Iowa Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Iowa provides two layers of protection for biometric data. The Iowa Consumer Data Protection Act (ICDPA) treats biometric identifiers as sensitive data subject to disclosure and opt-out requirements. Separately, the state's breach notification law requires companies to alert consumers when biometric records are exposed in a data breach.
Neither law is as strong as dedicated biometric privacy statutes in states like Illinois or Texas. Iowa's approach relies on opt-out rather than opt-in consent, and enforcement rests solely with the Attorney General.
For the full picture of Iowa's privacy framework, see the parent guide to [Iowa Data Privacy Laws](/us-laws/data-privacy-laws/iowa-data-privacy-laws).
How Iowa Defines Biometric Data
Under Iowa Code 715D.1, biometric data means data generated by automatic measurements of an individual's biological characteristics that is used to identify a specific individual. The statute lists these examples:
- Fingerprints
- Voiceprints
- Eye retinas and irises
- Other unique biological patterns or characteristics
The definition explicitly excludes physical or digital photographs, video or audio recordings (and data generated from them), and information collected, used, or stored for health care treatment, payment, or operations under HIPAA.
Biometric data falls under the broader category of "sensitive data" in the ICDPA when it is processed for the purpose of uniquely identifying a natural person. Other categories of sensitive data include racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship or immigration status, genetic data, data from known children, and precise geolocation data.
The ICDPA's Biometric Data Requirements

Opt-Out, Not Opt-In
This is the most important distinction between Iowa and stronger biometric privacy states. Under Iowa Code 715D.4, a data controller that processes sensitive data (including biometric data) must provide the consumer with clear notice and an opportunity to opt out of that processing.
Iowa does not require affirmative opt-in consent. A business can begin processing your fingerprint or facial geometry data as long as it tells you about it and gives you a way to say no. In contrast, states like Colorado, Connecticut, and Virginia require consumers to opt in before sensitive data processing begins.
For data collected from a known child, the ICDPA requires compliance with the federal Children's Online Privacy Protection Act (COPPA) rather than using the standard opt-out framework.
Who the ICDPA Applies To
The ICDPA applies to businesses that conduct business in Iowa or produce products or services targeted to Iowa consumers and that during a calendar year either:
- Control or process the personal data of at least 100,000 Iowa consumers, or
- Control or process personal data of at least 25,000 consumers and derive more than 50% of gross revenue from selling personal data
Iowa Code 715D.2 exempts several categories of entities, including state and local government bodies, financial institutions subject to the Gramm-Leach-Bliley Act, entities covered by HIPAA, nonprofits, and institutions of higher education.
Consumer Rights Over Biometric Data
Under Iowa Code 715D.3, Iowa consumers have the right to:
- Confirm and access whether a controller is processing their personal data, including biometric data, and obtain a copy of that data
- Delete personal data the consumer provided to the controller
- Opt out of the sale of personal data or the processing of personal data for targeted advertising
Notably, Iowa does not grant consumers the right to correct inaccurate personal data, which most other state privacy laws include. Consumers also cannot appeal a controller's decision regarding their data rights request through the controller itself.
Data Controller Duties
Controllers that handle biometric data must:
- Limit collection to what is adequate, relevant, and reasonably necessary for the disclosed purpose
- Adopt reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the data
- Avoid processing personal data for purposes not reasonably necessary or compatible with the disclosed purpose without obtaining consumer consent
- Publish a clear and accessible privacy notice that describes the categories of personal data processed, the purpose for processing, how consumers can exercise their rights, and whether the controller sells data or uses it for targeted advertising
Iowa's Breach Notification Law and Biometric Data
Iowa's second layer of biometric protection comes from Iowa Code Chapter 715C, the Personal Information Security Breach Protection Act.
This law defines personal information to include "unique biometric data" alongside Social Security numbers, driver's license numbers, and financial account numbers. A breach of security involving biometric records triggers mandatory notification obligations.
Notification Requirements
Any person who owns or licenses computerized data containing an Iowa consumer's personal information must notify affected consumers following discovery of a breach. Key requirements include:
- Timing: Notification must occur as expediently as possible and without unreasonable delay
- Attorney General notification: Breaches affecting 500 or more Iowa residents require written notice to the Iowa Attorney General within five business days after notifying affected individuals
- Content: Notification must describe the breach, the type of information compromised, and steps the entity is taking in response
- Method: Notice can be provided in writing, electronically (with consent), or through substitute notice if the cost exceeds $250,000 or affected individuals exceed 350,000
This means that even if a business is exempt from the ICDPA (because it falls below the processing thresholds), it must still notify consumers if their biometric data is compromised in a breach.

