Iowa Passes Data Privacy Law: What You Need to Know to Be Compliant

Iowa joined the privacy club last week when it passed a comprehensive consumer data privacy law, officially joining the five trendsetting states: California, Colorado, Virginia, Connecticut, and Utah.

The bill, SF 262, titled “An Act relating to consumer data protection,” passed unanimously and surprisingly quickly. Introduced in the Iowa State Senate only two months ago, the law passed the Senate on March 6. Just over a week later, on March 15, the Iowa data privacy law passed the Iowa House of Representatives. The governor is expected to sign the bill into law any day, at which point the Iowa privacy law’s effective date will be January 1st, 2025.

Will Iowa’s Law Impose a Heavy Compliance Burden?

The Iowa Privacy Act is not expected to impose a heavy compliance burden on organizations that already comply, or are on the way to complying, with other state privacy laws. In practice, a company that has already drafted a privacy policy compliant with the CCPA or the VCDPA will not have to amend that policy to include additional items specified by the Iowa legislature.

Modeled closely on Utah’s UCPA, the bill competes with Utah’s privacy law for the title of most business-friendly comprehensive privacy law. Critics say it was drafted with tech companies in mind; indeed, the Technology Association of Iowa welcomed the passage of SF 262. Critics of the Iowa privacy law go so far as to claim that it essentially offloads the responsibility for privacy protection onto the individual, with almost no substantive limitations on how companies collect or process data.

Which Entities Are Covered By the Bill?

The bill would regulate all entities that conduct business in Iowa, or produce a product or service targeted at residents of Iowa, and meet one of these two thresholds during a given calendar year:

  1. the entity controls or processes the personal data of over 100,000 Iowa residents; or
  2. the entity controls or processes the personal data of over 55,000 Iowa residents and derives over 50% of its gross revenue from the “sale” of personal data.

Broad Exemptions to the Iowa Privacy Law

Higher education institutions, non-profit organizations, financial institutions regulated by the GLBA, HIPAA-covered entities, and institutions whose data is already regulated by the Fair Credit Reporting Act (FCRA) are all exempt from this bill.

Additionally, the bill does not apply to personal information that is publicly available, such as information that has been made broadly public by the data subject.

The law states that controllers and processors of personal data should not be prevented from processing that personal data for certain specified purposes, such as internal research, product improvement, and security operations.

What Consumer Rights Are Protected under the Iowa Privacy Law?

Under the Iowa Privacy Law, consumers are defined as Iowa residents acting only in an individual, noncommercial, or household context. Personal data is defined as information linked or reasonably linkable to an identified or identifiable consumer.

The Iowa Privacy Law grants the following rights to consumers, subject to authentication of the consumer request:

  • Right to confirm processing and access personal data
  • Right to delete personal data provided by the consumer
  • Right to obtain a copy of the personal data provided by the consumer and processed by automated means (but excluding personal data that is “personal information” as defined in Iowa’s data breach notification law)
  • Right to opt-out of sale (for a monetary consideration) of personal data to a third party
  • Right to opt out of targeted advertising

Like the Utah Consumer Privacy Act, under Iowa’s law, consumers do not have the right to correct inaccuracies in their personal data. This stands in contrast to broader rights provided to consumers under the California, Connecticut, Colorado, and Virginia privacy laws that do give consumers the right to correct inaccuracies in their personal information. 

When a consumer requests to exercise their rights under the law, controllers must respond within 90 days and may extend that time frame by a further 45 days where reasonably necessary, provided they give a justification. This stands in contrast to the 45-day deadline in other states, which likewise allow an additional 45-day extension for reasonable justifications.

Controllers are also required to establish a procedure for consumers to appeal when a controller refuses to act on a consumer’s request to exercise a privacy right, with the appeal to be filed within a reasonable amount of time after the consumer is notified of the controller’s decision.

What Obligations Apply to Controllers and Processors?

Privacy Policies

A controller must make available a privacy policy that explains the following to the consumer:

  • the categories of personal data processed,
  • the purposes for processing,
  • how consumers can exercise their data privacy rights,
  • the categories of personal data the controller shares with third parties, if any,
  • the categories of third parties, if any, with whom the controller shares personal data, and
  • whether the controller sells consumer personal data to third parties or engages in targeted advertising.

Notify Consumers Prior to Sensitive Data Processing

Businesses must give consumers notice and the ability to opt out prior to processing their sensitive data. Sensitive data is a subcategory of personal data and consists of the following:

  • information revealing racial or ethnic origin
  • religious beliefs
  • mental or physical health diagnosis
  • sexual orientation
  • citizenship or immigration status
  • genetic or biometric data that is processed for the purpose of uniquely identifying a natural person
  • personal data collected from a known child
  • precise geolocation

Discrimination

Consumers shall not be discriminated against for exercising any of their rights under the bill. Denying goods or services, or charging a different price or providing a different level of quality of goods or services, are examples of discrimination.

Processor and Controller Contracts

The law requires that processors and controllers execute a contract governing the processor’s services, which are provided at the direction of the controller, including the scope of that processing.

What Constitutes the “Sale” of Data Under the Iowa Bill?

SF 262 adopts a narrow definition of “sale,” limiting the term to the exchange of personal data for monetary consideration only, similar to the privacy legislation in Virginia and Utah.

Enforcement

Under the Iowa Act Relating to Consumer Data Protection, the Attorney General of Iowa would have sole enforcement authority and be authorized to impose civil penalties of up to $7,500 for each violation, regardless of whether it was willful. Before taking enforcement action against a controller or processor, the AG must give written notice and a 90-day window, or “cure period,” to give the controller or processor a chance to remedy the violation.

Centraleyes State Privacy Tracker

Stay with Centraleyes as we bring you updated information on the latest additions to US comprehensive state privacy laws.
