This bill amends the Minnesota Consumer Data Privacy Act to enhance protections for consumer health data by classifying it as sensitive data. It introduces key definitions, such as "health data" and "geofence," and specifies that sensitive data includes health data, biometric data, and genetic information. The bill outlines the conditions for obtaining consumer consent for data processing and clarifies consumer rights regarding their personal data. It also modifies the law's scope to apply to entities conducting business in Minnesota that meet certain thresholds for personal data processing, while excluding information governed by existing health privacy laws like HIPAA. Notably, the bill repeals section 325M.17, which previously set requirements for small businesses regarding the sale of consumer sensitive data.

Additionally, the bill establishes specific requirements for the sale of sensitive data, mandating that entities obtain clear and distinct authorization from consumers before selling their data. It introduces geofence restrictions to prevent the tracking of health-related data near healthcare facilities and updates the responsibilities of data controllers to limit data collection and enhance data security practices. The bill also allows for data privacy assessments to qualify for compliance and subjects individuals who violate data privacy laws to enforcement actions by the attorney general. The enforcement process is clarified, requiring a warning letter before civil action is taken against violators. The act is set to take effect on July 31, 2025, with compliance for postsecondary institutions delayed until July 31, 2029.

Statutes affected:
Introduction: 325M.11, 325M.12, 325M.16, 325M.18, 325M.20, 325M.17