Idaho Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Idaho is one of the majority of U.S. states without a dedicated law governing biometric data. Residents who clock in with a fingerprint, unlock a phone with facial recognition, or provide a retina scan to access a secure facility have limited state-level protections for that data.

This guide covers what Idaho law currently does and does not address when it comes to biometric information, the pending legislation that could change the picture, and what protections exist right now.

For broader context on Idaho's overall privacy framework, see the parent guide to [Idaho Data Privacy Laws](/us-laws/data-privacy-laws/idaho-data-privacy-laws).

What Counts as Biometric Data

Biometric data includes unique physical or behavioral characteristics used to identify a person. Common examples include fingerprints, facial geometry (the measurements used by facial recognition systems), iris and retina scans, voiceprints, palm prints, and hand geometry.

States that regulate biometric data typically define these identifiers in statute and set rules for how organizations handle them. Idaho has not taken that step.

Pending House Bill 744 would define a "biometric identifier" as a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry. That definition aligns closely with the approach taken by Illinois BIPA and Texas CUBI.

Idaho's Current Legal Framework

Breach Notification Law (Idaho Code 28-51-104 et seq.)

Idaho's primary data security law is the Identity Theft/Data Breach Notification Act, codified at Idaho Code 28-51-104 through 28-51-107. This law requires businesses and government agencies to notify Idaho residents when a security breach compromises their personal information.

However, the statute defines "personal information" under Idaho Code 28-51-104 as an individual's name combined with one or more of the following:

• Social Security number
• Driver's license or Idaho identification card number
• Financial account, credit card, or debit card numbers (with required security codes or passwords)

Biometric data such as fingerprints, facial scans, and voiceprints are not included in this definition. A data breach that exposes only biometric records would not trigger notification obligations under current Idaho law.

Penalties for intentional failure to notify reach up to $25,000 per breach under Idaho Code 28-51-107. Public agencies must notify the Idaho Attorney General within 24 hours of discovering a breach.

Consumer Protection Act (Idaho Code 48-601 et seq.)

Idaho's Consumer Protection Act prohibits unfair and deceptive trade practices. While the statute does not reference biometric data specifically, a business that made false promises about how it collects or protects biometric information could face enforcement action under this law.

The Idaho Attorney General enforces the Consumer Protection Act. Individual consumers do not have a private right of action for biometric data misuse under this statute.

Student Data Protections (Idaho Code 33-133)

Idaho does protect biometric data in one specific context: education. The Student Data Accessibility, Transparency and Accountability Act (SDATAA) includes a student's "biometric record" in its definition of personally identifiable student data.

Under this law:

• Student biometric information may not be included in a student's educational record
• Schools must obtain written parental consent before private vendors can use individual student data for secondary purposes
• Schools cannot use "affective computing" technologies that analyze facial expressions, EEG brain wave patterns, or other biometric signals through statewide assessments (with limited exceptions for special needs students)

This protection is narrow. It applies only to K-12 educational settings and does not extend to private employers, commercial businesses, or government agencies outside of education.

Law Enforcement Fingerprinting (Idaho Code 67-3004)

Idaho law governs the collection and use of fingerprints by law enforcement under Idaho Code 67-3004. When a person is arrested for a retainable offense, the arresting agency must collect fingerprints and submit them to the state bureau for identification.

The statute includes provisions for shielding fingerprint records from public disclosure when a court determines a person is eligible and public safety would not be compromised. This applies only to law enforcement records and does not affect private-sector fingerprint collection.

No Employer-Specific Biometric Rules

Idaho does not restrict employers from collecting fingerprints, facial scans, or other biometric data from workers. Businesses that use biometric time clocks, fingerprint-based door access, or facial recognition for security are not required by state law to:

• Obtain written consent before collecting biometric data
• Disclose how biometric data will be stored or used
• Establish retention schedules or destruction timelines
• Limit sharing of biometric data with third parties

This stands in sharp contrast to states like Illinois, where the Biometric Information Privacy Act requires informed written consent and imposes statutory damages of $1,000 to $5,000 per violation.

Pending Legislation

Senate Bill 1066 (2025) - Failed

Senate Bill 1066 would have expanded Idaho's breach notification law to include biometric data as protected personal information. The bill also would have required businesses to offer 12 months of free credit monitoring after a breach and mandated notification "without unreasonable delay."

S1066 passed the Idaho Senate and crossed over to the House. However, it was retained on General Orders on April 4, 2025, and did not advance further. The bill is considered dead for the 2025 session.

House Bill 744 (2026) - Pending

House Bill 744 is the most significant biometric privacy proposal currently under consideration in Idaho. Introduced on February 20, 2026, the bill would create Chapter 21, Title 48 of Idaho Code to regulate the commercial capture and use of biometric identifiers.

Key provisions include:

• Consent requirement: A person may not capture a biometric identifier for a commercial purpose without first informing the individual and receiving consent
• Restrictions on sharing: Companies possessing biometric data face limitations on selling, leasing, or disclosing it, with exceptions for identification during disappearance or death, completing authorized financial transactions, legal compliance, and law enforcement purposes
• Data security and destruction: The bill requires enhanced security measures and mandatory destruction of biometric data after specified periods
• Penalties: Civil penalties of up to $25,000 per violation, enforceable by the Idaho Attorney General
• Government exemption: The bill applies only to commercial activities and does not restrict government capture or use of biometric information

As of March 2026, H0744 has been referred to the House Environment, Energy & Technology Committee and has not yet received a committee hearing.

Federal Protections That Apply in Idaho

Because Idaho lacks a state biometric privacy law, federal statutes provide the primary guardrails for biometric data in most contexts.

Section 5 of the FTC Act allows the Federal Trade Commission to bring enforcement actions against companies engaged in unfair or deceptive practices involving biometric data. The FTC has taken action against companies for deceptive facial recognition practices and inadequate biometric data security.

HIPAA protects biometric data when collected or used by covered healthcare entities and their business associates. Fingerprint or facial recognition data in a healthcare setting falls under the HIPAA Privacy Rule.

FERPA restricts how educational institutions handle student biometric data, complementing Idaho's own SDATAA protections at the federal level.

COPPA imposes strict requirements on collecting biometric data from children under 13, including parental consent requirements enforced by the FTC.

How Idaho Compares to Other States

Idaho falls into one of the least protective tiers for biometric privacy. For comparison:

• Illinois has the strongest biometric law in the country (BIPA), with a private right of action and statutory damages of $1,000 to $5,000 per violation
• Texas and Washington have biometric-specific statutes enforced by their attorneys general
• States with comprehensive privacy laws (like Colorado, Connecticut, and Virginia) classify biometric data as sensitive and require consent for processing
• Idaho has no biometric-specific protections and no comprehensive privacy law currently in effect

If H0744 passes, Idaho would join the small group of states with standalone biometric privacy legislation. However, the bill's government exemption and lack of a private right of action would place it below Illinois in terms of enforcement strength.

More Idaho Laws

• Idaho Recording Laws
• Idaho Data Privacy Laws
• Idaho Whistleblower Laws
• Idaho Recording Laws
• Idaho Recording Laws
• Idaho Lemon Laws
• Idaho Data Privacy Laws
• Idaho Recording Laws

This article provides general legal information about Idaho biometric privacy laws. It is not legal advice. Laws and regulations change frequently, and this content may not reflect the most recent developments. Consult a qualified attorney licensed in Idaho for advice about your specific situation.