SF2260 (Legislative Session 94 (2025-2026))
Biometric privacy standards and right of action establishment
AI Generated Summary
This bill, S.F. No. 2260, proposes the establishment of biometric privacy standards in Minnesota under a new statute (Minnesota Statutes, Chapter 325E). Key provisions include the following:
Definitions:
- Defines "biometric identifiers" (e.g., retina scans, fingerprints, voiceprints, and face geometry scans). Excludes items such as demographic data, tattoos, photographs, and medical images used for treatment.
- Defines "biometric information" as any data derived from biometric identifiers and used for identification.
- Defines "confidential and sensitive information" as personal data that uniquely identifies an individual.
- Defines "private entity" as any non-governmental organization or business handling biometric data.
- Defines "biometric identifiers" (e.g., retina scans, fingerprints, voiceprints, and face geometry scans). Excludes items such as demographic data, tattoos, photographs, and medical images used for treatment.
Rules for Collection, Retention, and Disclosure:
- Private entities must create a publicly available written retention schedule to destroy biometric data once the initial purpose is satisfied or within three years of the last interaction, whichever comes first.
- Private entities must obtain explicit written consent before collecting, storing, or using biometric data.
- Prohibits private entities from selling, leasing, or trading biometric data.
- Disclosure of biometric data is only allowed under specific conditions (e.g., with consent, for financial transactions, legal requirements, or valid court warrants).
- Requires reasonable security measures to protect biometric data, at least as strong as those used for other sensitive information.
- Private entities must create a publicly available written retention schedule to destroy biometric data once the initial purpose is satisfied or within three years of the last interaction, whichever comes first.
Right to Legal Action:
- Allows individuals to sue private entities for violations.
- Negligent violations carry liquidated damages of $1,000 or actual damages, whichever is greater.
- Intentional or reckless violations carry damages of $5,000 or actual damages, whichever is greater.
- Plaintiffs may also recover attorney fees and litigation costs and seek injunctive relief.
- Allows individuals to sue private entities for violations.
Interaction with Other Laws:
- The law does not limit the use of biometric data in legal proceedings.
- It does not override HIPAA protections for healthcare-related biometric data.
- It does not apply to financial institutions covered under the Gramm-Leach-Bliley Act.
- Contractors and agents working for government agencies are exempt when acting on behalf of those agencies.
- The law does not limit the use of biometric data in legal proceedings.
The bill ultimately seeks to strengthen individual privacy rights by regulating how businesses collect, store, and use biometric data while providing individuals legal recourse in cases of misuse.
Bill text versions
- Introduction PDF file
Actions
| Date | Chamber | Where | Type | Name | Committee Name |
|---|---|---|---|---|---|
| March 05, 2025 | House | Floor | Action | Introduction and first reading | |
| March 05, 2025 | Senate | Floor | Action | Introduction and first reading | |
| March 05, 2025 | House | Floor | Action | Referred to | Commerce and Consumer Protection |
| March 05, 2025 | Senate | Floor | Action | Referred to | Commerce and Consumer Protection |