Purpose

• Establish rules for collecting, using, sharing, and keeping biometric data to protect individuals’ privacy. The bill sets requirements for obtaining consent, limits how data can be sold or disclosed, requires safeguards, sets a time limit on how long data can be kept, and creates penalties for violations.

What counts as biometric data

• The bill defines biometric data as an image, description, or recording of:
  • a person’s face or facial features
  • retina or iris
  • fingerprint
  • voiceprint
  • hand geometry
  • face geometry
  • that can identify an individual, alone or with other information

Consent and collection

• It is illegal to collect biometric data without the individual’s consent before collection.
• If a company collects biometric data, it must obtain consent first and follow the rules in this section.

Prohibited actions and safeguards on use

• Companies generally cannot sell, lease, or disclose biometric data to others unless certain conditions apply:
  • the individual consents for a purpose such as identification
  • the disclosure is connected to the individual’s disappearance or death
  • the disclosure completes a financial transaction the individual requested
  • the disclosure is required or allowed by federal or state law
  • the disclosure is made to a law enforcement agency for a law enforcement purpose in response to a warrant
• Companies must store, transmit, and protect biometric data with reasonable care, in a way that is at least as protective as how they protect other confidential information.

Retention and deletion

• Biometric data must be deleted and destroyed within a reasonable time, but no later than one year after the purpose for collecting it expires.
• If a federal or state law requires a longer retention period, the data must be kept for that longer period and then destroyed within a reasonable time after that period ends.
• If an employer collects biometric data for security, the data must be deleted after the employment ends.

Enforcement and penalties

• Violating these provisions can result in a civil penalty of up to $25,000 for each violation.
• The attorney general can bring a legal action to recover the civil penalties.

Exemptions

• Voiceprint data kept by a financial institution or an affiliate of a financial institution is exempt from these rules.
• The exemption references existing federal law related to financial institutions (as defined by 15 U.S.C. 6809).

How this changes Minnesota law

• Creates a new regulatory framework under Minnesota Statutes chapter 325M for biometric data, including consent requirements, restrictions on sale and disclosure, data protection standards, retention limits, and enforcement mechanisms.
• Establishes explicit time limits and exceptions that do not currently exist in this area.

Practical impact

• For individuals: greater control over who can collect their biometric data, when it can be used or shared, and how long it can be kept.
• For businesses and employers: new compliance obligations around obtaining consent, safeguarding data, limiting retention, and potential civil penalties for violations.

Relevant Terms - biometric data - consent - collection - sale - disclosure - identification purposes - disappearance - death - financial transaction - law enforcement - reasonable care - store - transmit - protect - destruction - retention period - one year - civil penalty - attorney general - exempt - voiceprint - financial institution - United States Code title 15 section 6809 - Minnesota Statutes chapter 325M