SSB-3085 · IA · State · USA
Status: Pending
Proposed Effective Date: 2025-07-01
Iowa Senate Study Bill 3085 — A bill for an act relating to private entity requirements concerning biometric data, and providing civil penalties
Summary

Iowa SSB 3085 regulates the collection, retention, sale, and protection of biometric data by private (nongovernmental) entities. Private entities must develop a publicly available written retention policy, provide written notice and purpose disclosure before collecting biometric identifiers, and destroy biometric data no later than three years after the subject's last interaction or upon fulfillment of the collection purpose. The bill prohibits selling, leasing, trading, or otherwise profiting from biometric data and requires industry-standard security protections. Enforcement is exclusively through the Department of Inspections, Appeals, and Licensing (DIAL), which may seek injunctive relief and impose escalating civil penalties ($1,000/$5,000/$10,000). The bill exempts employers using employee biometric data solely within the scope of employment and government contractors acting in their governmental capacity, and it expressly does not create a private right of action.

Enforcement & Penalties
Enforcement Authority
The Department of Inspections, Appeals, and Licensing (DIAL) is the designated enforcement agency. DIAL shall enforce the chapter and may seek injunctive relief for violations. DIAL must establish electronic means for individuals to report violations (complaint-driven intake). For first-time violators, DIAL must send notice and allow a 30-calendar-day cure period before penalties attach. No private right of action — the statute expressly provides it shall not be construed to create a private right of action.
Penalties
Civil penalties: $1,000 for a first violation; $5,000 for a second violation (regardless of whether the first violation was cured); $10,000 for a third or subsequent violation. DIAL may also seek injunctive relief. Civil penalties are deposited into the general fund of the state. There is no actual-harm requirement for civil penalties: a violation alone is sufficient.
Who Is Covered
"Private entity" means any nongovernmental entity or group.
Compliance Obligations (5 obligations)
D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics
§ 554J.2(2)(a)-(b)
Plain Language
Before collecting, capturing, purchasing, or otherwise obtaining any biometric data, a private entity must provide the subject (or the subject's legal representative) with written notice of two things: (1) that the entity intends to collect the subject's biometric data, and (2) the specific purposes for collection and the length of time the entity intends to retain the data. This is a pre-collection requirement — the notice must be delivered before the biometric data is received. The bill does not require affirmative opt-in consent; written notice alone satisfies the obligation.
Statutory Text
2. A private entity shall not collect, capture, purchase, or otherwise obtain an individual's biometric data unless, prior to receiving the biometric data, the private entity does all of the following:
a. Informs the subject of the biometric data, or the subject's legal representative, in writing, that the private entity intends to collect the subject's biometric data.
b. Informs the subject of the biometric data, or the subject's legal representative, in writing, of the purposes and length of time for which the private entity intends to retain the biometric data.
G-01 AI Governance Program & Documentation · G-01.3 · Deployer · Biometrics
§ 554J.2(1)(a)-(c)
Plain Language
Any private entity that possesses biometric data must develop a written retention and destruction policy establishing how long it will keep biometric data before destroying it. The policy must be publicly available. Regardless of what the policy states, the hard ceiling is three years after the subject's last interaction with the entity or until the original collection purpose has been fulfilled — whichever is longer. This creates three distinct obligations: (1) create a written policy, (2) make it publicly available, and (3) comply with the maximum retention period.
Statutory Text
1. a. A private entity in possession of biometric data shall develop a written policy to establish a schedule for how long the private entity will retain biometric data before the private entity destroys the biometric data.
b. A written policy shall be available to the public.
c. A private entity shall not retain biometric data for more than three years after the subject of the biometric data last interacts with the private entity or until the purposes for which the biometric data was collected have been accomplished, whichever is longer.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Biometrics
§ 554J.2(3)
Plain Language
Private entities are categorically prohibited from selling, leasing, trading, or otherwise deriving profit from any individual's biometric data. This is an absolute prohibition — no consent mechanism or opt-in can override it. The prohibition covers any commercial transaction or monetization arrangement involving biometric data, not just direct sales.
Statutory Text
3. A private entity shall not sell, lease, trade, or otherwise profit from an individual's biometric data.
Other · Biometrics
§ 554J.2(4)
Plain Language
Private entities must protect biometric data in storage and transmission using reasonable, industry-standard security methods. The security floor is set by how the entity already protects passwords and account-access credentials — biometric data must receive at least equivalent protection. This is a dual benchmark: the methods must be (1) widely accepted in the entity's industry and (2) at least as protective as the entity's own credential security practices.
Statutory Text
4. A private entity shall store, transmit, and protect biometric data using reasonable methods that are widely accepted within the private entity's industry and are equivalent to, or more protective than, the manner in which the private entity protects passwords and other information that can be used to provide access to an individual's account or property.
Other · Biometrics
§ 554J.3
Plain Language
The chapter as a whole does not apply to employers that use employee biometric data solely within the scope of employment. This is a complete exemption — if the biometric data use is limited to employment purposes (e.g., timekeeping, facility access), the employer is not subject to the notice, retention, commercialization, or security requirements. The exemption applies only when use is 'solely' within the scope of employment; any use outside that scope would bring the employer back within the chapter's coverage.
Statutory Text
This chapter shall not apply to an employer that uses an employee's biometric data solely within the scope of the employee's employment.