This bill establishes new regulations for private entities regarding the collection, retention, and protection of biometric data in Iowa. It defines biometric data and biometric identifiers, outlining what falls under these terms and what does not (writing samples and photographs, for example, are excluded). Private entities are required to create a written policy detailing how long they will retain biometric data; retention cannot extend beyond three years after the last interaction with the subject or beyond the point at which the purpose of collection is fulfilled. Additionally, entities must inform individuals in writing about the collection of their biometric data, its intended use, and its retention period. The bill also prohibits selling or profiting from biometric data and mandates that entities protect this data using industry-standard methods.
The enforcement of these regulations falls under the Department of Inspections, Appeals, and Licensing (DIAL), which is tasked with seeking injunctive relief for violations and establishing a reporting mechanism for individuals. Civil penalties are imposed for violations, starting at $1,000 for the first offense and escalating to $10,000 for subsequent violations. The bill clarifies that it does not apply to employers using biometric data solely within the scope of employment and does not create a private right of action. Overall, the legislation aims to enhance the protection of individuals' biometric information while providing a framework for accountability among private entities.