	13.11subdivision 2, paragraphs (d) to (f).
405	405	13.12 (c) The exclusions in section 325M.12, subdivision 2, apply to this section.
406	406	13.13 Subd. 2.Requirements specific to the sale of sensitive data.(a) It is unlawful for any
407	407	13.14person to sell or offer to sell a consumer's sensitive data without first obtaining valid
408	408	13.15authorization from the consumer. The sale of a consumer's sensitive data must be consistent
409	409	13.16with the valid authorization signed by the consumer. This authorization must be separate
410	410	13.17and distinct from a consent obtained by a controller to process or share sensitive data under
411	411	13.18section 325M.16, subdivision 2, paragraphs (d) to (f).
412	412	13.19 (b) A valid authorization to sell a consumer's sensitive data is a document consistent
413	413	13.20with this subdivision and must be written in plain language. A valid authorization to sell a
414	414	13.21consumer's sensitive data must contain the following:
415	415	13.22 (1) the specific sensitive data, concerning the specific consumer, that the person intends
416	416	13.23to sell;
417	417	13.24 (2) the name and contact information of the person collecting and selling the sensitive
418	418	13.25data;
419	419	13.26 (3) the name and contact information of the person purchasing the sensitive data from
420	420	13.27the seller identified in clause (2);
421	421	13.28 (4) a description of the purpose for the sale, including how the sensitive data will be
422	422	13.29gathered and how it will be used by the purchaser identified in clause (3) when sold;
423	423	13.30 (5) a statement that the provision of goods or services to the consumer may not be
424	424	13.31conditioned on the consumer signing the valid authorization;
425	425	13Sec. 4.
426	426	REVISOR VH/HL 25-0404303/11/25 14.1 (6) a statement that the consumer has a right to revoke the valid authorization at any
427	427	14.2time and a description of how to submit a revocation of the valid authorization;
428	428	14.3 (7) a statement that the consumer's sensitive data sold pursuant to the valid authorization
429	429	14.4may be subject to redisclosure by the purchaser and may no longer be protected by this
430	430	14.5section;
431	431	14.6 (8) an expiration date for the valid authorization that expires one year from when the
432	432	14.7consumer signs the valid authorization; and
433	433	14.8 (9) the signature of the consumer and date.
434	434	14.9 (c) An authorization is not valid if the document has any of the following defects:
435	435	14.10 (1) the expiration date has passed;
436	436	14.11 (2) the authorization does not contain all of the information required under this
437	437	14.12subdivision;
438	438	14.13 (3) the authorization has been revoked by the consumer;
439	439	14.14 (4) the authorization has been combined with other documents to create a compound
440	440	14.15authorization; or
441	441	14.16 (5) the provision of goods or services to the consumer is conditioned on the consumer
442	442	14.17signing the authorization.
443	443	14.18 (d) A copy of the signed valid authorization must be provided to the consumer.
444	444	14.19 (e) The seller and purchaser of the sensitive data must retain a copy of all valid
445	445	14.20authorizations for sale of sensitive data for six years from the date of its signature or the
446	446	14.21date when it was last in effect, whichever is later.
447	447	14.22Sec. 5. [325M.178] GEOFENCE RESTRICTIONS.
448	448	14.23 It is unlawful for any person to implement a geofence around an entity that provides
449	449	14.24in-person health care services or supplies where the geofence is used to:
450	450	14.25 (1) identify or track a consumer seeking health care services or supplies;
451	451	14.26 (2) collect health data from a consumer; or
452	452	14.27 (3) send notifications, messages, or advertisements to a consumer related to the
453	453	14.28consumer's health data or health care services or supplies.
454	454	14Sec. 5.
455	455	REVISOR VH/HL 25-0404303/11/25 15.1 Sec. 6. Minnesota Statutes 2024, section 325M.18, is amended to read:
456	456	15.2 325M.18 DATA PRIVACY POLICIES; DATA PRIVACY AND PROTECTION
457	457	15.3ASSESSMENTS.
