1.1 A bill for an act
1.2 relating to consumer protection; modifying the Minnesota Consumer Data Privacy
1.3 Act to make consumer health data a form of sensitive data; adding additional
1.4 protections for sensitive data; amending Minnesota Statutes 2024, sections
1.5 325M.11; 325M.12; 325M.16, subdivision 2; 325M.18; 325M.20; proposing coding
1.6 for new law in Minnesota Statutes, chapter 325M; repealing Minnesota Statutes
1.7 2024, section 325M.17.
1.8BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
1.9 Section 1. Minnesota Statutes 2024, section 325M.11, is amended to read:
1.10 325M.11 DEFINITIONS.
1.11 (a) For purposes of sections 325M.10 to 325M.21, the following terms have the meanings
1.12given.
1.13 (b) "Affiliate" means a legal entity that controls, is controlled by, or is under common
1.14control with another legal entity. For purposes of this paragraph, "control" or "controlled"
1.15means: ownership of or the power to vote more than 50 percent of the outstanding shares
1.16of any class of voting security of a company; control in any manner over the election of a
1.17majority of the directors or of individuals exercising similar functions; or the power to
1.18exercise a controlling influence over the management of a company.
1.19 (c) "Authenticate" means to use reasonable means to determine that a request to exercise
1.20any of the rights under section 325M.14, subdivision 1, paragraphs (b) to (h), is being made
1.21by or rightfully on behalf of the consumer who is entitled to exercise the rights with respect
1.22to the personal data at issue.
1.23 (d) "Biometric data" means data generated by automatic measurements of an individual's
1.24biological characteristics, including a fingerprint, a voiceprint, eye retinas, irises, or other
1Section 1.
REVISOR VH/HL 25-0404303/11/25
State of Minnesota
This Document can be made available
in alternative formats upon request
HOUSE OF REPRESENTATIVES
H. F. No. 2700
NINETY-FOURTH SESSION
Authored by Elkins, Scott, Feist, Smith, Bahner and others03/24/2025
The bill was read for the first time and referred to the Committee on Judiciary Finance and Civil Law 2.1unique biological patterns or characteristics that are used to identify a specific individual.
2.2Biometric data does not include:
2.3 (1) a digital or physical photograph;
2.4 (2) an audio or video recording; or
2.5 (3) any data generated from a digital or physical photograph, or an audio or video
2.6recording, unless the data is generated to identify a specific individual.
2.7 (e) "Child" has the meaning given in United States Code, title 15, section 6501.
2.8 (f) "Consent" means any freely given, specific, informed, and unambiguous indication
2.9of the consumer's wishes by which the consumer signifies agreement to the processing of
2.10personal data relating to the consumer. Acceptance of a general or broad terms of use or
2.11similar document that contains descriptions of personal data processing along with other,
2.12unrelated information does not constitute consent. Hovering over, muting, pausing, or closing
2.13a given piece of content does not constitute consent. A consent is not valid when the
2.14consumer's indication has been obtained by a dark pattern. A consumer may revoke consent
2.15previously given, consistent with sections 325M.10 to 325M.21.
2.16 (g) "Consumer" means a natural person who is a Minnesota resident acting only in an
2.17individual or household context. Consumer does not include a natural person acting in a
2.18commercial or employment context.
2.19 (h) "Controller" means the natural or legal person who, alone or jointly with others,
2.20determines the purposes and means of the processing of personal data.
2.21 (i) "Decisions that produce legal or similarly significant effects concerning the consumer"
2.22means decisions made by the controller that result in the provision or denial by the controller
2.23of financial or lending services, housing, insurance, education enrollment or opportunity,
2.24criminal justice, employment opportunities, health care services, or access to essential goods
2.25or services.
2.26 (j) "Dark pattern" means a user interface designed or manipulated with the substantial
2.27effect of subverting or impairing user autonomy, decision making, or choice.
2.28 (k) "Deidentified data" means data that cannot reasonably be used to infer information
2.29about or otherwise be linked to an identified or identifiable natural person or a device linked
2.30to an identified or identifiable natural person, provided that the controller that possesses the
2.31data:
2Section 1.
REVISOR VH/HL 25-0404303/11/25 3.1 (1) takes reasonable measures to ensure that the data cannot be associated with a natural
3.2person;
3.3 (2) publicly commits to process the data only in a deidentified fashion and not attempt
3.4to reidentify the data; and
3.5 (3) contractually obligates any recipients of the information to comply with all provisions
3.6of this paragraph.
3.7 (l) "Delete" means to remove or destroy information so that it is not maintained in human-
3.8or machine-readable form and cannot be retrieved or utilized in the ordinary course of
3.9business.
3.10 (m) "Genetic information" has the meaning given in section 13.386, subdivision 1.
