WeVote

Bill

Bill

SF 5221

Geolocation data provisions establishment

2025-2026 Regular Session Introduced by Eric Lucero

Minnesota would require clear disclosure and strict limits on collecting, retaining, and selling precise geolocation data, with a private right of action and damages for violations

Referred to Commerce and Consumer Protection
0
WeVote Research Nonpartisan
Bill Summary · SF 5221

Summary of SF 5221 (2025-2026) – Geolocation Data Provisions Establishment (Minnesota)

Purpose and intent

  • Establishes new statutory provisions governing the collection, processing, retention, and disclosure of precise geolocation data in Minnesota.
  • Creates a framework of consumer protections related to geolocation data, with civil remedies for violations.

Key definitions (Section 325M.40)

  • Definitions relevant to geolocation data, including:
    • Collect: acquiring personal data by any means.
    • Consumer: a Minnesota resident, with certain exclusions for individuals acting in a commercial/employment context or within specific organizational roles.
    • Controller: as defined in Minnesota Statutes, § 325M.11, (h).
    • Device: Internet-enabled object capable of connecting to the Internet or another device.
    • Personal data, precise geolocation data: data that can pinpoint an individual’s or device’s location within a 1,750-foot radius; excludes content of communications unless used to identify precise geolocation.
    • Processor, third party, sale of personal data: as defined in the broader 325M framework.

Substantive protections for consumers (Section 325M.40, Subd. 2)

  • When a controller collects precise geolocation data, it must publicly disclose in its privacy notice:
    • The fact that precise geolocation data is being collected.
    • The type and precision level of the data.
    • The goods or services requested that justify collection, and how processing/disclosure occurs for those purposes.
    • Whether collection/processing/disclosure is to prevent or respond to security incidents, fraud, harassment, malicious or deceptive activities, or illegal activity, with a description of processing for those purposes.
    • Descriptions of disclosures to third parties necessary to provide goods or services.
  • Controllers must prominently display a notice at or before collection indicating that precise geolocation data is being collected (privacy notice visibility requirement).

Limitations on collection, retention, and use (Subd. 2, Subparts c–e)

  • Prohibitions:
    • Do not collect or process more precise geolocation data than necessary for the requested goods or services.
    • Do not retain precise geolocation data for longer than necessary to provide the goods/services, or for more than one year after the consumer’s last intentional interaction (whichever comes first).
    • Do not sell, trade, or lease precise geolocation data to a third party.
  • Exceptions allowing limited processing without violating the prohibitions:
    • Necessary to prevent or respond to security incidents, fraud, harassment, malicious/deceptive activities, or illegal activity targeting the consumer, or to investigate/report/prosecute responsible parties.
    • Retention for up to 90 days for these purposes (unless required by law).
    • Use is allowed to enable the controller or processor to investigate, report, or prosecute the person responsible for the activity described (subject to the 90-day retention limit).
  • Permitted uses for service-related activities:
    • Controllers/processors may use precise geolocation data to perform services on behalf of the controller or processor (e.g., account maintenance, customer service, order processing/fulfillment, verification, payments, storage, etc.), provided it is used only for those purposes.

Enforcement and remedies (Subd. 3)

  • Private right of action: a consumer harmed by a violation may sue the responsible party.
  • Available remedies in a civil action include:
    • Damages: at least $5,000 per individual per violation, adjusted annually for CPI, or actual damages, whichever is greater.
    • Punitive damages.
    • Injunctive relief (including orders to retrieve or return violated data).
    • Declaratory relief.
    • Reasonable attorney’s fees and litigation costs.

Practical impact and who is affected

  • Affects entities that collect precise geolocation data from Minnesota residents (controllers and processors under the bill’s framework).
  • Places explicit transparency requirements in privacy notices and imposes strict limits on collection, retention, and sale of precise geolocation data.
  • Provides Minnesota consumers with a private right of action and the potential for damages for violations.
  • The 1,750-foot precision standard defines what is considered “precise” geolocation for the purposes of this law.
  • Exemptions and allowances align with legitimate business needs (e.g., security, fraud prevention, service delivery) but with strict retention caps (maximum 90 days for certain purposes) and a general prohibition on long-term retention and sale.

Procedural and timeline aspects

  • Introduced and referred on 2026-04-27 to the Commerce and Consumer Protection committee.
  • As drafted, creates new law under Minnesota Statutes, chapter 325M (geolocation data provisions).
  • No enacted effective date is listed in the provided text; typical next steps would involve committee analysis, potential amendments, and floor votes, followed by passage or rejection in both chambers and possible gubernatorial action.

If you’d like, I can compare SF 5221 to existing Minnesota consumer data privacy provisions or outline potential compliance steps for businesses.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.