SF-4351
MN · State · USA
Status: Pre-filed
Proposed Effective Date: 2026-08-01
Minnesota S.F. No. 4351 — Biometric Data; Consent; Safeguards
Summary

Minnesota SF 4351 would require any person to obtain an individual's consent before collecting biometric data, defined broadly to include facial features, retinas, irises, fingerprints, voiceprints, and hand/face geometry. Persons who obtain biometric data are prohibited from selling, leasing, or disclosing it except under narrow exceptions (individual consent for identification after disappearance/death, completing a requested financial transaction, as required by law, or to law enforcement pursuant to a warrant). Biometric data must be stored with reasonable care and deleted within one year after the collection purpose expires. Voiceprint data held by financial institutions is exempt. Enforcement is exclusively through the attorney general, with civil penalties up to $25,000 per violation.

Enforcement & Penalties
Enforcement Authority
Attorney general enforcement only. The attorney general may bring a civil action to recover civil penalties. No private right of action is created by the statute. Enforcement is agency-initiated.
Penalties
Civil penalty of not more than $25,000 for each violation. No private damages, injunctive relief, or attorney fee provisions. Penalties are recoverable only by the attorney general.
Who Is Covered
Compliance Obligations (3 obligations)
D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics
Minn. Stat. § 325M.40, subd. 2
Plain Language
Before collecting any biometric data from an individual, the collecting person must obtain the individual's consent. Consent must be obtained before collection occurs — retroactive consent is insufficient. The definition of biometric data is broad, covering facial images, facial features, retinas, irises, fingerprints, voiceprints, hand geometry, and face geometry that may be used to identify an individual. Voiceprint data retained by financial institutions (as defined under 15 U.S.C. § 6809) is exempt from this requirement under Subdivision 5.
Statutory Text
A person is prohibited from collecting biometric data from an individual unless the person receives the individual's consent to collect the biometric data before the collection occurs.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Biometrics
Minn. Stat. § 325M.40, subd. 3(1)-(2)
Plain Language
Once biometric data is obtained, the holder faces two ongoing obligations. First, sale, lease, or other disclosure to third parties is prohibited except under four narrow exceptions: (1) the individual consents for identification in case of disappearance or death; (2) the disclosure completes a financial transaction the individual requested; (3) disclosure is required or permitted by federal or state law; or (4) disclosure is to or by law enforcement pursuant to a warrant. Second, the holder must store, transmit, and protect biometric data using reasonable care, at a level at least as protective as the holder's treatment of other confidential information. These are use-limitation and security safeguards that restrict what can be done with collected biometric data.
Statutory Text
A person who obtains biometric data:
(1) must not sell, lease, or otherwise disclose the biometric data to another person unless:
  (i) the individual consents to the disclosure for identification purposes in the event of the individual's disappearance or death;
  (ii) the disclosure completes a financial transaction that the individual requested or authorized;
  (iii) the disclosure is required or permitted by a federal or state law; or
  (iv) the disclosure is made by or to a law enforcement agency for a law enforcement purpose in response to a warrant;
(2) must store, transmit, and protect from disclosure the biometric data using reasonable care and in a manner that is at least as or more protective than the manner in which the person stores, transmits, and protects other confidential information the person possesses;
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Biometrics
Minn. Stat. § 325M.40, subd. 3(3)
Plain Language
Biometric data must be deleted and destroyed within a reasonable time, but no later than one year after the purpose for collecting it expires. If a federal or state law mandates a longer retention period, the data must still be destroyed no later than one year after that legally required retention period ends. For employer-collected biometric data used for security purposes, the collection purpose is deemed to expire upon termination of the employment relationship — meaning the one-year deletion clock starts at termination. This creates a hard outer boundary on biometric data retention tied to purpose expiration.
Statutory Text
(3) must delete and destroy the biometric data within a reasonable time, but no later than one year from the date the purpose for collecting the data expires, unless the data is maintained pursuant to a federal or state law that requires a longer retention period, in which case the biometric data must be destroyed within a reasonable time frame but no later than one year from the date that the state or federal law retention period expires. If an employer collects an employee's biometric data for security purposes, the purpose for collecting the data expires upon termination of the employment relationship.