This bill amends the Minnesota Consumer Data Privacy Act to enhance protections for consumer health data by classifying it as sensitive data. It introduces key definitions, such as "health data," which refers to personal data identifying a consumer's mental or physical health status, and "geofence," which pertains to location-based technology. The bill specifies that sensitive data includes health data, biometric data, and genetic information, and outlines the conditions for valid consumer consent, emphasizing consumer autonomy in data processing. It also clarifies the scope of the Act, applying to entities in Minnesota that meet certain thresholds for personal data processing while excluding specific information governed by federal regulations, such as protected health information under the Health Insurance Portability and Accountability Act.
Additionally, the bill establishes new requirements for data controllers, mandating valid consumer authorization before selling sensitive data, distinct from consent for processing. It prohibits the use of geofencing around healthcare entities to track consumers without consent and requires controllers to limit data collection to necessary information. The bill also introduces enforcement mechanisms that allow the attorney general to enforce compliance against non-controllers, and it repeals previous requirements for small businesses regarding sales of consumer sensitive data. The enforcement provisions include a warning letter before civil action and a civil penalty of up to $7,500 for violations. The act is set to take effect on July 31, 2025, with a delayed compliance date for postsecondary institutions until July 31, 2029.
Statutes affected: Introduction: 325M.11, 325M.12, 325M.16, 325M.18, 325M.20, 325M.17