3.11 (n) "Geofence" means technology that uses global positioning coordinates, cell tower
3.12connectivity, cellular data, radio frequency identification, Wi-Fi data, or any other form of
3.13spatial or location detection to establish a virtual boundary, with an accuracy of more than
3.14three decimal degrees of latitude and longitude or the equivalent in an alternative geographic
3.15coordinate system, around the perimeter of a specific physical location or to locate a
3.16consumer within the virtual boundary.
3.17 (o) "Health care services or supplies" means any service, surgery, procedure, treatment,
3.18or product, including medication or medical devices, that a person may use to assess,
3.19measure, improve, or learn about a person's past, present, or future mental or physical health.
3.20 (p) "Health data" means personal data that identifies a consumer's past, present, or future
3.21mental or physical health status. For purposes of this definition, mental or physical health
3.22status includes but is not limited to:
3.23 (1) individual health conditions, treatments, diseases, or diagnoses;
3.24 (2) social, psychological, behavioral, and medical interventions;
3.25 (3) health-related surgeries or procedures;
3.26 (4) use or purchase of medication;
3.27 (5) bodily functions, vital signs, symptoms, or measurements of the information described
3.28in this paragraph;
3.29 (6) diagnoses or diagnostic testing, treatment, or medication;
3.30 (7) biometric data;
3.31 (8) genetic information;
3Section 1.
REVISOR VH/HL 25-0404303/11/25 4.1 (9) specific geolocation data that could reasonably indicate a consumer's seeking or
4.2obtaining past, present, or future health care services or supplies;
4.3 (10) data that identifies a consumer's seeking or obtaining health care services or supplies
4.4in the past, present, or future;
4.5 (11) data that identifies a consumer's seeking or obtaining information about health care
4.6services or supplies in the past, present, or future; or
4.7 (12) any information that is derived or extrapolated from personal data but that is not
4.8itself health data that a controller or processor uses by any means, including algorithms,
4.9machine learning, or profiling, to associate or identify a consumer with the data described
4.10in clauses (1) to (11), such as proxy, derivative, inferred, or emergent data.
4.11 (n) (q) "Identified or identifiable natural person" means a person who can be readily
4.12identified, directly or indirectly.
4.13 (o) (r) "Known child" means a person under circumstances where a controller has actual
4.14knowledge of, or willfully disregards, that the person is under 13 years of age.
4.15 (p) (s) "Personal data" means any information that is linked or reasonably linkable to
4.16an identified or identifiable natural person. Personal data does not include deidentified data
4.17or publicly available information. For purposes of this paragraph, "publicly available
4.18information" means information that (1) is lawfully made available from federal, state, or
4.19local government records or widely distributed media, or (2) a controller has a reasonable
4.20basis to believe has lawfully been made available to the general public.
4.21 (q) (t) "Process" or "processing" means any operation or set of operations that are
4.22performed on personal data or on sets of personal data, whether or not by automated means,
4.23including but not limited to the collection, use, storage, disclosure, analysis, deletion, or
4.24modification of personal data.
4.25 (r) (u) "Processor" means a natural or legal person who processes personal data on behalf
4.26of a controller.
4.27 (s) (v) "Profiling" means any form of automated processing of personal data to evaluate,
4.28analyze, or predict personal aspects related to an identified or identifiable natural person's
4.29economic situation, health, personal preferences, interests, reliability, behavior, location,
4.30or movements.
4.31 (t) (w) "Pseudonymous data" means personal data that cannot be attributed to a specific
4.32natural person without the use of additional information, provided that the additional
4.33information is kept separately and is subject to appropriate technical and organizational
4Section 1.
REVISOR VH/HL 25-0404303/11/25 5.1measures to ensure that the personal data are not attributed to an identified or identifiable
5.2natural person.
5.3 (u) (x) "Sale," "sell," or "sold" means the exchange of personal data for monetary or
5.4other valuable consideration by the controller to a third party. Sale does not include sharing
5.5as defined in this section. Sale does not include the following:
5.6 (1) the disclosure of personal data to a processor who processes the personal data on
5.7behalf of the controller;
5.8 (2) the disclosure of personal data to a third party for purposes of providing a product
5.9or service requested by the consumer;
5.10 (3) the disclosure or transfer of personal data to an affiliate of the controller;
5.11 (4) the disclosure of information that the consumer intentionally made available to the
5.12general public via a channel of mass media and did not restrict to a specific audience;
5.13 (5) the disclosure or transfer of personal data to a third party as an asset that is part of a
5.14completed or proposed merger, acquisition, bankruptcy, or other transaction in which the
5.15third party assumes control of all or part of the controller's assets; or
5.16 (6) the exchange of personal data between the producer of a good or service and
5.17authorized agents of the producer who sell and service the goods and services, to enable
5.18the cooperative provisioning of goods and services by both the producer and the producer's
5.19agents.
