Back to Minnesota

SF5221 • 2026

Geolocation data provisions establishment

Geolocation data provisions establishment

Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
Lucero
Last action
2026-04-27
Official status
Introduction and first reading
Effective date
Not listed

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

Geolocation data provisions establishment

Geolocation data provisions establishment

What This Bill Does

  • Geolocation data provisions establishment

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Bill History

  1. 2026-04-27 House

    Introduction and first reading

Official Summary Text

Geolocation data provisions establishment

Current Bill Text

Read the full stored bill text
A bill for an act

relating to consumer data privacy; governing certain geolocation data; providing

civil penalties; proposing coding for new law in Minnesota Statutes, chapter 325M.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

Section 1.

new text begin

[325M.40] GEOLOCATION DATA; USE; LIMITATIONS.

new text end

new text begin

Subdivision 1.

new text end

new text begin

Definitions.

new text end

new text begin

(a) For purposes of this section, the following terms have

the meanings given.

new text end

new text begin

(b) "Collect" means buying, renting, gathering, obtaining, receiving, accessing, or

otherwise acquiring personal data by any means.

new text end

new text begin

(c) "Consumer" means an individual who is a resident of Minnesota. Consumer does

not include an individual acting: (1) in a commercial or employment context; or (2) as an

employee, owner, director, officer, or contractor of a company, partnership, sole

proprietorship, nonprofit entity, or government agency whose communications or transactions

with the controller occur solely within the context of the individual's role with the company,

partnership, sole proprietorship, nonprofit entity, or government agency.

new text end

new text begin

(d) "Controller" has the meaning given in section 325M.11, paragraph (h).

new text end

new text begin

(e) "Device" means a physical object that is capable of directly or indirectly connecting

to the Internet or another device.

new text end

new text begin

(f) "Personal data" has the meaning given in section 325M.11, paragraph (p).

new text end

new text begin

(g) "Precise geolocation data" means information derived from technology, including

but not limited to latitude and longitude coordinates from global positioning system

mechanisms or other similar positional data, that reveals with precision and accuracy within

a radius of 1,750 feet the past or present physical location of (1) an individual, or (2) a

device that identifies, is linked, or is reasonably linkable to one or more individuals. Precise

geolocation data does not include the content of a communication, photograph, or video

unless the content is used to identify an individual's or device's precise geolocation.

new text end

new text begin

(h) "Process" or "processing" has the meaning given in section 325M.11, paragraph (q).

new text end

new text begin

(i) "Processor" means a person who collects, processes, or transfers personal data on

behalf and at the direction of a controller or another processor.

new text end

new text begin

(j) "Sale of personal data" has the meaning given in section 325M.11, paragraph (u).

new text end

new text begin

(k) "Third party" means a person that collects personal data from another person who

is not (1) the consumer to whom the data pertains, or (2) a processor with respect to the

data.

new text end

new text begin

Subd. 2.

new text end

new text begin

Consumer protections.

new text end

new text begin

(a) A controller that collects a consumer's precise

geolocation data must, in the controller's publicly accessible privacy notice, inform the

consumer that the consumer's precise geolocation data is being collected. The privacy notice

must also include:

new text end

new text begin

(1) the type of precise geolocation data collected, including the data's precision level;

new text end

new text begin

(2) the goods or services the consumer requested that are the basis for the controller to

collect, process, or disclose the consumer's precise geolocation data, including a description

of how the controller processes the precise geolocation data for the purposes indicated in

this clause;

new text end

new text begin

(3) whether the controller is collecting, processing, or disclosing precise geolocation

data to prevent or respond to security incidents, fraud, harassment, malicious or deceptive

activities, or illegal activity, including a description of how the controller processes the

precise geolocation data for the purposes indicated in this clause; and

new text end

new text begin

(4) disclosures describing the precise geolocation data necessary to provide the goods

or services requested by the consumer, including the identity of each third party to whom

the precise geolocation data is disclosed.

new text end

new text begin

(b) In addition to providing notice under paragraph (a), a controller that collects a

consumer's precise geolocation data must prominently display a notice that informs the

consumer that the consumer's precise geolocation data is being collected. The notice must

be provided to the consumer at the time or before collection occurs.

new text end

new text begin

(c) A controller or processor is prohibited from:

new text end

new text begin

(1) collecting or processing more precise geolocation data than is necessary to provide

the goods or services requested by the consumer;

new text end

new text begin

(2) retaining precise geolocation data for more time than is necessary to provide the

goods or services requested by the consumer or more than one year after the date the

consumer last intentionally interacted with the controller, whichever occurs first; or

new text end

new text begin

(3) selling, trading, or leasing precise geolocation data to a third party.

new text end

new text begin

(d) Notwithstanding paragraph (c), a controller or processor may collect or process

precise geolocation data that is necessary to: (1) prevent or respond to security incidents,

fraud, harassment, malicious or deceptive activities, or illegal activity targeted at the

consumer; or (2) enable the controller or processor to investigate, report, or prosecute a

person responsible for an action identified in clause (1). A controller or processor is

prohibited from retaining precise location information collected and processed under this

subdivision for more than 90 days, except as required under law. A controller or processor

is prohibited from using precise location information collected and processed under this

subdivision for any other purpose.

new text end

new text begin

(e) Notwithstanding paragraph (c), a controller or processor may use precise geolocation

data to perform services on behalf of the controller or processor, including maintaining or

servicing accounts, providing customer service, processing or fulfilling orders and

transactions, verifying customer information, processing payments, providing financing,

providing storage, or providing similar services on behalf of the controller or processor. A

controller or processor is prohibited from using precise location information collected and

processed under this subdivision for any other purpose.

new text end

new text begin

Subd. 3.

new text end

new text begin

Enforcement.

new text end

new text begin

A consumer injured by a violation of subdivision 2 may bring

a civil action against the party that commits the violation. In a civil action brought under

this subdivision, the court may award the injured consumer one or more of the following:

new text end

new text begin

(1) damages in an amount not less than $5,000 per individual per violation, as adjusted

annually to reflect an increase in the Consumer Price Index, or actual damages, whichever

is greater;

new text end

new text begin

(2) punitive damages;

new text end

new text begin

(3) injunctive relief, including an order that an entity retrieved personal data transferred

in violation of this section;

new text end

new text begin

(4) declaratory relief; or

new text end

new text begin

(5) reasonable attorney fees and litigation costs.

new text end