Minnesota Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Minnesota does not have a standalone biometric privacy statute like Illinois's BIPA or Texas's CUBI. Instead, the state protects biometric data through the Minnesota Consumer Data Privacy Act (MCDPA), a comprehensive consumer privacy law that classifies biometric identifiers as sensitive data requiring affirmative consent before collection or processing.
Governor Tim Walz signed HF 4757 into law on May 19, 2024. The MCDPA took effect on July 31, 2025, making Minnesota one of a growing number of states with comprehensive privacy legislation that covers biometric data.
For an overview of Minnesota's broader privacy framework, see the parent guide to Minnesota Data Privacy Laws.
How the MCDPA Defines Biometric Data
The MCDPA defines biometric data under Minn. Stat. 325M.11(d) as data generated by automatic measurements of an individual's biological characteristics that are used to identify a specific individual. The statute lists these examples:
- Fingerprints
- Voiceprints
- Eye retinas
- Irises
- Other unique biological patterns or characteristics
The law draws a clear line around what does not qualify. A physical or digital photograph, a video or audio recording, or data generated from those recordings is not biometric data unless that data is specifically generated to identify a specific individual.

This definition follows the same approach used in several other state comprehensive privacy statutes, including Connecticut and Kentucky. It is narrower than the definition used in Illinois's BIPA, which covers a broader set of biometric identifiers without the same exclusions.
Sensitive Data Classification and Consent
Under the MCDPA, biometric data processed for the purpose of uniquely identifying an individual qualifies as "sensitive data" per Minn. Stat. 325M.11(v). This is the highest protection category in the law.
Other categories of sensitive data under the MCDPA include:
- Data revealing racial or ethnic origin
- Religious beliefs
- Mental or physical health condition or diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic data processed for identification
- Specific geolocation data
- Personal data of a known child under 13
Consent requirement. Under Minn. Stat. 325M.16(2)(d), controllers cannot process sensitive data, including biometric data, without first obtaining consumer consent. This means a business cannot collect your fingerprint, faceprint, or iris scan for identification purposes without your affirmative agreement.

Revocation right. Under Minn. Stat. 325M.16(2)(e), consumers can revoke consent at any time. Controllers must provide a revocation mechanism that is at least as easy to use as the original consent process. Once a consumer revokes consent, the controller must stop processing their biometric data within 15 days.
Who Must Comply
The MCDPA applies to entities that conduct business in Minnesota or produce products or services targeted to Minnesota residents and meet one of these thresholds under Minn. Stat. 325M.12:
- Process personal data of 100,000 or more consumers during a calendar year, excluding data processed solely for completing payment transactions, or
- Process personal data of 25,000 or more consumers and derive over 25% of gross revenue from the sale of personal data
Small businesses as defined by the U.S. Small Business Administration receive limited exemptions but must still obtain consent before selling sensitive data, including biometric data.
Key Exemptions
The MCDPA exempts several categories of entities and data from coverage:
Entity exemptions:
- HIPAA-covered entities and their business associates
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Nonprofit organizations
- Government agencies
- Postsecondary institutions regulated by the Office of Higher Education (exempt until July 31, 2029)
Data exemptions:
- Data regulated under HIPAA
- Data governed by the Fair Credit Reporting Act (FCRA)
- Data covered by the Family Educational Rights and Privacy Act (FERPA)
- Data under the Driver's Privacy Protection Act (DPPA)
Employee data exemption. The MCDPA does not apply to personal data collected about job applicants, employees, or individuals acting as business representatives when that data is processed in the context of the employment relationship. If your employer collects your fingerprints for a timekeeping system or uses facial recognition for building access, the MCDPA does not regulate that collection. Minnesota does not have a separate law governing employer use of biometric data.
Consumer Rights Over Biometric Data
Because biometric data is sensitive personal data under the MCDPA, Minnesota consumers have these rights under Minn. Stat. 325M.14:
Right to confirm and access. You can ask any covered business whether it is processing your biometric data and request access to that data. However, controllers are not required to disclose biometric data itself in response to access requests. Instead, they must inform you that they have collected such information.
Right to correct. If a business holds inaccurate biometric data about you, you can request a correction.
Right to delete. You can request that a business delete the biometric data it holds about you.
Right to data portability. You can obtain a copy of your personal data in a portable and readily usable format.
Right to opt out. You can opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling that produces legal or similarly significant effects.
Right to non-discrimination. Businesses cannot penalize you for exercising any of these rights by denying goods or services, charging different prices, or providing a different quality of service.
Businesses must respond to consumer rights requests within 45 days. They can extend this period by an additional 45 days when reasonably necessary, but must notify the consumer of the extension and the reason for it.
Data Protection Assessments for Biometric Data
Controllers that process sensitive data, including biometric data, must conduct data protection assessments under Minn. Stat. 325M.18. These assessments must weigh the benefits of processing against potential risks to consumers, including:
- Unfair or deceptive treatment or unlawful disparate impact
- Financial, physical, or reputational injury
- Intrusion upon solitude or seclusion
- Other substantial injury
Controllers must also establish and maintain reasonable administrative, technical, and physical data security practices proportional to the volume and nature of the biometric data they process. The Minnesota Attorney General can request these assessments during an investigation.
Breach Notification and Biometric Data
Minnesota's separate breach notification law at Minn. Stat. 325E.61 requires businesses to notify affected individuals when a security breach compromises unencrypted personal information. However, the statute's definition of personal information is limited to Social Security numbers, driver's license or ID numbers, and financial account numbers with security codes.
Biometric data is not explicitly listed as a category of personal information triggering breach notification under Minn. Stat. 325E.61. This creates a gap in Minnesota's data protection framework. A breach that exposes biometric data alone, without an accompanying Social Security or financial account number, may not trigger the breach notification requirement under the older statute.
The MCDPA's data security requirements under Minn. Stat. 325M.16 provide a separate layer of protection by requiring controllers to maintain reasonable security practices for all personal data, including biometric data. A failure to maintain adequate security could still lead to AG enforcement under the MCDPA, even if the breach notification statute does not apply.
Enforcement and Penalties
The Minnesota Attorney General has exclusive enforcement authority over the MCDPA under Minn. Stat. 325M.20. There is no private right of action, meaning individual consumers cannot file lawsuits against businesses for MCDPA violations.
Enforcement resources. The legislature appropriated funding for four new attorneys and one investigator in the AG's office dedicated to MCDPA enforcement. The AG's office received over 200 MCDPA complaints in the first six months of the law and sent dozens of warning letters to companies identifying problems with privacy policies and procedures.
Cure period (expired). From July 31, 2025, through January 31, 2026, the law required the AG to notify businesses in writing of alleged violations and provide 30 days to cure. This grace period expired on January 31, 2026. Since February 2026, the AG can bring enforcement actions immediately without advance notice.

