SF2940 (Legislative Session 94 (2025-2026))
Minnesota Data Privacy Act modification to make consumer health data a form of sensitive data provision and sensitive data additional protections addition provision
Related bill: HF2700
AI Generated Summary
Purpose of the Bill
This legislative bill aims to update the Minnesota Consumer Data Privacy Act by recognizing consumer health data as sensitive personal information. The bill intends to strengthen protections around the handling, processing, and sharing of sensitive data, which includes but is not limited to health data.
Main Provisions
Consumer Health Data: The bill explicitly categorizes consumer health data as sensitive data. This extends the protection required for sensitive data to consumer health data under Minnesota law.
Sensitive Data Requirements: Businesses must obtain consumers’ consent to process or share sensitive data. Specifically, the consent for processing or sharing sensitive data must be clear and separate from any general terms and conditions.
Sale of Sensitive Data: The bill prohibits the sale of sensitive data, including health data, without explicit permission from the consumer. Authorizations to sell must be distinct and clearly documented in plain language.
Geofence Use: The bill bans the use of geofences to collect data from, identify, or send targeted messages to individuals seeking in-person health care services.
Data Privacy Assessments: Organizations must conduct data privacy and protection assessments for processing activities that involve personal or sensitive data, especially if it presents a heightened risk to consumers.
Attorney General's Role: The attorney general is responsible for enforcing these provisions. Organizations have 30 days to rectify any violation before enforcement actions are taken.
Significant Changes to Existing Law
Expanded Definitions: The bill revises and expands definitions related to personal and sensitive data under Minnesota Statutes 2024 sections.
Prohibitions and Requirements: Establishes new prohibitions against the sale and misuse of sensitive data without proper consumer authorization. It also requires maintaining detailed data privacy policies and conducting risk assessments.
Legal Framework Adjustments: Amendments to existing legal entities are introduced to ensure compliance, including newly defined enforcement mechanisms, fines for violations, and data handling responsibilities.
Relevant Terms
consumer data privacy, health data, sensitive data, data processing, geofence, consent, data security, targeted advertising, attorney general, privacy assessment, data sale prohibitions, child information protection
Bill text versions
- Introduction PDF file
Actions
| Date | Chamber | Where | Type | Name | Committee Name |
|---|---|---|---|---|---|
| March 24, 2025 | Senate | Floor | Action | Introduction and first reading | |
| March 24, 2025 | Senate | Floor | Action | Referred to | Commerce and Consumer Protection |
| April 22, 2025 | Senate | Floor | Action | Author added |
Citations
[
{
"analysis": {
"added": [
"Ties genetic information to the definition provided in another statute for consistency."
],
"removed": [
""
],
"summary": "This amendment to the Minnesota Consumer Data Privacy Act references the definition of genetic information under section 13.386.",
"modified": [
""
]
},
"citation": "13.386",
"subdivision": "subdivision 1"
},
{
"analysis": {
"added": [
"Specific exclusions for entities like government and tribes, and data regulated under other federal acts."
],
"removed": [
""
],
"summary": "This section modifies the exemptions for entities from the Minnesota Consumer Data Privacy Act under section 325M.12.",
"modified": [
"Alteration of subsection terminology and format."
]
},
"citation": "325M.12",
"subdivision": "subdivision 2"
},
{
"analysis": {
"added": [
"Clarification of health records management under the Health Records Act."
],
"removed": [
""
],
"summary": "References within section 325M modify the definitions under section 144.291 subdivision 2 relating to health records.",
"modified": [
""
]
},
"citation": "144.291",
"subdivision": "subdivision 2"
},
{
"analysis": {
"added": [
"Clarifies definitions linked to financial activities covered by separate acts."
],
"removed": [
""
],
"summary": "This section references definitions for residential mortgage servicers within the Consumer Data Privacy Act framework under section 58.02.",
"modified": [
""
]
},
"citation": "58.02",
"subdivision": "subdivision 20"
}
]