This bill amends the Minnesota Consumer Data Privacy Act to enhance protections for consumer health data by classifying it as sensitive data. It introduces new definitions for "health data" and "geofence," and specifies that sensitive data includes health data, biometric data, and genetic information. The bill outlines consumer rights regarding personal data, including the ability to revoke consent and the requirement for clear and informed consent for data processing. It also clarifies the law's applicability to entities conducting business in Minnesota and includes exclusions for information governed by existing health privacy laws like HIPAA. Notably, the bill repeals a previous section related to small business exemptions, indicating a significant restructuring of the legal framework.

Additionally, the bill mandates that data controllers obtain valid authorization from consumers before selling sensitive data and requires transparency about the data being sold, the parties involved, and the purpose of the sale. It emphasizes reasonable security practices and compliance documentation, while also enhancing enforcement capabilities for the attorney general against individuals violating data protection laws. The effective date for the new provisions is set for July 31, 2025, with a delayed compliance requirement for postsecondary institutions until July 31, 2029. Penalties for violations can reach up to $7,500 per incident, and the attorney general must issue a warning letter before taking enforcement action.

Statutes affected:
Introduction: 325M.11, 325M.12, 325M.16, 325M.18, 325M.20, 325M.17