Minnesota Governor Tim Walz has signed into law HF 4757, bringing extensive data privacy protections to the state.
The Minnesota Consumer Data Privacy Act, which goes into effect on July 31, 2025, includes specific provisions regarding biometrics. It restricts the processing of biometric data or genetic information for the purpose of uniquely identifying an individual without obtaining the consumer’s consent. This is part of a broader definition of “sensitive data,” which also includes information revealing racial or ethnic origin, religious beliefs, health conditions, sexual orientation, and specific geolocation data.
Beyond biometrics, the Act introduces comprehensive privacy protections for consumers. It applies to businesses operating in Minnesota or targeting Minnesota residents if they control or process the personal data of at least 100,000 consumers or derive more than 25 percent of their gross revenue from selling personal data of 25,000 or more consumers. The law excludes data regulated under federal statutes such as the Gramm-Leach-Bliley Act, HIPAA, and the Fair Credit Reporting Act, as well as data related to employment contexts.
Consumers are granted several rights under the Act. They can confirm whether their data is being processed, correct inaccuracies, delete their data, and obtain a portable copy of their data. They also have the right to opt out of data processing for targeted advertising, the sale of personal data, or profiling decisions with significant effects. Controllers must provide a list of third parties to whom they have disclosed personal data, ensuring transparency and control over data sharing.
The Act mandates that any processing of sensitive data requires consumer consent. It also says that contracts between data controllers and processors must detail the processing instructions, purposes, types of data, and security obligations. Processors are required to maintain confidentiality, engage subcontractors under strict conditions, implement data security measures, and provide data back to controllers upon request.
To ensure compliance, controllers must conduct data protection assessments for activities involving targeted advertising, the sale of personal data, processing sensitive data, and any other activities posing significant risks to consumers.
Enforcement of the Act falls under the exclusive authority of the Attorney General, who can impose civil penalties of up to $7,500 per violation. This, among other things, distinguishes the Act from Illinois’ Biometric Information Privacy Act, which has a private right of action, meaning any citizen can file suit against a company that allegedly violates BIPA. The Minnesota Act is more aligned with Texas’ biometric privacy law, which also must be enforced by the state’s Attorney General.
The Minnesota Act includes a 30-day grace period until January 31, 2026, giving businesses time to fix any violations before any penalties are enforced.
Source: Lexology
June 7, 2024 – by Ali Nassar-Smith and Alex Perala