Laws & Statutes MN MN-SF-4351
SF-4351
MN · State · USA
MN
USA
● Pending
Minnesota S.F. No. 4351 — A bill for an act relating to biometric data; requiring consent for collection; prohibiting sale; requiring deletion; imposing civil penalties; proposing coding for new law in Minnesota Statutes, chapter 325M.
Minnesota SF 4351 would require any person to obtain an individual's consent before collecting biometric data, defined broadly to include face, iris, retina, fingerprint, voiceprint, hand geometry, and face geometry recordings. Persons who obtain biometric data are prohibited from selling, leasing, or disclosing it except in narrow circumstances (individual consent for disappearance/death identification, financial transactions, legal requirements, or law enforcement warrants). Collectors must safeguard biometric data with reasonable care and delete it within one year of purpose expiration. The bill is enforced exclusively by the attorney general, with civil penalties up to $25,000 per violation. Voiceprint data held by financial institutions as defined under 15 U.S.C. § 6809 is exempt.
Passage Likelihood
Low
Chamber No passage
Committee No action
Majority party No
Bipartisan No
Prior session None
Legislative History
2026-03-11 introduced Introduction and first reading
2026-03-11 committee referral Referred to Commerce and Consumer Protection
Mapped Requirements
D-01 Automated Processing Rights & Data Controls
Official Sources
Full Text
Entry Last Reviewed
2026-04-01
AI generated
Summary

Minnesota SF 4351 would require any person to obtain an individual's consent before collecting biometric data, defined broadly to include face, iris, retina, fingerprint, voiceprint, hand geometry, and face geometry recordings. Persons who obtain biometric data are prohibited from selling, leasing, or disclosing it except in narrow circumstances (individual consent for disappearance/death identification, financial transactions, legal requirements, or law enforcement warrants). Collectors must safeguard biometric data with reasonable care and delete it within one year of purpose expiration. The bill is enforced exclusively by the attorney general, with civil penalties up to $25,000 per violation. Voiceprint data held by financial institutions as defined under 15 U.S.C. § 6809 is exempt.

Enforcement & Penalties
Enforcement Authority
Attorney general enforcement only. The attorney general may bring an action to recover civil penalties. No private right of action is created. Enforcement is agency-initiated.
Penalties
Civil penalty of not more than $25,000 for each violation. No private damages, injunctive relief, or attorney fees provisions. Penalties are recoverable only by the attorney general.
Who Is Covered
Compliance Obligations 3 obligations · click obligation ID to open requirement page
D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics
Minn. Stat. § 325M.40, subd. 2
Plain Language
Before collecting any biometric data from an individual, a person must first obtain the individual's consent. Biometric data is defined broadly to include images, descriptions, or recordings of facial features, retinas, irises, fingerprints, voiceprints, hand geometry, or face geometry usable to identify an individual. The bill does not specify the form of consent (written vs. oral) or require specific disclosures about the type of biometric data being collected or the purpose of collection, unlike Illinois BIPA. Voiceprint data retained by financial institutions or their affiliates (as defined by 15 U.S.C. § 6809) is exempt from this requirement.
Statutory Text
A person is prohibited from collecting biometric data from an individual unless the person receives the individual's consent to collect the biometric data before the collection occurs.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Biometrics
Minn. Stat. § 325M.40, subd. 3(1)-(3)
Plain Language
Once biometric data is collected, the collector faces three ongoing obligations. First, the data cannot be sold, leased, or disclosed except in four narrow circumstances: individual consent for disappearance/death identification, completing an individual-authorized financial transaction, disclosure required or permitted by law, or law enforcement disclosure under a warrant. Second, the data must be stored, transmitted, and protected with at least the same level of care applied to the collector's other confidential information. Third, the data must be deleted within a reasonable time but no later than one year after the collection purpose expires. For employers collecting employee biometric data for security, the purpose expires upon employment termination. If a federal or state law requires longer retention, the one-year clock starts when that retention period ends. Voiceprint data held by financial institutions or their affiliates is exempt.
Statutory Text
A person who obtains biometric data: (1) must not sell, lease, or otherwise disclose the biometric data to another person unless: (i) the individual consents to the disclosure for identification purposes in the event of the individual's disappearance or death; (ii) the disclosure completes a financial transaction that the individual requested or authorized; (iii) the disclosure is required or permitted by a federal or state law; or (iv) the disclosure is made by or to a law enforcement agency for a law enforcement purpose in response to a warrant; (2) must store, transmit, and protect from disclosure the biometric data using reasonable care and in a manner that is at least as or more protective than the manner in which the person stores, transmits, and protects other confidential information the person possesses; and (3) must delete and destroy the biometric data within a reasonable time, but no later than one year from the date the purpose for collecting the data expires, unless the data is maintained pursuant to a federal or state law that requires a longer retention period, in which case the biometric data must be destroyed within a reasonable time frame but no later than one year from the date that the state or federal law retention period expires. If an employer collects an employee's biometric data for security purposes, the purpose for collecting the data expires upon termination of the employment relationship.
Other · Biometrics
Minn. Stat. § 325M.40, subd. 5
Plain Language
The entire statute does not apply to voiceprint data retained by financial institutions or their affiliates as defined by 15 U.S.C. § 6809 (the Gramm-Leach-Bliley Act definitions). This exemption is limited to voiceprint data specifically — other biometric data types (facial geometry, fingerprints, etc.) held by financial institutions remain covered. This creates no new compliance obligation; it narrows the scope of the other provisions.
Statutory Text
This section does not apply to voiceprint data retained by a financial institution or an affiliate of a financial institution, as those terms are defined by United States Code, title 15, section 6809.