This bill amends the Minnesota Consumer Data Privacy Act to enhance protections for consumer health data by classifying it as sensitive data. It introduces key definitions, such as "health data" and "geofence," and specifies that sensitive data includes health data, biometric data, and genetic information. The bill outlines the conditions for obtaining consumer consent for data processing and clarifies consumer rights regarding their personal data. It also expands the scope of the law to include legal entities conducting business in Minnesota and introduces exclusions for information governed by existing health privacy laws like HIPAA. Notably, the bill repeals section 325M.17, which previously addressed small business requirements related to the sale of consumer sensitive data.

Additionally, the bill establishes new provisions for data collection, processing, and sharing, emphasizing the need for consumer consent and reasonable security practices. It prohibits the use of geofencing around healthcare entities without consent and mandates documentation of data privacy policies. The Attorney General is granted authority to issue warning letters for violations, allowing a 30-day period for compliance before enforcement actions. The bill also allows a single data protection assessment to cover multiple processing operations and clarifies that assessments for compliance with other laws may satisfy new requirements. The act is set to take effect on July 31, 2025, with a delayed compliance requirement for postsecondary institutions until July 31, 2029.

Statutes affected:
Introduction: 325M.11, 325M.12, 325M.16, 325M.18, 325M.20, 325M.17