United States of America: Bill amending Minnesota Consumer Data Privacy Act including protection and sale requirements for sensitive data was introduced to Senate of Minnesota (SF 2940)

On 24 March 2025, a bill to amend the Minnesota Consumer Privacy Act was introduced in the Senate (SF 2940). The Bill would categorise consumer health data as a form of sensitive data and establish requirements for its processing. It would prohibit the processing or disclosure of sensitive information without the consumer's explicit consent, and establish conditions for obtaining and administering such consent. The Bill would also introduce restrictions on the use of geofencing technology around healthcare facilities in connection with the collection or use of health data. The Bill would also set out specific requirements for the sale of sensitive data. A separate written authorisation, distinct from general consent, would be required before any sale of sensitive data. The authorisation would be subject to formal requirements, including identification of the data and parties involved, the purpose of the sale, a right of revocation, a notice of redisclosure, and an expiry date of no more than one year. Sellers and purchasers would be required to keep copies of the authorisation for six years. In addition, the Bill would require data controllers to conduct privacy and data protection assessments for processing activities involving personal data, including where such activities may present an increased risk to consumers.