5.20 (v) (y) Sensitive data is a form of personal data. "Sensitive data" means:
5.21 (1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical
5.22health condition or diagnosis, sexual orientation, or citizenship or immigration status;
5.23 (2) the processing of biometric data or genetic information for the purpose of uniquely
5.24identifying an individual;
5.25 (3) the personal data of a known child; or
5.26 (4) specific geolocation data; or
5.27 (5) health data.
5.28 (z) "Share" or "sharing" means to release, disclose, disseminate, divulge, make available,
5.29provide access to, license, or otherwise communicate orally, in writing, or by electronic or
5.30other means, personal data. Share includes selling as defined in this section. Sharing does
5.31not include:
5Section 1.
REVISOR VH/HL 25-0404303/11/25 6.1 (1) the disclosure of personal data by a controller to a processor when the sharing is to
6.2provide goods or services in a manner consistent with the purpose for which the health data
6.3was collected and that was disclosed to the consumer;
6.4 (2) the disclosure of personal data to a third party with whom the consumer has a direct
6.5relationship when:
6.6 (i) the disclosure is for purposes of providing a product or service requested by the
6.7consumer;
6.8 (ii) the controller or processor maintains control and ownership of the data; and
6.9 (iii) the third party uses the personal data only as directed by the controller or processor
6.10and consistent with the purpose consented to by the consumer; or
6.11 (3) the disclosure or transfer of personal data to a third party as an asset that is part of a
6.12merger, acquisition, bankruptcy, or other transaction in which the third party assumes control
6.13of all or part of the controller's or processor's assets and complies with the requirements
6.14and obligations in this chapter.
6.15 (w) (aa) "Specific geolocation data" means information derived from technology,
6.16including but not limited to global positioning system level latitude and longitude coordinates
6.17or other mechanisms, that directly identifies the geographic coordinates of a consumer or
6.18a device linked to a consumer with an accuracy of more than three decimal degrees of
6.19latitude and longitude or the equivalent in an alternative geographic coordinate system, or
6.20a street address derived from the coordinates. Specific geolocation data does not include
6.21the content of communications, the contents of databases containing street address
6.22information which are accessible to the public as authorized by law, or any data generated
6.23by or connected to advanced utility metering infrastructure systems or other equipment for
6.24use by a public utility.
6.25 (x) (bb) "Targeted advertising" means displaying advertisements to a consumer where
6.26the advertisement is selected based on personal data obtained or inferred from the consumer's
6.27activities over time and across nonaffiliated websites or online applications to predict the
6.28consumer's preferences or interests. Targeted advertising does not include:
6.29 (1) advertising based on activities within a controller's own websites or online
6.30applications;
6.31 (2) advertising based on the context of a consumer's current search query or visit to a
6.32website or online application;
6Section 1.
REVISOR VH/HL 25-0404303/11/25 7.1 (3) advertising to a consumer in response to the consumer's request for information or
7.2feedback; or
7.3 (4) processing personal data solely for measuring or reporting advertising performance,
7.4reach, or frequency.
7.5 (y) (cc) "Third party" means a natural or legal person, public authority, agency, or body
7.6other than the consumer, controller, processor, or an affiliate of the processor or the controller.
7.7 (z) (dd) "Trade secret" has the meaning given in section 325C.01, subdivision 5.
7.8 Sec. 2. Minnesota Statutes 2024, section 325M.12, is amended to read:
7.9 325M.12 SCOPE; EXCLUSIONS.
7.10 Subdivision 1.Scope.(a) Except as specified under section 325M.175, sections 325M.10
7.11to 325M.21 apply to legal entities that conduct business in Minnesota or produce products
7.12or services that are targeted to residents of Minnesota, and that satisfy one or more of the
7.13following thresholds:
7.14 (1) during a calendar year, controls or processes personal data of 100,000 consumers or
7.15more, excluding personal data controlled or processed solely for the purpose of completing
7.16a payment transaction; or
7.17 (2) derives over 25 percent of gross revenue from the sale of personal data and processes
7.18or controls personal data of 25,000 consumers or more.
7.19 (b) A controller or processor acting as a technology provider under section 13.32 shall
7.20comply with sections 13.32 and 325M.10 to 325M.21, except that when the provisions of
7.21section 13.32 conflict with sections 325M.10 to 325M.21, section 13.32 prevails.
