This bill amends the Minnesota Consumer Data Privacy Act to enhance protections for consumer health data by classifying it as sensitive data. It introduces key definitions, such as "health data," which includes personal information related to a consumer's mental or physical health, and "geofence," which pertains to location tracking technology. The bill specifies that sensitive data encompasses health data, biometric data, and genetic information, and clarifies the terms "share" and "sharing" to ensure consumers are informed about data disclosures. The law applies to entities operating in Minnesota that meet certain thresholds for processing personal data, while also excluding information already protected under existing health privacy laws like HIPAA.

Additionally, the bill mandates that data controllers limit data collection to necessary information, obtain consumer consent for processing sensitive data, and implement strong data security practices. It introduces restrictions on sharing health data and selling sensitive data, requiring consent for these actions. The legislation also outlines responsibilities for small businesses regarding consumer data, emphasizing the prohibition of selling sensitive data or sharing health data without consent. Enforcement mechanisms are established, allowing the attorney general to issue warnings and pursue civil actions against violators. The act is set to take effect on January 1, 2027, with a delayed compliance date for postsecondary institutions until July 31, 2029.

Statutes affected:
Introduction: 325M.11, 325M.12, 325M.16, 325M.18, 325M.20, 325M.17
1st Engrossment: 325M.11, 325M.12, 325M.16, 325M.18, 325M.20
2nd Engrossment: 325M.11, 325M.12, 325M.16, 325M.17, 325M.18, 325M.20