458	458	15.4 (a) A controller must document and maintain a description of the policies and procedures
459	459	15.5the controller has adopted to comply with sections 325M.10 to 325M.21. The description
460	460	15.6must include, where applicable:
461	461	15.7 (1) the name and contact information for the controller's chief privacy officer or other
462	462	15.8individual with primary responsibility for directing the policies and procedures implemented
463	463	15.9to comply with the provisions of sections 325M.10 to 325M.21; and
464	464	15.10 (2) a description of the controller's data privacy policies and procedures which reflect
465	465	15.11the requirements in section sections 325M.16 and, where applicable, 325M.175, and any
466	466	15.12policies and procedures designed to:
467	467	15.13 (i) reflect the requirements of sections 325M.10 to 325M.21 in the design of the
468	468	15.14controller's systems;
469	469	15.15 (ii) identify and provide personal data to a consumer as required by sections 325M.10
470	470	15.16to 325M.21;
471	471	15.17 (iii) establish, implement, and maintain reasonable administrative, technical, and physical
472	472	15.18data security practices to protect the confidentiality, integrity, and accessibility of personal
473	473	15.19data, including the maintenance of an inventory of the data that must be managed to exercise
474	474	15.20the responsibilities under this item;
475	475	15.21 (iv) limit the collection of personal data to what is adequate, relevant, and reasonably
476	476	15.22necessary in relation to the purposes for which the data are processed;
477	477	15.23 (v) prevent the retention of personal data that is no longer relevant and reasonably
478	478	15.24necessary in relation to the purposes for which the data were collected and processed, unless
479	479	15.25retention of the data is otherwise required by law or permitted under section 325M.19; and
480	480	15.26 (vi) identify and remediate violations of sections 325M.10 to 325M.21.
481	481	15.27 (b) A controller must conduct and document a data privacy and protection assessment
482	482	15.28for each of the following processing activities involving personal data:
483	483	15.29 (1) the processing of personal data for purposes of targeted advertising;
484	484	15.30 (2) the sale of personal data;
485	485	15.31 (3) the processing, sharing, or sale of sensitive data;
486	486	15Sec. 6.
487	487	REVISOR VH/HL 25-0404303/11/25 16.1 (4) any processing activities involving personal data that present a heightened risk of
488	488	16.2harm to consumers; and
489	489	16.3 (5) the processing of personal data for purposes of profiling, where the profiling presents
490	490	16.4a reasonably foreseeable risk of:
491	491	16.5 (i) unfair or deceptive treatment of, or disparate impact on, consumers;
492	492	16.6 (ii) financial, physical, or reputational injury to consumers;
493	493	16.7 (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or
494	494	16.8concerns, of consumers, where the intrusion would be offensive to a reasonable person; or
495	495	16.9 (iv) other substantial injury to consumers.
496	496	16.10 (c) A data privacy and protection assessment must take into account the type of personal
497	497	16.11data to be processed by the controller, including the extent to which the personal data are
498	498	16.12sensitive data, and the context in which the personal data are to be processed.
499	499	16.13 (d) A data privacy and protection assessment must identify and weigh the benefits that
500	500	16.14may flow directly and indirectly from the processing to the controller, consumer, other
501	501	16.15stakeholders, and the public against the potential risks to the rights of the consumer associated
502	502	16.16with the processing, as mitigated by safeguards that can be employed by the controller to
503	503	16.17reduce the potential risks. The use of deidentified data and the reasonable expectations of
504	504	16.18consumers, as well as the context of the processing and the relationship between the controller
505	505	16.19and the consumer whose personal data will be processed, must be factored into this
506	506	16.20assessment by the controller.
507	507	16.21 (e) A data privacy and protection assessment must include the description of policies
508	508	16.22and procedures required by paragraph (a).
