HF-4005
MN · State · USA
Status: Pending
Proposed Effective Date
2026-08-01
Minnesota H.F. No. 4005 — A bill for an act relating to biometric data; requiring consent for collection; prohibiting sale; requiring deletion; imposing civil penalties; proposing coding for new law in Minnesota Statutes, chapter 325M
Summary

Proposes a new Minnesota biometric data protection statute modeled loosely on Illinois BIPA. Requires any person to obtain consent before collecting biometric data — defined to include face, iris, retina, fingerprint, voiceprint, hand geometry, and face geometry images, descriptions, or recordings usable for identification. Prohibits sale, lease, or disclosure of biometric data except in narrow circumstances (individual consent for identification upon disappearance or death, individual-authorized financial transactions, law enforcement warrants, or federal/state law requirements). Requires reasonable-care security and mandatory deletion within one year of purpose expiration. Enforced exclusively by the attorney general with civil penalties up to $25,000 per violation. Exempts voiceprint data retained by financial institutions as defined under 15 U.S.C. § 6809.

Enforcement & Penalties
Enforcement Authority
Attorney general enforcement only. The attorney general may bring a civil action to recover civil penalties. No private right of action is created. Enforcement is agency-initiated.
Penalties
Civil penalty of not more than $25,000 for each violation. No private damages, injunctive relief, or attorney fees provisions. Penalties are recoverable only by the attorney general.
Who Is Covered
Compliance Obligations (4 obligations)
D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics
Minn. Stat. § 325M.40, subd. 2
Plain Language
Any person must obtain an individual's consent before collecting any biometric data from that individual. Biometric data includes facial images, retinal/iris scans, fingerprints, voiceprints, and hand/face geometry usable for identification. The consent must be received before the collection occurs — retroactive consent is not sufficient. The statute does not specify the form of consent (written vs. oral), nor does it require disclosure of the specific purpose or type of biometric identifier being collected, unlike Illinois BIPA. Voiceprint data retained by financial institutions (as defined under 15 U.S.C. § 6809) is exempt from this requirement.
Statutory Text
A person is prohibited from collecting biometric data from an individual unless the person receives the individual's consent to collect the biometric data before the collection occurs.
D-01 Automated Processing Rights & Data Controls · Deployer · Biometrics
Minn. Stat. § 325M.40, subd. 3(1)
Plain Language
Once a person has obtained biometric data, they are prohibited from selling, leasing, or otherwise disclosing it to any third party unless one of four narrow exceptions applies: (1) the individual consented to disclosure for identification in case of disappearance or death; (2) the disclosure completes a financial transaction the individual requested or authorized; (3) the disclosure is required or permitted by federal or state law; or (4) the disclosure is to or by law enforcement pursuant to a warrant. This is effectively a near-total ban on commercial sale of biometric data. Voiceprint data retained by financial institutions is exempt.
Statutory Text
A person who obtains biometric data: (1) must not sell, lease, or otherwise disclose the biometric data to another person unless: (i) the individual consents to the disclosure for identification purposes in the event of the individual's disappearance or death; (ii) the disclosure completes a financial transaction that the individual requested or authorized; (iii) the disclosure is required or permitted by a federal or state law; or (iv) the disclosure is made by or to a law enforcement agency for a law enforcement purpose in response to a warrant;
D-01 Automated Processing Rights & Data Controls · Deployer · Biometrics
Minn. Stat. § 325M.40, subd. 3(2)
Plain Language
Any person who holds biometric data must store, transmit, and protect it using reasonable care, at a level at least as protective as how the person handles its other confidential information. This establishes a relative security floor — if you already protect trade secrets or financial data at a high level, your biometric data security must match or exceed that standard. The statute does not prescribe specific technical measures such as encryption, but the reasonable care standard combined with the comparative benchmark creates an enforceable obligation.
Statutory Text
(2) must store, transmit, and protect from disclosure the biometric data using reasonable care and in a manner that is at least as or more protective than the manner in which the person stores, transmits, and protects other confidential information the person possesses;
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Biometrics
Minn. Stat. § 325M.40, subd. 3(3)
Plain Language
Biometric data must be deleted and destroyed within a reasonable time, and in no event later than one year after the purpose for collection expires. If a federal or state law requires longer retention, the data must be destroyed within one year after that legal retention period expires. For employers collecting employee biometric data for security purposes, the purpose automatically expires when the employment relationship terminates — meaning the data must be destroyed within one year of the employee's departure. This creates a hard outer deadline (one year after purpose expiration) with an expectation of faster deletion where reasonable. Voiceprint data retained by financial institutions is exempt.
Statutory Text
(3) must delete and destroy the biometric data within a reasonable time, but no later than one year from the date the purpose for collecting the data expires, unless the data is maintained pursuant to a federal or state law that requires a longer retention period, in which case the biometric data must be destroyed within a reasonable time frame but no later than one year from the date that the state or federal law retention period expires. If an employer collects an employee's biometric data for security purposes, the purpose for collecting the data expires upon termination of the employment relationship.