SF5221

Purpose

• Establish rules to protect Minnesota residents’ precise geolocation data. The bill creates new limits on how precisely geolocation data can be collected, stored, and shared, and adds civil penalties for violations.

Key Definitions (simplified)

• Collect: Obtaining or acquiring personal data by any means.
• Consumer: An individual who lives in Minnesota (not someone acting in a business, employment, or organizational role with a company or agency).
• Controller: The entity that determines how and why to collect personal data (as defined elsewhere in Minnesota law).
• Processor: A party that processes personal data on behalf of a controller.
• Personal data: The data described in the law’s definitions (specific to geolocation).
• Device: An object that can connect to the Internet or another device.
• Precise geolocation data: Data that can pinpoint a location within about 1,750 feet, derived from tech like GPS. It does not include the content of communications, photos, or videos unless those contents are used to identify precise location.
• Third party: A person who collects data from someone other than the consumer or a processor.
• Sale of personal data: The act of selling personal data to another party.

Main Provisions and What They Aim to Accomplish

• Notice to Consumers
  • Controllers must include in their publicly accessible privacy notices:
  • The type of precise geolocation data collected and the data’s precision level.
  • The goods or services the consumer requested that led to the data collection, and how the data is processed for those purposes.
  • Whether the data is collected, processed, or disclosed to prevent or respond to security incidents, fraud, harassment, or illegal activity, including how it is processed for these purposes.
  • The identity of each third party to whom the precise geolocation data is disclosed.
  • Controllers must prominently display a notice that precise geolocation data is being collected, provided at or before collection.
• Limitations on Collection, Processing, and Retention
  • Controllers/processors may not collect or process more precise geolocation data than necessary to provide the requested goods or services.
  • Controllers/processors may not retain precise geolocation data longer than needed to provide the goods or services, or more than one year after the consumer’s last intentional interaction with the controller, whichever comes first.
  • They may not sell, trade, or lease precise geolocation data to a third party.
• Allowed Uses and Necessary Exceptions
  • A controller/processor may collect or process precise geolocation data that is necessary to prevent or respond to security incidents, fraud, harassment, malicious or deceptive activities, or illegal activity targeted at the consumer.
  • It may enable investigations or prosecutions of individuals responsible for such actions.
  • Retention of location data under these exceptions cannot exceed 90 days unless required by law.
  • Use of precise geolocation data for any other purpose is prohibited.
  • It may still be used to provide services on behalf of the controller/processor (e.g., maintaining accounts, processing payments, providing financing, storage, etc.). This use is allowed only for those services and not for other purposes.
• Notice Delivery Timing
  • The required notices must be provided to the consumer at the time or before collection occurs.
• Enforcement and Remedies
  • A consumer harmed by a violation can bring a civil action.
  • Potential remedies include:
  • Damages: at least $5,000 per individual per violation (adjusted annually for inflation) or actual damages, whichever is greater.
  • Punitive damages.
  • Injunctive relief (court-ordered actions to stop improper practices), declaratory relief, and reasonable attorney fees and costs.

Significant Changes to Existing Law

• Creates a new set of rules under Minnesota Statutes chapter 325M specifically for geolocation data, introducing:
  • A formal definition of precise geolocation data and related terms.
  • Clear notice and transparency requirements for collection and disclosure of precise geolocation data.
  • A strict data minimization and retention framework (no more than necessary, with explicit time limits and a general one-year cap post-last interaction; and a tighter 90-day retention window for data collected under security/anti-abuse exceptions).
  • A prohibition on selling precise geolocation data and on using it for purposes other than stated.
  • Strong civil enforcement with substantial damages and other remedies for individuals who suffer harm.
• Expands consumer protections specifically around how precise location data can be used, stored, and shared, and creates a pathway for individuals to seek relief through civil actions.

Relevant Terms - precise geolocation data - geolocation data - consumer - controller - processor - collect - personal data - device - third party - sale of personal data - public/privacy notice - goods or services - precision level - security incidents - fraud - harassment - illegal activity - retention - 90 days - one year - civil action - damages - punitive damages - injunctive relief - declaratory relief - attorney fees