This bill amends the Minnesota Consumer Data Privacy Act to enhance protections for consumer health data by classifying it as sensitive data. It introduces key definitions, such as "health data" and "geofence," and specifies that sensitive data includes health data, biometric data, and genetic information. The bill outlines the conditions for obtaining consumer consent for data processing and clarifies consumer rights regarding their personal data. It also modifies the scope of the law to include legal entities conducting business in Minnesota and introduces exclusions for information governed by existing health privacy laws like HIPAA. Notably, the bill repeals section 325M.17, which previously outlined specific requirements for small businesses regarding the sale of consumer sensitive data.

Additionally, the bill imposes new requirements on data controllers, mandating valid consumer authorization before selling sensitive data, distinct from consent for processing. It prohibits the use of geofencing around healthcare entities for tracking health data and clarifies compliance with the Children's Online Privacy Protection Act. The enforcement mechanisms are strengthened, allowing the Attorney General to enforce compliance against individuals violating data protection laws. The bill establishes a warning letter process before civil action and sets penalties for violations, with the act taking effect on July 31, 2025, and a delayed compliance date for postsecondary institutions until July 31, 2029.

Statutes affected:
Introduction: 325M.11, 325M.12, 325M.16, 325M.18, 325M.20, 325M.17