HF-4005
MN · State · USA
● Pending
Proposed Effective Date
2026-08-01
Minnesota H.F. No. 4005 — A bill for an act relating to biometric data; requiring consent for collection; prohibiting sale; requiring deletion; imposing civil penalties; proposing coding for new law in Minnesota Statutes, chapter 325M
Summary

Establishes biometric data consent and safeguard requirements for any person collecting biometric data in Minnesota. Requires prior consent before collecting biometric data, restricts sale and disclosure of biometric data with narrow exceptions (consent for identification in disappearance/death, completion of requested financial transactions, law or warrant), imposes reasonable care security standards, and mandates deletion within one year of purpose expiration. Enforced exclusively by the attorney general with civil penalties up to $25,000 per violation. Exempts voiceprint data retained by financial institutions or their affiliates as defined under 15 U.S.C. § 6809.

Enforcement & Penalties
Enforcement Authority
Attorney general enforcement only. The attorney general may bring a civil action to recover civil penalties. No private right of action is created. Enforcement is agency-initiated.
Penalties
Civil penalty of not more than $25,000 for each violation. No private damages, injunctive relief, or attorney fees provisions. Penalties are recoverable only by the attorney general.
Who Is Covered
Compliance Obligations · 4 obligations
D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics
Minn. Stat. § 325M.40, subd. 2
Plain Language
Any person must obtain an individual's consent before collecting biometric data from that individual. There is no exception for publicly available data or implied consent — consent must be affirmative and obtained prior to collection. Biometric data includes facial features, retina, iris, fingerprint, voiceprint, and hand or face geometry when capable of identifying an individual. The statute does not specify the form of consent (written vs. oral) but requires it occur before collection. Voiceprint data retained by financial institutions or their affiliates (as defined in 15 U.S.C. § 6809) is exempt from this entire section.
Statutory Text
A person is prohibited from collecting biometric data from an individual unless the person receives the individual's consent to collect the biometric data before the collection occurs.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Biometrics
Minn. Stat. § 325M.40, subd. 3(1)-(1)(iv)
Plain Language
Any person who has obtained biometric data is prohibited from selling, leasing, or otherwise disclosing it to third parties except in four narrow circumstances: (1) the individual consents to disclosure for identification purposes in disappearance or death; (2) the disclosure completes a financial transaction the individual requested or authorized; (3) the disclosure is required or permitted by federal or state law; or (4) the disclosure is made to or by law enforcement pursuant to a warrant. Outside these four exceptions, all transfers of biometric data to third parties are prohibited — there is no general consent-based disclosure exception for commercial purposes.
Statutory Text
A person who obtains biometric data: (1) must not sell, lease, or otherwise disclose the biometric data to another person unless: (i) the individual consents to the disclosure for identification purposes in the event of the individual's disappearance or death; (ii) the disclosure completes a financial transaction that the individual requested or authorized; (iii) the disclosure is required or permitted by a federal or state law; or (iv) the disclosure is made by or to a law enforcement agency for a law enforcement purpose in response to a warrant;
Other · Biometrics
Minn. Stat. § 325M.40, subd. 3(2)
Plain Language
Any person who possesses biometric data must store, transmit, and protect it from disclosure using reasonable care. The protection standard is benchmarked: biometric data must receive at least the same level of protection as other confidential information the person possesses. This means the entity's existing confidential data security posture sets the floor — biometric data cannot receive lesser protection. The standard is 'reasonable care,' not a prescriptive technical requirement.
Statutory Text
(2) must store, transmit, and protect from disclosure the biometric data using reasonable care and in a manner that is at least as or more protective than the manner in which the person stores, transmits, and protects other confidential information the person possesses;
Other · Biometrics
Minn. Stat. § 325M.40, subd. 3(3)
Plain Language
Any person who possesses biometric data must delete and destroy it within a reasonable time, and in no event later than one year after the original purpose for collection expires. If federal or state law requires a longer retention period, the data must be destroyed within one year after that legally mandated retention period ends. The statute specifically addresses the employer context: when an employer collects an employee's biometric data for security purposes, the collection purpose is deemed to expire upon termination of employment, starting the one-year deletion clock. For all other contexts, the entity must determine when the stated collection purpose has been fulfilled and track the one-year deadline from that point.
Statutory Text
(3) must delete and destroy the biometric data within a reasonable time, but no later than one year from the date the purpose for collecting the data expires, unless the data is maintained pursuant to a federal or state law that requires a longer retention period, in which case the biometric data must be destroyed within a reasonable time frame but no later than one year from the date that the state or federal law retention period expires. If an employer collects an employee's biometric data for security purposes, the purpose for collecting the data expires upon termination of the employment relationship.