On March 29, 2023, Iowa became the sixth state to pass a comprehensive privacy law, joining Connecticut, Utah, Virginia, Colorado, and California. SF 262, "An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions," will become effective on January 1, 2025, giving covered businesses 21 months to comply with the new law. While the law is similar in many respects to other state laws (particularly Utah's), there are some important differences with which businesses should become familiar as they prepare to comply.

Key Takeaways:

  • No new compliance obligations – The law does not create new or unique substantive requirements or obligations separate from those required by other state laws, which should ease the compliance burden for organizations that have already designed governance programs around these existing laws.
  • More "business friendly" – Like Utah's privacy law, Iowa's law has been described as more "business friendly" than other states' laws. There is no private right of action, the law includes a 90-day cure period to correct violations, and it does not require businesses to conduct data protection or privacy risk assessments.

Other key provisions of the Act are described in more detail below.

Scope

The Act applies to individuals and entities that conduct business in Iowa or that produce products or services targeted to Iowa consumers; and that in the preceding calendar year, controlled or processed the personal data of at least: (a) 100,000 Iowa consumers; or (b) 25,000 Iowa consumers, if the individual or entity derived more than 50% of their gross revenue from the sale of personal data. The law does not have a revenue threshold so businesses of any size that meet the above requirements must comply.

Unlike California's privacy laws, Iowa defines "consumer" as a natural person who is a resident of the state acting only in an individual and household context and excludes those acting in a commercial or employment context. Likewise, personal data is defined as any information linked or reasonably linked to an identified or identifiable natural person. The law also uses terms like "data controller" and "data processor," which will be familiar to entities subject to the EU's General Data Protection Regulation (GDPR).

Exemptions:

Like other state privacy laws, Iowa exempts personal data covered by existing federal laws, such as HIPAA, the Children's Online Privacy Protection Act (COPPA), FERPA, the Driver's Privacy Protection Act, and the Farm Credit Act. It further exempts health records, human subjects research data covered by federal law or other standards, and data processed or maintained for employment purposes.

  • Additionally, the law does not apply to government and state entities, financial institutions, or affiliates subject to the Gramm-Leach-Bliley Act, entities that are subject to and comply with HIPAA and the HITECH Act, nonprofit organizations, and institutions of higher education.

Consumer Rights

The Act provides consumers with four main rights:

  1. The Right to Access: Consumers have the right to confirm whether a controller is processing their personal data and to access that data, subject to an exception if the data would reveal trade secrets.
  2. The Right to Delete: Consumers have the right to request deletion of any personal data that they provided to controllers. Unlike Colorado and Connecticut, the law does not require deletion of data obtained about a consumer from other sources.
  3. The Right to Portability: Consumers have the right to obtain a copy of their personal data, except when that data is subject to security breach protection or if it was previously provided to the controller in a portable and readily usable format that allows the consumer "to transmit the data to another controller without hindrance, where the processing is carried out by automated means."
  4. The Right to Opt Out of Sales: Consumers have the right to opt out of the sale of personal data. The Act defines "sale of personal data" as the exchange of personal data for monetary consideration by the controller to a third party. "Sale" does not include disclosure of data to a processor, disclosure to a controller to fulfill a consumer request, disclosure made by a consumer to a public channel, or internal transfers (including mergers and acquisitions). Unlike Colorado, Connecticut, and Virginia, the opt-out right does not apply to pseudonymized data.

Notably, the law does not include a right to correct personal data or rights to opt out of automated processing, such as for targeted advertising or profiling purposes. Oddly, however, while there is no explicit right to opt out of targeted advertising, the law nonetheless requires controllers to "clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity." It is not clear if this inconsistency is a drafting error.

Data Controller Duties

The Act also prescribes additional obligations for covered entities that are similar to the other five state privacy laws. Unlike California, Colorado, Connecticut, and Virginia, the Act does not require covered entities to perform data protection or privacy risk assessments.

  • Data Security: Controllers must implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and availability of personal data. The law also specifies that the practices must be appropriate to the volume and nature of the personal data implicated.
  • Sensitive Data: Controllers must not process sensitive data for a nonexempt purpose without providing consumers with clear notice and an opportunity to opt out of the processing. If the sensitive data belongs to a known child, the processing must comply with the Children's Online Privacy Protection Act (COPPA). Categories of sensitive data include racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status (unless used to avoid prohibited discrimination), genetic or biometric data used for purposes of identification, personal data collected from a known child, and precise geolocation data.
  • Nondiscrimination: Controllers are prohibited from processing personal data in a manner that violates state and federal laws that prohibit unlawful discrimination against consumers. Controllers must also not discriminate against consumers for exercising their rights within the Act.
  • Transparency: Controllers must provide consumers with a privacy notice that includes: (a) the categories of personal data processed by the controller; (b) the purpose for processing personal data; (c) how consumers may exercise their consumer rights pursuant to the Act; (d) the categories of personal data that the controller shares with third parties, if any; and (e) the categories of third parties, if any, with whom the controller shares personal data.

Enforcement

Like the laws in Colorado, Connecticut, Virginia, and Utah, the Act does not provide a private right of action. The Iowa Attorney General is exclusively tasked with enforcement of the Act. The Act provides a 90-day cure period following written notice by the Attorney General to an accused party; after that period, the Attorney General may commence a civil action and seek civil penalties of up to $7,500 for each violation of the law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.