WeVote

Bill

Bill

SSB 3085

A bill for an act relating to private entity requirements concerning biometric data, and providing civil penalties.

2025-2026 Regular Session

The bill regulates private biometric data handling by requiring consent, notices, data minimization, safeguards, third-party controls, and civil penalties for violations.

Subcommittee recommends passage.
0
WeVote Research Nonpartisan
Bill Summary · SSB 3085

Summary of SSB 3085 (Iowa 2025-2026)

Purpose and intent

SSB 3085 establishes private entity requirements concerning biometric data and creates civil penalties for violations. The bill aims to regulate how private organizations collect, store, use, and disclose biometric information (such as fingerprints, facial recognition, and other unique biological identifiers) to protect individuals’ privacy and provide remedies for infringements.

Key provisions and changes

  • Definitions: Clarifies what constitutes biometric data (e.g., fingerprints, voiceprints, facial geometry, iris/retinal patterns) and identifies covered entities and data processing activities. Likely differentiates between consumer-facing businesses and other entities.

  • Consent and notice: Private entities may be required to obtain informed consent before collecting biometric data and to provide clear notices about collection purposes, data use, retention periods, and third-party disclosures. Notices may need to include the process for withdrawal of consent.

  • Data minimization and retention: Imposes limits on collection to that which is necessary for the stated purpose and sets retention schedules, after which biometric data must be securely destroyed or anonymized unless a longer retention is legally justified.

  • Security standards: Requires reasonable administrative, technical, and physical safeguards to protect biometric data from unauthorized access, breach, or disclosure. May reference industry standards or establish baseline protections (encryption, access controls, incident response planning).

  • Disclosure and sharing: Governs when biometric data may be shared with third parties (e.g., service providers, contractors) and may require data processing agreements, along with prohibitions on selling or using data for purposes not disclosed.

  • Civil penalties and enforcement: Establishes a framework for civil penalties for violations. This could include fines per violation or per affected individual, with potential statutory caps and enforcement by a state attorney general or dedicated privacy enforcement body. The bill may also specify remedial actions, such as mandatory corrective measures or injunctive relief.

  • Exemptions: Likely lists exemptions (for example, data processed for employee records under other state laws, government entities, or specific regulated industries) or circumstances where consent is not required.

  • Private right of action: The bill may authorize individuals to sue private entities for violations, specify statute-of-limitations periods, and outline remedies (damages, injunctive relief, and attorney’s fees).

  • Effective date and transitional provisions: Establishes when the law takes effect and any grace periods for compliance, including deadlines for implementing privacy notices, security measures, and retention policies.

Who would be affected

  • Private sector entities that collect or process biometric data from customers, employees, or contractors in Iowa. This includes retailers, app developers, service providers, healthcare or financial entities, and any organization handling biometric identifiers.

  • Vendors and contractors who process biometric data on behalf of covered entities, due to data processing and data security requirements.

  • Individuals whose biometric data is collected, stored, or used, as they gain new protections and potential avenues for civil redress.

Procedural and timeline aspects

  • Legislative steps: The bill was introduced and referred to the Technology committee. A subcommittee conducted hearings, with an administrative schedule indicating a meeting on February 4, 2026, and a subcommittee recommendation for passage on that date.

  • Advancement in committee: As of the latest action, the subcommittee recommended passage, signaling potential progress toward full chamber consideration.

  • Potential implementation schedule: If enacted, the bill would specify an effective date and phased deadlines for compliance steps (privacy notices, security measures, retention policies, and enforcement mechanisms).

This summary captures the bill’s core aims to regulate private biometric data handling, define protections and responsibilities for entities, and establish civil penalties for noncompliance. For exact language, definitions, and penalty amounts, refer to the bill’s official text and any amended provisions that may accompany final floor action.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.