7.22 Subd. 2.Exclusions.(a) Sections 325M.10 to 325M.21 do not apply to the following
7.23entities, activities, or types of information:
7.24 (1) a government entity, as defined by section 13.02, subdivision 7a;
7.25 (2) a federally recognized Indian tribe;
7.26 (3) information that meets the definition of:
7.27 (i) protected health information, as defined by and for purposes of the Health Insurance
7.28Portability and Accountability Act of 1996, Public Law 104-191, and related regulations,
7.29if it is maintained by a covered entity or business associate subject to that law and its related
7.30regulations;
7Sec. 2.
REVISOR VH/HL 25-0404303/11/25 8.1 (ii) health records, as defined in section 144.291, subdivision 2, if it is maintained by a
8.2provider or other entity subject to the Minnesota Health Records Act;
8.3 (iii) patient identifying information for purposes of Code of Federal Regulations, title
8.442, part 2, established pursuant to United States Code, title 42, section 290dd-2;
8.5 (iv) identifiable private information for purposes of the federal policy for the protection
8.6of human subjects, Code of Federal Regulations, title 45, part 46; identifiable private
8.7information that is otherwise information collected as part of human subjects research
8.8pursuant to the good clinical practice guidelines issued by the International Council for
8.9Harmonisation; the protection of human subjects under Code of Federal Regulations, title
8.1021, parts 50 and 56; or personal data used or shared in research conducted in accordance
8.11with one or more of the requirements set forth in this paragraph;
8.12 (v) information and documents created for purposes of the federal Health Care Quality
8.13Improvement Act of 1986, Public Law 99-660, and related regulations; or
8.14 (vi) patient safety work product for purposes of Code of Federal Regulations, title 42,
8.15part 3, established pursuant to United States Code, title 42, sections 299b-21 to 299b-26;
8.16 (4) information that is derived from any of the health care-related information listed in
8.17clause (3), but that has been deidentified in accordance with the requirements for
8.18deidentification set forth in Code of Federal Regulations, title 45, part 164;
8.19 (5) information originating from, and intermingled to be indistinguishable with, any of
8.20the health care-related information listed in clause (3) that is maintained by:
8.21 (i) a covered entity or business associate, as defined by the Health Insurance Portability
8.22and Accountability Act of 1996, Public Law 104-191, and related regulations;
8.23 (ii) a health care provider, as defined in section 144.291, subdivision 2; or
8.24 (iii) a program or a qualified service organization, as defined by Code of Federal
8.25Regulations, title 42, part 2, established pursuant to United States Code, title 42, section
8.26290dd-2;
8.27 (6) information that is:
8.28 (i) maintained by an entity that meets the definition of health care provider under Code
8.29of Federal Regulations, title 45, section 160.103, to the extent that the entity maintains the
8.30information in the manner required of covered entities with respect to protected health
8.31information for purposes of the Health Insurance Portability and Accountability Act of
8.321996, Public Law 104-191, and related regulations;
8Sec. 2.
REVISOR VH/HL 25-0404303/11/25 9.1 (ii) included in a limited data set, as described under Code of Federal Regulations, title
9.245, part 164.514(e), to the extent that the information is used, disclosed, and maintained in
9.3the manner specified by that part;
9.4 (iii) maintained by, or maintained to comply with the rules or orders of, a self-regulatory
9.5organization as defined by United States Code, title 15, section 78c(a)(26);
9.6 (iv) originated from, or intermingled with, information described in clause (9) and that
9.7a licensed residential mortgage originator, as defined under section 58.02, subdivision 19,
9.8or residential mortgage servicer, as defined under section 58.02, subdivision 20, collects,
9.9processes, uses, or maintains in the same manner as required under the laws and regulations
9.10specified in clause (9); or
9.11 (v) originated from, or intermingled with, information described in clause (9) and that
9.12a nonbank financial institution, as defined by section 46A.01, subdivision 12, collects,
9.13processes, uses, or maintains in the same manner as required under the laws and regulations
9.14specified in clause (9);
9.15 (7) information used only for public health activities and purposes, as described under
9.16Code of Federal Regulations, title 45, part 164.512;
9.17 (8) an activity involving the collection, maintenance, disclosure, sale, communication,
9.18or use of any personal data bearing on a consumer's credit worthiness, credit standing, credit
9.19capacity, character, general reputation, personal characteristics, or mode of living by a
9.20consumer reporting agency, as defined in United States Code, title 15, section 1681a(f), by
9.21a furnisher of information, as set forth in United States Code, title 15, section 1681s-2, who
9.22provides information for use in a consumer report, as defined in United States Code, title
9.2315, section 1681a(d), and by a user of a consumer report, as set forth in United States Code,
9.24title 15, section 1681b, except that information is only excluded under this paragraph to the
9.25extent that the activity involving the collection, maintenance, disclosure, sale, communication,
9.26or use of the information by the agency, furnisher, or user is subject to regulation under the
9.27federal Fair Credit Reporting Act, United States Code, title 15, sections 1681 to 1681x, and
9.28the information is not collected, maintained, used, communicated, disclosed, or sold except
9.29as authorized by the Fair Credit Reporting Act;
9.30 (9) personal data collected, processed, sold, or disclosed pursuant to the federal
9.31Gramm-Leach-Bliley Act, Public Law 106-102, and implementing regulations, if the
9.32collection, processing, sale, or disclosure is in compliance with that law;
9Sec. 2.
