Purpose

This bill creates rules for handling biometric data in Minnesota. It requires people or organizations to obtain consent before collecting biometric data, restricts how biometric data can be shared or sold, sets protection and retention standards, and establishes penalties for violations. It also provides an exemption for certain voiceprint data held by financial institutions.

Key Definitions

• Biometric data: an image, description, or recording of a person’s biometric traits such as a face, facial features, retina, iris, fingerprint, voiceprint, hand geometry, or face geometry, which can identify a person either alone or with other information.

Main Provisions

• Consent before collection: A person cannot collect biometric data from an individual without their consent.
• Prohibitions on sale or disclosure: A person who has biometric data may not sell, lease, or disclose it to someone else unless one of several exceptions applies (e.g., identification in case of disappearance or death; completion of a financial transaction the person requested or authorized; required or allowed by federal or state law; disclosure to a law enforcement agency for a law enforcement purpose in response to a warrant).
• Safeguards: Biometric data must be stored, transmitted, and protected with reasonable care, at least as protective as the protection given to other confidential information the person holds.
• Retention and deletion: Biometric data must be deleted and destroyed within a reasonable time, but no later than one year after the purpose for collecting the data expires, unless a longer retention period is required by federal or state law (in which case it must still be destroyed within a reasonable time after that period ends). If an employer collects biometric data for security, retention ends when the employment relationship ends.
• Civil enforcement: Violations can lead to a civil penalty of up to $25,000 per violation. The attorney general may file suit to recover the penalty.

Enforcement and Penalties

• Civil penalties: Up to $25,000 for each violation.
• Enforcement: The attorney general has authority to bring a civil action to recover penalties.

Exemptions

• Voiceprint data held by a financial institution or an affiliate of a financial institution is exempt to the extent defined by federal law (specifically, United States Code title 15 section 6809).

Significant Changes to Existing Law

• Establishes a new statutory framework in Minnesota Statutes chapter 325M (325M.40) governing biometric data, including consent requirements, restrictions on use and disclosure, data protection standards, defined retention limits, and civil penalties.
• Introduces a formal, enforceable standard for how biometric data can be stored, shared, or deleted, and creates a mechanism for enforcement by the state (attorney general) with notable penalties.
• Creates an explicit exemption for voiceprint data held by financial institutions, aligning with federal standards for certain financial data.

Relevant Terms biometric data, biometric identifiers, consent, collection, sale, lease, disclosure, identification, disappearance, death, financial transaction, storage, transmission, protection, reasonable care, retention, destruction, one year, employer, security purposes, termination, civil penalty, attorney general, law enforcement, warrant, exemptions, voiceprint, financial institution, affiliate, United States Code, 15 U.S.C. 6809, Minnesota Statutes, chapter 325M, 325M.40