Employer Use of Biometric Data
The ICDPA does not contain employer-specific exemptions for biometric data collection. If an employer meets the processing thresholds and collects biometric data such as fingerprints for time clocks or facial recognition for facility access, the opt-out notice requirements apply.
However, the practical impact is limited. Many Iowa employers fall below the 100,000-consumer processing threshold. The ICDPA also exempts data processed in an employment context when it is processed in accordance with applicable federal or state employment laws.
Iowa does not currently have a standalone law that requires employers to obtain written consent before collecting biometric data, establish retention schedules, or provide a private right of action for employees whose biometric data is mishandled.
Enforcement and Penalties

The Iowa Attorney General has exclusive enforcement authority under the ICDPA. Under Iowa Code 715D.8:
- The AG may seek an injunction and civil penalties of up to $7,500 per violation
- Before bringing an action, the AG must provide the business with a 90-day cure period to address the alleged violation
- If the business cures the violation within 90 days and provides the AG with an express written statement that the violation has been cured and that no further violations will occur, no action may be brought
There is no private right of action under the ICDPA. Individual consumers cannot sue businesses directly for violations related to biometric data handling. This is a significant limitation compared to Illinois's Biometric Information Privacy Act (BIPA), which allows individuals to recover $1,000 to $5,000 per violation.
For breach notification violations under Chapter 715C, the Attorney General may also bring enforcement actions.
Pending Legislation: SSB 3085

The Iowa Legislature is considering Senate Study Bill 3085, which would create a dedicated biometric data statute with stronger protections than the ICDPA currently provides.
What SSB 3085 Would Require
If enacted, the bill would require private entities to:
- Develop written retention policies available to the public, limiting storage to three years after the final interaction with the individual or until the original collection purpose has been satisfied
- Obtain informed written consent before collecting biometric data, including disclosing the specific purpose and length of time the data will be retained
- Never sell, lease, trade, or otherwise profit from an individual's biometric data
- Store and transmit biometric data using reasonable security measures equivalent to or more protective than the methods used for passwords and account access credentials
Penalties Under SSB 3085
The Department of Inspections, Appeals, and Licensing would oversee enforcement with escalating penalties:
- First violation: $1,000
- Second violation: $5,000
- Third or subsequent violation: $10,000
- A 30-day cure period would be allowed for initial violations
Employer Exemption
The bill exempts employers that use employee biometric data solely within the scope of employment. This would allow continued use of fingerprint time clocks and biometric access systems at work without triggering the consent and retention requirements.
SSB 3085 was introduced in the 91st General Assembly, which runs through January 2027. It has not yet advanced past the study bill stage.
How Iowa Compares to Other States
Iowa occupies a middle tier for biometric privacy protection. Here is how the state stacks up:
- Illinois has the strongest protections in the country through BIPA, with informed written consent requirements and a private right of action allowing $1,000 to $5,000 per violation
- Texas and Washington have biometric-specific statutes with attorney general enforcement but no private right of action
- Colorado, Connecticut, and Virginia require opt-in consent for processing biometric data under their comprehensive privacy laws
- Iowa requires only notice and opt-out for biometric data under the ICDPA, making it one of the weaker comprehensive privacy laws on this issue
- States without protections, such as Georgia, have no biometric data provisions in either a comprehensive privacy law or a breach notification statute
This article provides general legal information about Iowa biometric privacy laws. It is not legal advice. Laws and regulations change frequently, and this content may not reflect the most recent developments. Consult a qualified attorney licensed in Iowa for advice about your specific situation.
Sources and References
- Iowa Code Chapter 715D - Consumer Data Protections (legis.iowa.gov)
- Iowa Code Chapter 715C - Personal Information Security Breach Protection (legis.iowa.gov)
- Senate File 262 - Enrolled (ICDPA) (legis.iowa.gov)
- Gov. Reynolds Signs SF 262 into Law (governor.iowa.gov)
- Iowa Attorney General - Security Breach Notifications (iowaattorneygeneral.gov)
- Senate Study Bill 3085 - Biometric Data Requirements (legis.iowa.gov)