REVISOR VH/HL 25-0404303/11/25 10.1 (10) personal data collected, processed, sold, or disclosed pursuant to the federal Driver's
10.2Privacy Protection Act of 1994, United States Code, title 18, sections 2721 to 2725, if the
10.3collection, processing, sale, or disclosure is in compliance with that law;
10.4 (11) personal data regulated by the federal Family Educational Rights and Privacy Act,
10.5United States Code, title 20, section 1232g, and implementing regulations;
10.6 (12) personal data collected, processed, sold, or disclosed pursuant to the federal Farm
10.7Credit Act of 1971, as amended, United States Code, title 12, sections 2001 to 2279cc, and
10.8implementing regulations, Code of Federal Regulations, title 12, part 600, if the collection,
10.9processing, sale, or disclosure is in compliance with that law;
10.10 (13) data collected or maintained:
10.11 (i) in the course of an individual acting as a job applicant to or an employee, owner,
10.12director, officer, medical staff member, or contractor of a business if the data is collected
10.13and used solely within the context of the role;
10.14 (ii) as the emergency contact information of an individual under item (i) if used solely
10.15for emergency contact purposes; or
10.16 (iii) that is necessary for the business to retain to administer benefits for another individual
10.17relating to the individual under item (i) if used solely for the purposes of administering those
10.18benefits;
10.19 (14) personal data collected, processed, sold, or disclosed pursuant to the Minnesota
10.20Insurance Fair Information Reporting Act in sections 72A.49 to 72A.505;
10.21 (15) data collected, processed, sold, or disclosed as part of a payment-only credit, check,
10.22or cash transaction where no data about consumers, as defined in section 325M.11, are
10.23retained;
10.24 (16) a state or federally chartered bank or credit union, or an affiliate or subsidiary that
10.25is principally engaged in financial activities, as described in United States Code, title 12,
10.26section 1843(k);
10.27 (17) information that originates from, or is intermingled so as to be indistinguishable
10.28from, information described in clause (8) and that a person licensed under chapter 56 collects,
10.29processes, uses, or maintains in the same manner as is required under the laws and regulations
10.30specified in clause (8);
10.31 (18) an insurance company, as defined in section 60A.02, subdivision 4, an insurance
10.32producer, as defined in section 60K.31, subdivision 6, a third-party administrator of
10Sec. 2.
REVISOR VH/HL 25-0404303/11/25 11.1self-insurance, or an affiliate or subsidiary of any entity identified in this clause that is
11.2principally engaged in financial activities, as described in United States Code, title 12,
11.3section 1843(k), except that this clause does not apply to a person that, alone or in
11.4combination with another person, establishes and maintains a self-insurance program that
11.5does not otherwise engage in the business of entering into policies of insurance;
11.6 (19) a small business, as defined by the United States Small Business Administration
11.7under Code of Federal Regulations, title 13, part 121, except that a small business identified
11.8in this clause is subject to section 325M.17;
11.9 (20) (19) a nonprofit organization that is established to detect and prevent fraudulent
11.10acts in connection with insurance; and
11.11 (21) (20) an air carrier subject to the federal Airline Deregulation Act, Public Law
11.1295-504, only to the extent that an air carrier collects personal data related to prices, routes,
11.13or services and only to the extent that the provisions of the Airline Deregulation Act preempt
11.14the requirements of sections 325M.10 to 325M.21.
11.15 (b) Controllers that are in compliance with the Children's Online Privacy Protection Act,
11.16United States Code, title 15, sections 6501 to 6506, and implementing regulations, shall be
11.17deemed compliant with any obligation to obtain parental consent under sections 325M.10
11.18to 325M.21 section 325M.16, subdivision 2, paragraph (g).
11.19Sec. 3. Minnesota Statutes 2024, section 325M.16, subdivision 2, is amended to read:
11.20 Subd. 2.Use of data.(a) A controller must limit the collection of personal data to what
11.21is adequate, relevant, and reasonably necessary in relation to the purposes for which the
11.22data are processed, which must be disclosed to the consumer.
11.23 (b) Except as provided in sections 325M.10 to 325M.21, a controller may not process
11.24personal data for purposes that are not reasonably necessary to, or compatible with, the
11.25purposes for which the personal data are processed, as disclosed to the consumer, unless
11.26the controller obtains the consumer's consent.