Penalties. The AG can initiate civil actions against businesses that violate the MCDPA with penalties of up to $7,500 per violation. Multiple violations involving biometric data collection without consent could result in substantial aggregate penalties.
Pending Minnesota Biometric Legislation
Several bills in the 94th Minnesota Legislature (2025-2026) could expand biometric privacy protections:
HF 3661 would prohibit government entities from acquiring or using facial recognition technology. Introduced in February 2026, it was referred to the House Judiciary Finance and Civil Law Committee.
SF 3270 would require express written consent for biometric data collection in places of public accommodation, using a broader definition that includes facial features, gestures, and movements.
HF 4131 would address surveillance-based price and wage discrimination, defining "surveillance data" to include biometric information. If passed, it would take effect August 1, 2026.
None of these bills have advanced beyond committee referral as of March 2026.
How Minnesota Compares to Other States
Minnesota's approach to biometric privacy falls in the middle of the spectrum among U.S. states:
Stronger than states with no protections. Many states still lack any specific biometric data protections. Minnesota's classification of biometric data as sensitive data requiring consent, combined with active AG enforcement, puts it ahead of states with no comprehensive privacy law.
Weaker than dedicated biometric privacy laws. States like Illinois, Texas, and Washington have standalone biometric privacy statutes with specific requirements for notice, consent, retention schedules, and data destruction. Illinois's BIPA includes a private right of action that has produced billions in litigation and settlements.
Similar to other comprehensive privacy law states. Minnesota's approach closely mirrors Kentucky, Connecticut, Indiana, and Montana, which all classify biometric data as sensitive data within their comprehensive consumer privacy frameworks and require opt-in consent for processing.
Notable gap. Unlike states with dedicated biometric breach notification provisions, Minnesota's breach notification statute (Minn. Stat. 325E.61) does not explicitly cover biometric data, leaving a potential gap when breaches involve biometric information without other personal identifiers.
Sources and References
This article references Minnesota statutes and official state government publications. For the full text of the MCDPA, visit the Minnesota Revisor of Statutes. For guidance on consumer rights and filing complaints, visit the Minnesota Attorney General's MCDPA page.
This article provides general legal information about Minnesota biometric privacy laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official Minnesota government sources.
- Minnesota Consumer Data Privacy Act (Chapter 325M) (revisor.mn.gov)
- Minn. Stat. 325M.11 - MCDPA Definitions (revisor.mn.gov)
- Minn. Stat. 325M.12 - Applicability (revisor.mn.gov)
- Minn. Stat. 325M.14 - Consumer Rights (revisor.mn.gov)
- Minn. Stat. 325M.16 - Controller Obligations (revisor.mn.gov)
- Minn. Stat. 325M.18 - Data Protection Assessments (revisor.mn.gov)
- Minn. Stat. 325M.20 - Enforcement (revisor.mn.gov)
- HF 4757 - MCDPA Bill (revisor.mn.gov)
- Minn. Stat. 325E.61 - Breach Notification (revisor.mn.gov)
- AG Ellison - MCDPA Takes Effect (ag.state.mn.us)
- AG Ellison - MCDPA Full Enforcement (ag.state.mn.us)
- Minnesota AG - Consumer Data Privacy (ag.state.mn.us)
- HF 3661 - Facial Recognition Ban (revisor.mn.gov)
- SF 3270 - Biometric Consent in Public Accommodations (revisor.mn.gov)
- HF 4131 - Surveillance-Based Discrimination (revisor.mn.gov)