509	509	16.23 (f) As part of a civil investigative demand, the attorney general may request, in writing,
510	510	16.24that a controller disclose any data privacy and protection assessment that is relevant to an
511	511	16.25investigation conducted by the attorney general. The controller must make a data privacy
512	512	16.26and protection assessment available to the attorney general upon a request made under this
513	513	16.27paragraph. The attorney general may evaluate the data privacy and protection assessments
514	514	16.28for compliance with sections 325M.10 to 325M.21. Data privacy and protection assessments
515	515	16.29are classified as nonpublic data, as defined by section 13.02, subdivision 9. The disclosure
516	516	16.30of a data privacy and protection assessment pursuant to a request from the attorney general
517	517	16.31under this paragraph does not constitute a waiver of the attorney-client privilege or work
518	518	16.32product protection with respect to the assessment and any information contained in the
519	519	16.33assessment.
520	520	16Sec. 6.
521	521	REVISOR VH/HL 25-0404303/11/25 17.1 (g) Data privacy and protection assessments or risk assessments conducted by a controller
522	522	17.2for the purpose of compliance with other laws or regulations may qualify under this section
523	523	17.3if the assessments have a similar scope and effect.
524	524	17.4 (h) A single data protection assessment may address multiple sets of comparable
525	525	17.5processing operations that include similar activities.
526	526	17.6 Sec. 7. Minnesota Statutes 2024, section 325M.20, is amended to read:
527	527	17.7 325M.20 ATTORNEY GENERAL ENFORCEMENT .
528	528	17.8 (a) In the event that a controller or processor violates sections 325M.10 to 325M.21, the
529	529	17.9attorney general, prior to filing an enforcement action under paragraph (b), must provide
530	530	17.10the controller or processor with a warning letter identifying the specific provisions of sections
531	531	17.11325M.10 to 325M.21 the attorney general alleges have been or are being violated. If, after
532	532	17.1230 days of issuance of the warning letter, the attorney general believes the controller or
533	533	17.13processor has failed to cure any alleged violation, the attorney general may bring an
534	534	17.14enforcement action under paragraph (b). This paragraph expires January 31, 2026.
535	535	17.15 (b) The attorney general may bring a civil action against a controller or processor to
536	536	17.16enforce a provision of sections 325M.10 to 325M.21 in accordance with section 8.31. If the
537	537	17.17state prevails in an action to enforce sections 325M.10 to 325M.21, the state may, in addition
538	538	17.18to penalties provided by paragraph (c) or other remedies provided by law, be allowed an
539	539	17.19amount determined by the court to be the reasonable value of all or part of the state's litigation
540	540	17.20expenses incurred.
541	541	17.21 (c) Any controller or processor that violates sections 325M.10 to 325M.21 is subject to
542	542	17.22an injunction and liable for a civil penalty of not more than $7,500 for each violation.
543	543	17.23 (d) Nothing in sections 325M.10 to 325M.21 establishes a private right of action,
544	544	17.24including under section 8.31, subdivision 3a, for a violation of sections 325M.10 to 325M.21
545	545	17.25or any other law.
546	546	17.26 (e) A person that violates an applicable provision of sections 325M.10 to 325M.21, but
547	547	17.27that is not a controller or processor, is subject to enforcement by the attorney general under
548	548	17.28this section as if the person were a controller or processor.
549	549	17.29Sec. 8. REPEALER.
550	550	17.30 Minnesota Statutes 2024, section 325M.17, is repealed.
551	551	17Sec. 8.
552	552	REVISOR VH/HL 25-0404303/11/25 18.1 Sec. 9. EFFECTIVE DATE.
553	553	18.2 This act is effective July 31, 2025, except that postsecondary institutions regulated by
554	554	18.3the Office of Higher Education are not required to comply with this act until July 31, 2029.
555	555	18Sec. 9.
556	556	REVISOR VH/HL 25-0404303/11/25 325M.17 REQUIREMENTS FOR SMALL BUSINESSES.
557	557	(a) A small business, as defined by the United States Small Business Administration under Code
558	558	of Federal Regulations, title 13, part 121, that conducts business in Minnesota or produces products
559	559	or services that are targeted to residents of Minnesota, must not sell a consumer's sensitive data
560	560	without the consumer's prior consent.
561	561	(b) Penalties and attorney general enforcement procedures under section 325M.20 apply to a
562	562	small business that violates this section.
563	563	1R
564	564	APPENDIX
565	565	Repealed Minnesota Statutes: 25-04043