SSB-3085
IA · State · USA
Status: Pending
Iowa Senate Study Bill 3085 — A bill for an act relating to private entity requirements concerning biometric data, and providing civil penalties
Summary

Iowa SSB 3085 imposes obligations on private entities (any nongovernmental entity or group) that possess, collect, or obtain biometric data — defined as information about or based on an individual's biometric identifier (retina, iris, fingerprint, voice, hand, facial geometry, or other qualifying physical feature). Private entities must develop and publicly post a written retention and destruction policy, provide written notice to individuals before collecting their biometric data (including the purpose and retention period), refrain from selling or profiting from biometric data, and protect biometric data using industry-standard security methods. The bill exempts employers using employee biometric data solely within the scope of employment and government contractors acting in their governmental capacity. Enforcement is exclusively through DIAL, with escalating civil penalties and a 30-day cure period for first-time violations. No private right of action is created.
Enforcement & Penalties
Enforcement Authority
The Department of Inspections, Appeals, and Licensing (DIAL) enforces the chapter and may seek injunctive relief for violations. Enforcement is agency-initiated and complaint-driven — DIAL must establish electronic means for individuals to report violations. For first-time violators with no prior violations, DIAL must send notice and allow 30 calendar days to cure before imposing penalties. No private right of action is created.
Penalties
Escalating civil penalties: $1,000 for a first violation; $5,000 for a second violation (regardless of whether the first violation was cured within the cure period); $10,000 for a third or subsequent violation. DIAL may also seek injunctive relief. Civil penalties are deposited into the state general fund. No private damages or attorney fees — no private right of action is created.
Who Is Covered
"Private entity" means any nongovernmental entity or group.
Compliance Obligations (7 obligations)
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Biometrics
§ 554J.2(1)(a)-(c)
Plain Language
Any private entity that possesses biometric data must create a written retention and destruction policy specifying how long it will retain biometric data, make that policy publicly available, and destroy biometric data no later than three years after the individual's last interaction with the entity or when the collection purpose is accomplished, whichever is longer. This combines a data minimization and retention limit obligation with a public transparency requirement for the retention policy itself.
Statutory Text
1. a. A private entity in possession of biometric data shall develop a written policy to establish a schedule for how long the private entity will retain biometric data before the private entity destroys the biometric data.
b. A written policy shall be available to the public.
c. A private entity shall not retain biometric data for more than three years after the subject of the biometric data last interacts with the private entity or until the purposes for which the biometric data was collected have been accomplished, whichever is longer.
D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics
§ 554J.2(2)(a)-(b)
Plain Language
Before collecting, capturing, purchasing, or otherwise obtaining any individual's biometric data, a private entity must provide written notice to the individual (or their legal representative) of two things: (1) that the entity intends to collect the individual's biometric data, and (2) the specific purposes for and length of time the entity intends to retain that data. This is a pre-collection written notice requirement — collection cannot occur until the notice has been given. The bill does not require affirmative opt-in consent; written notice alone satisfies the obligation.
Statutory Text
2. A private entity shall not collect, capture, purchase, or otherwise obtain an individual's biometric data unless, prior to receiving the biometric data, the private entity does all of the following:
a. Informs the subject of the biometric data, or the subject's legal representative, in writing, that the private entity intends to collect the subject's biometric data.
b. Informs the subject of the biometric data, or the subject's legal representative, in writing, of the purposes and length of time for which the private entity intends to retain the biometric data.
D-01 Automated Processing Rights & Data Controls · Deployer · Biometrics
§ 554J.2(3)
Plain Language
Private entities are categorically prohibited from selling, leasing, trading, or otherwise profiting from any individual's biometric data. This is an absolute prohibition with no exceptions — there is no consent mechanism that would allow monetization of biometric data.
Statutory Text
3. A private entity shall not sell, lease, trade, or otherwise profit from an individual's biometric data.
Other · Deployer · Biometrics
§ 554J.2(4)
Plain Language
Private entities must store, transmit, and protect biometric data using security methods that meet two benchmarks: (1) the methods must be reasonable and widely accepted within the entity's industry, and (2) the methods must be at least as protective as those used to protect passwords and account-access information. This sets a floor at password-level security and requires industry-standard data protection practices for all biometric data in the entity's possession.
Statutory Text
4. A private entity shall store, transmit, and protect biometric data using reasonable methods that are widely accepted within the private entity's industry and are equivalent to, or more protective than, the manner in which the private entity protects passwords and other information that can be used to provide access to an individual's account or property.
Other · Biometrics
§ 554J.3; § 554J.5(2)
Plain Language
Two categories of biometric data use are excluded from the chapter: (1) an employer using employee biometric data solely within the scope of employment, and (2) contractors, subcontractors, or agents of government entities acting in their governmental capacity. These are scope limitations — entities falling within these carve-outs have no obligations under this chapter for the carved-out activities.
Statutory Text
This chapter shall not apply to an employer that uses an employee's biometric data solely within the scope of the employee's employment. ... 2. This chapter shall not be construed to affect a contractor, subcontractor, or agent of a government entity while the contractor, subcontractor, or agent is acting in the capacity for which the government entity employed or contracted the contractor, subcontractor, or agent.
Other · Biometrics
§ 554J.4(1)-(6)
Plain Language
This section establishes DIAL as the enforcement authority, authorizes injunctive relief, mandates an electronic complaint reporting system, provides a 30-day cure period for first-time violators, sets escalating civil penalties ($1,000 / $5,000 / $10,000), directs penalties to the state general fund, and grants DIAL rulemaking authority. These are enforcement infrastructure provisions — they describe how the chapter is enforced but do not impose independent compliance obligations on private entities beyond those in § 554J.2.
Statutory Text
1. The department shall enforce this chapter and may seek injunctive relief for a violation of this chapter.
2. The department shall establish electronic means for an individual to report a violation of this chapter.
3. If a private entity in violation of this chapter has not previously violated this chapter, the department shall send notice to the private entity informing the private entity of the violation and allowing the private entity thirty calendar days to cure the violation.
4. A private entity that violates this chapter is subject to the following civil penalties:
a. One thousand dollars for a first violation.
b. Five thousand dollars for a second violation, regardless of whether the private entity cured a first violation within the time allowed under subsection 3.
c. Ten thousand dollars for a third or subsequent violation.
5. Civil penalties collected under this section shall be deposited into the general fund of the state.
6. The department shall adopt rules pursuant to chapter 17A to implement and enforce this chapter.
Other · Biometrics
§ 554J.5(1), (3)
Plain Language
Two interpretive provisions: (1) the chapter does not limit the admissibility or discoverability of biometric data in court or administrative proceedings, and (2) the chapter does not create a private right of action. Neither provision imposes a new compliance obligation — they clarify what the chapter does not do.
Statutory Text
1. This chapter shall not be construed to affect the admission or discovery of biometric data in a court action or in an administrative action under chapter 17A. ... 3. This chapter shall not be construed to create a private right of action.