Senate Study Bill 3085 - Introduced

SENATE FILE _____
BY (PROPOSED COMMITTEE ON TECHNOLOGY BILL BY CHAIRPERSON McCLINTOCK)

A BILL FOR

An Act relating to private entity requirements concerning biometric data, and providing civil penalties.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 5870XC (4) 91 dg/jh
S.F. _____

Section 1. NEW SECTION. 554J.1 Definitions.

1. “Biometric data” means any information about or based on an individual’s biometric identifier.

2. a. “Biometric identifier” means an individual’s retina, iris, fingerprint, voice, hand, facial geometry, or other physical feature that is described by all of the following:

(1) The feature is inherently tied to a specific individual.

(2) The feature is considered permanent, difficult to replicate, and remains relatively stable over time.

(3) The feature is unique enough to identify a person with a high degree of accuracy.

b. “Biometric identifier” does not include any of the following:

(1) Writing samples, written signatures, and similar products.

(2) Photographs.

(3) Biological samples used for scientific testing or screening.

(4) Demographic data.

(5) Physical descriptions including but not limited to tattoo descriptions, height, weight, eye color, and hair color.

(6) Information gained from an individual’s health care treatment, including but not limited to biological samples taken from an individual.

(7) A biometric scan, mammography, X ray, roentgen process, computed tomography, magnetic resonance imaging, positron emission tomography scan, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or medical condition, or used for scientific testing or screening.

3. “Department” means the department of inspections, appeals, and licensing.

4. “Private entity” means any nongovernmental entity or group.

5. “Subject” means an individual to whom particular biometric data pertains.
Sec. 2. NEW SECTION. 554J.2 Biometric data.

1. a. A private entity in possession of biometric data shall develop a written policy to establish a schedule for how long the private entity will retain biometric data before the private entity destroys the biometric data.

b. A written policy shall be available to the public.

c. A private entity shall not retain biometric data for more than three years after the subject of the biometric data last interacts with the private entity or until the purposes for which the biometric data was collected have been accomplished, whichever is longer.

2. A private entity shall not collect, capture, purchase, or otherwise obtain an individual’s biometric data unless, prior to receiving the biometric data, the private entity does all of the following:

a. Informs the subject of the biometric data, or the subject’s legal representative, in writing, that the private entity intends to collect the subject’s biometric data.

b. Informs the subject of the biometric data, or the subject’s legal representative, in writing, of the purposes and length of time for which the private entity intends to retain the biometric data.

3. A private entity shall not sell, lease, trade, or otherwise profit from an individual’s biometric data.

4. A private entity shall store, transmit, and protect biometric data using reasonable methods that are widely accepted within the private entity’s industry and are equivalent to, or more protective than, the manner in which the private entity protects passwords and other information that can be used to provide access to an individual’s account or property.

Sec. 3. NEW SECTION. 554J.3 Limitations.

This chapter shall not apply to an employer that uses an employee’s biometric data solely within the scope of the employee’s employment.
Sec. 4. NEW SECTION. 554J.4 Enforcement —— penalties —— rules.

1. The department shall enforce this chapter and may seek injunctive relief for a violation of this chapter.

2. The department shall establish electronic means for an individual to report a violation of this chapter.

3. If a private entity in violation of this chapter has not previously violated this chapter, the department shall send notice to the private entity informing the private entity of the violation and allowing the private entity thirty calendar days to cure the violation.

4. A private entity that violates this chapter is subject to the following civil penalties:

a. One thousand dollars for a first violation.

b. Five thousand dollars for a second violation, regardless of whether the private entity cured a first violation within the time allowed under subsection 3.

c. Ten thousand dollars for a third or subsequent violation.

5. Civil penalties collected under this section shall be deposited into the general fund of the state.

6. The department shall adopt rules pursuant to chapter 17A to implement and enforce this chapter.

Sec. 5. NEW SECTION. 554J.5 Interpretation.

1. This chapter shall not be construed to affect the admission or discovery of biometric data in a court action or in an administrative action under chapter 17A.

2. This chapter shall not be construed to affect a contractor, subcontractor, or agent of a government entity while the contractor, subcontractor, or agent is acting in the capacity for which the government entity employed or contracted the contractor, subcontractor, or agent.

3. This chapter shall not be construed to create a private right of action.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to private entity requirements concerning biometric data.

The bill defines “biometric data” as any information about or based on an individual’s biometric identifier.

The bill defines “biometric identifier” as an individual’s retina, iris, fingerprint, voice, hand, facial geometry, or other physical feature that is inherently tied to a specific individual; is considered permanent, difficult to replicate, and remains relatively stable over time; and is unique enough to identify a person with a high degree of accuracy. The bill lists several instances of what is not included within the definition of “biometric identifier”.

The bill also defines “department”, “private entity”, and “subject”.

The bill requires each private entity in possession of biometric data to develop a written policy to establish a schedule for how long the private entity will retain biometric data before the private entity destroys the biometric data. The written policy must be available to the public, and the private entity cannot retain biometric data for more than three years after the subject of the biometric data last interacts with the private entity or until the purposes for which the biometric data was collected have been accomplished, whichever is longer.

The bill prohibits a private entity from collecting, capturing, purchasing, or otherwise obtaining an individual’s biometric data unless, prior to receiving the biometric data, the private entity informs the subject of the biometric data, or the subject’s legal representative, in writing, that the private entity intends to collect the subject’s biometric data, and for what purposes and length of time the private entity intends to retain the biometric data.
The bill prohibits a private entity from selling, leasing, trading, or otherwise profiting from an individual’s biometric data.

The bill requires a private entity to store, transmit, and protect biometric data using reasonable methods that are widely accepted within the private entity’s industry and are equivalent to, or more protective than, the manner in which the private entity protects passwords and other information that can be used to provide access to an individual’s account or property.

The bill does not apply to an employer that uses an employee’s biometric data solely within the scope of the employee’s employment.

The bill requires the department of inspections, appeals, and licensing (DIAL) to enforce the bill and seek injunctive relief for a violation of the bill.

The bill requires DIAL to establish electronic means for an individual to report a violation of the bill.

If a private entity in violation of the bill has not previously violated the bill, the bill requires DIAL to send notice to the private entity to inform the private entity of the violation and allow the private entity 30 calendar days to cure the violation.

A private entity that violates the bill is subject to a $1,000 civil penalty for a first violation; a $5,000 civil penalty for a second violation, regardless of whether the private entity cured a first violation; and a $10,000 civil penalty for a third or subsequent violation. Collected civil penalties shall be deposited into the general fund of the state.

The bill shall not be construed to affect the admission or discovery of biometric data in a court action or in an administrative action under Code chapter 17A; to affect a contractor, subcontractor, or agent of a government entity while the contractor, subcontractor, or agent is acting in the capacity for which the government entity employed or contracted the contractor, subcontractor, or agent; or to create a private right of action.