11.27 (c) A controller shall establish, implement, and maintain reasonable administrative,
11.28technical, and physical data security practices to protect the confidentiality, integrity, and
11.29accessibility of personal data, including the maintenance of an inventory of the data that
11.30must be managed to exercise these responsibilities. The data security practices shall be
11.31appropriate to the volume and nature of the personal data at issue.
11.32 (d) Except as otherwise provided in sections 325M.10 to 325M.21, A controller may
11.33not process sensitive data concerning a consumer without obtaining the consumer's consent,
11Sec. 3.
REVISOR VH/HL 25-0404303/11/25 12.1or, in the case of the processing of except with the consumer's consent to the processing for
12.2a specified purpose.
12.3 (e) A controller may not share a consumer's sensitive data with any party other than the
12.4consumer except with the consumer's consent to the specified sharing.
12.5 (f) A consumer's consent to share sensitive data under paragraph (e) must be separate
12.6and distinct from a consumer's consent to process the consumer's health data under paragraph
12.7(d). A consent under this subdivision must be obtained prior to the processing or sharing,
12.8as applicable, of the sensitive data. Any request for consent under this subdivision must
12.9clearly and conspicuously disclose:
12.10 (1) the categories of sensitive data processed or shared, as applicable;
12.11 (2) the purpose of the processing or sharing, as applicable, of the sensitive data, including
12.12the specific ways in which it will be used;
12.13 (3) the categories of entities with which the sensitive data is shared; and
12.14 (4) how the consumer can withdraw consent from future processing or sharing of the
12.15consumer's sensitive data.
12.16 (g) A controller may not process personal data concerning a known child, without
12.17obtaining consent from the child's parent or lawful guardian, in accordance with the
12.18requirement of the Children's Online Privacy Protection Act, United States Code, title 15,
12.19sections 6501 to 6506, and its implementing regulations, rules, and exemptions.
12.20 (e) (h) A controller shall provide an effective mechanism for a consumer, or, in the case
12.21of the processing of personal data concerning a known child, the child's parent or lawful
12.22guardian, to revoke previously given consent under this subdivision. The mechanism provided
12.23shall be at least as easy as the mechanism by which the consent was previously given. Upon
12.24revocation of consent, a controller shall cease to process the applicable data as soon as
12.25practicable, but not later than 15 days after the receipt of the request.
12.26 (f) (i) A controller may not process the personal data of a consumer for purposes of
12.27targeted advertising, or sell the consumer's personal data, without the consumer's consent,
12.28under circumstances where the controller knows that the consumer is between the ages of
12.2913 and 16.
12.30 (g) (j) A controller may not retain personal data that is no longer relevant and reasonably
12.31necessary in relation to the purposes for which the data were collected and processed, unless
12.32retention of the data is otherwise required by law or permitted under section 325M.19.
12Sec. 3.
REVISOR VH/HL 25-0404303/11/25 13.1 Sec. 4. [325M.175] REQUIREMENTS FOR THE SALE OF SENSITIVE DATA.
13.2 Subdivision 1.Scope; exclusions.(a) Notwithstanding section 325M.12, subdivision
13.31, a legal entity must comply with sections 325M.10 to 325M.21 as if it were a controller
13.4or processor if that legal entity:
13.5 (1) conducts business in Minnesota or produces products or services that are targeted to
13.6residents of Minnesota; and
13.7 (2) is a controller or processor of sensitive data.
13.8 (b) The requirements and restrictions specific to sensitive data in this section are in
13.9addition to the requirements and restrictions in sections 325M.10 to 325M.21 for personal
13.10data generally, including the requirements for sensitive data under section 325M.16,
13.11subdivision 2, paragraphs (d) to (f).
13.12 (c) The exclusions in section 325M.12, subdivision 2, apply to this section.
13.13 Subd. 2.Requirements specific to the sale of sensitive data.(a) It is unlawful for any
13.14person to sell or offer to sell a consumer's sensitive data without first obtaining valid
13.15authorization from the consumer. The sale of a consumer's sensitive data must be consistent
13.16with the valid authorization signed by the consumer. This authorization must be separate
13.17and distinct from a consent obtained by a controller to process or share sensitive data under
13.18section 325M.16, subdivision 2, paragraphs (d) to (f).
13.19 (b) A valid authorization to sell a consumer's sensitive data is a document consistent
13.20with this subdivision and must be written in plain language. A valid authorization to sell a
13.21consumer's sensitive data must contain the following:
13.22 (1) the specific sensitive data, concerning the specific consumer, that the person intends
13.23to sell;
13.24 (2) the name and contact information of the person collecting and selling the sensitive
13.25data;
13.26 (3) the name and contact information of the person purchasing the sensitive data from
13.27the seller identified in clause (2);
13.28 (4) a description of the purpose for the sale, including how the sensitive data will be
13.29gathered and how it will be used by the purchaser identified in clause (3) when sold;
13.30 (5) a statement that the provision of goods or services to the consumer may not be
13.31conditioned on the consumer signing the valid authorization;
13Sec. 4.
