IA SSB3085: A bill for an act relating to private entity requirements concerning biometric data, and providing civil penalties. Verified

Senate Study Bill 3085 outlines specific requirements for private entities that collect and manage biometric data. It mandates that entities develop a written policy detailing how long biometric data will be retained, which cannot exceed three years after the last interaction with the subject or until the data's purpose is fulfilled. Furthermore, entities must inform individuals about the collection and intended use of their biometric data in writing prior to obtaining it. The bill also prohibits the sale or profit from biometric data, ensuring that individuals' information is not commodified. Compliance is required from all private entities in possession of biometric data, with no specific deadline mentioned in the bill text. Non-compliance can lead to civil penalties, starting at $1,000 for a first violation and escalating to $10,000 for subsequent violations. However, the bill explicitly states it does not create a private right of action. The Department of Inspections, Appeals, and Licensing is tasked with enforcing these provisions, and it must send notice and allow 30 days to cure a first violation before imposing penalties. Key definitions in the bill include 'biometric data' and 'biometric identifier,' which are crucial for understanding the scope of the law. The bill does not apply to employers using biometric data solely within the employment context, which may limit its impact on certain sectors. Compared to similar laws in other states, this bill aligns with growing trends to regulate biometric data usage, reflecting increasing concerns over privacy and data security.