REVISOR VH/HL 25-0404303/11/25 14.1 (6) a statement that the consumer has a right to revoke the valid authorization at any
14.2time and a description of how to submit a revocation of the valid authorization;
14.3 (7) a statement that the consumer's sensitive data sold pursuant to the valid authorization
14.4may be subject to redisclosure by the purchaser and may no longer be protected by this
14.5section;
14.6 (8) an expiration date for the valid authorization that expires one year from when the
14.7consumer signs the valid authorization; and
14.8 (9) the signature of the consumer and date.
14.9 (c) An authorization is not valid if the document has any of the following defects:
14.10 (1) the expiration date has passed;
14.11 (2) the authorization does not contain all of the information required under this
14.12subdivision;
14.13 (3) the authorization has been revoked by the consumer;
14.14 (4) the authorization has been combined with other documents to create a compound
14.15authorization; or
14.16 (5) the provision of goods or services to the consumer is conditioned on the consumer
14.17signing the authorization.
14.18 (d) A copy of the signed valid authorization must be provided to the consumer.
14.19 (e) The seller and purchaser of the sensitive data must retain a copy of all valid
14.20authorizations for sale of sensitive data for six years from the date of its signature or the
14.21date when it was last in effect, whichever is later.
14.22Sec. 5. [325M.178] GEOFENCE RESTRICTIONS.
14.23 It is unlawful for any person to implement a geofence around an entity that provides
14.24in-person health care services or supplies where the geofence is used to:
14.25 (1) identify or track a consumer seeking health care services or supplies;
14.26 (2) collect health data from a consumer; or
14.27 (3) send notifications, messages, or advertisements to a consumer related to the
14.28consumer's health data or health care services or supplies.
14Sec. 5.
REVISOR VH/HL 25-0404303/11/25 15.1 Sec. 6. Minnesota Statutes 2024, section 325M.18, is amended to read:
15.2 325M.18 DATA PRIVACY POLICIES; DATA PRIVACY AND PROTECTION
15.3ASSESSMENTS.
15.4 (a) A controller must document and maintain a description of the policies and procedures
15.5the controller has adopted to comply with sections 325M.10 to 325M.21. The description
15.6must include, where applicable:
15.7 (1) the name and contact information for the controller's chief privacy officer or other
15.8individual with primary responsibility for directing the policies and procedures implemented
15.9to comply with the provisions of sections 325M.10 to 325M.21; and
15.10 (2) a description of the controller's data privacy policies and procedures which reflect
15.11the requirements in section sections 325M.16 and, where applicable, 325M.175, and any
15.12policies and procedures designed to:
15.13 (i) reflect the requirements of sections 325M.10 to 325M.21 in the design of the
15.14controller's systems;
15.15 (ii) identify and provide personal data to a consumer as required by sections 325M.10
15.16to 325M.21;
15.17 (iii) establish, implement, and maintain reasonable administrative, technical, and physical
15.18data security practices to protect the confidentiality, integrity, and accessibility of personal
15.19data, including the maintenance of an inventory of the data that must be managed to exercise
15.20the responsibilities under this item;
15.21 (iv) limit the collection of personal data to what is adequate, relevant, and reasonably
15.22necessary in relation to the purposes for which the data are processed;
15.23 (v) prevent the retention of personal data that is no longer relevant and reasonably
15.24necessary in relation to the purposes for which the data were collected and processed, unless
15.25retention of the data is otherwise required by law or permitted under section 325M.19; and
15.26 (vi) identify and remediate violations of sections 325M.10 to 325M.21.
15.27 (b) A controller must conduct and document a data privacy and protection assessment
15.28for each of the following processing activities involving personal data:
15.29 (1) the processing of personal data for purposes of targeted advertising;
15.30 (2) the sale of personal data;
15.31 (3) the processing, sharing, or sale of sensitive data;
15Sec. 6.
REVISOR VH/HL 25-0404303/11/25 16.1 (4) any processing activities involving personal data that present a heightened risk of
16.2harm to consumers; and
16.3 (5) the processing of personal data for purposes of profiling, where the profiling presents
16.4a reasonably foreseeable risk of:
16.5 (i) unfair or deceptive treatment of, or disparate impact on, consumers;
16.6 (ii) financial, physical, or reputational injury to consumers;
16.7 (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or
16.8concerns, of consumers, where the intrusion would be offensive to a reasonable person; or
16.9 (iv) other substantial injury to consumers.
16.10 (c) A data privacy and protection assessment must take into account the type of personal
16.11data to be processed by the controller, including the extent to which the personal data are
16.12sensitive data, and the context in which the personal data are to be processed.
16.13 (d) A data privacy and protection assessment must identify and weigh the benefits that
16.14may flow directly and indirectly from the processing to the controller, consumer, other
16.15stakeholders, and the public against the potential risks to the rights of the consumer associated
16.16with the processing, as mitigated by safeguards that can be employed by the controller to
16.17reduce the potential risks. The use of deidentified data and the reasonable expectations of
16.18consumers, as well as the context of the processing and the relationship between the controller
16.19and the consumer whose personal data will be processed, must be factored into this
16.20assessment by the controller.
16.21 (e) A data privacy and protection assessment must include the description of policies
16.22and procedures required by paragraph (a).
16.23 (f) As part of a civil investigative demand, the attorney general may request, in writing,
16.24that a controller disclose any data privacy and protection assessment that is relevant to an
16.25investigation conducted by the attorney general. The controller must make a data privacy
16.26and protection assessment available to the attorney general upon a request made under this
16.27paragraph. The attorney general may evaluate the data privacy and protection assessments
16.28for compliance with sections 325M.10 to 325M.21. Data privacy and protection assessments
16.29are classified as nonpublic data, as defined by section 13.02, subdivision 9. The disclosure
16.30of a data privacy and protection assessment pursuant to a request from the attorney general
16.31under this paragraph does not constitute a waiver of the attorney-client privilege or work
16.32product protection with respect to the assessment and any information contained in the
16.33assessment.
16Sec. 6.
REVISOR VH/HL 25-0404303/11/25 17.1 (g) Data privacy and protection assessments or risk assessments conducted by a controller
17.2for the purpose of compliance with other laws or regulations may qualify under this section
17.3if the assessments have a similar scope and effect.
17.4 (h) A single data protection assessment may address multiple sets of comparable
17.5processing operations that include similar activities.
17.6 Sec. 7. Minnesota Statutes 2024, section 325M.20, is amended to read:
17.7 325M.20 ATTORNEY GENERAL ENFORCEMENT .
17.8 (a) In the event that a controller or processor violates sections 325M.10 to 325M.21, the
17.9attorney general, prior to filing an enforcement action under paragraph (b), must provide
17.10the controller or processor with a warning letter identifying the specific provisions of sections
17.11325M.10 to 325M.21 the attorney general alleges have been or are being violated. If, after
17.1230 days of issuance of the warning letter, the attorney general believes the controller or
17.13processor has failed to cure any alleged violation, the attorney general may bring an
17.14enforcement action under paragraph (b). This paragraph expires January 31, 2026.
17.15 (b) The attorney general may bring a civil action against a controller or processor to
17.16enforce a provision of sections 325M.10 to 325M.21 in accordance with section 8.31. If the
17.17state prevails in an action to enforce sections 325M.10 to 325M.21, the state may, in addition
17.18to penalties provided by paragraph (c) or other remedies provided by law, be allowed an
17.19amount determined by the court to be the reasonable value of all or part of the state's litigation
17.20expenses incurred.
17.21 (c) Any controller or processor that violates sections 325M.10 to 325M.21 is subject to
17.22an injunction and liable for a civil penalty of not more than $7,500 for each violation.
17.23 (d) Nothing in sections 325M.10 to 325M.21 establishes a private right of action,
17.24including under section 8.31, subdivision 3a, for a violation of sections 325M.10 to 325M.21
17.25or any other law.
17.26 (e) A person that violates an applicable provision of sections 325M.10 to 325M.21, but
17.27that is not a controller or processor, is subject to enforcement by the attorney general under
17.28this section as if the person were a controller or processor.
17.29Sec. 8. REPEALER.
17.30 Minnesota Statutes 2024, section 325M.17, is repealed.
17Sec. 8.
REVISOR VH/HL 25-0404303/11/25 18.1 Sec. 9. EFFECTIVE DATE.
18.2 This act is effective July 31, 2025, except that postsecondary institutions regulated by
18.3the Office of Higher Education are not required to comply with this act until July 31, 2029.
18Sec. 9.
REVISOR VH/HL 25-0404303/11/25 325M.17 REQUIREMENTS FOR SMALL BUSINESSES.
(a) A small business, as defined by the United States Small Business Administration under Code
of Federal Regulations, title 13, part 121, that conducts business in Minnesota or produces products
or services that are targeted to residents of Minnesota, must not sell a consumer's sensitive data
without the consumer's prior consent.
(b) Penalties and attorney general enforcement procedures under section 325M.20 apply to a
small business that violates this section.
1R
APPENDIX
Repealed Minnesota Statutes: 25-04043