Iowa data privacy law to take effect January 1, 2025
Iowa has joined an increasing number of states in adopting a comprehensive data privacy law. The Iowa Senate and House unanimously passed Senate File 262 (SF 262), which was subsequently signed into law by the governor. Iowa’s version will not impose hefty compliance burdens on businesses that are already operating in compliance with existing comprehensive privacy laws. For example, if an entity is already compliant with the California Privacy Rights Act, the entity’s privacy policy will largely align with the requirements under Iowa’s variation.
Iowa’s data privacy law follows suit with recent legislation from Colorado, Connecticut, Utah and Virginia, but has some notable differences. Missing from Iowa’s new privacy law are certain consumer protection provisions found in other states, such as a private right of action, the right to correct personal data, and the right to opt out of targeted advertising. Moreover, entities are not required to conduct data protection assessments or to practice data minimization. Thus, Iowa’s act moves the state toward comprehensive privacy legislation but is far from the most consumer-protective version of it.
As the law is not set to take effect until January 1, 2025, a number of states will likely propose or pass legislation echoing recent comprehensive data privacy measures, filling the space not currently occupied by a federal omnibus data privacy law. Four additional state legislatures are reviewing proposed privacy laws: Hawaii, New Jersey, Oklahoma and Kentucky.
Key provisions of Iowa's data privacy law
The law provides specific requirements for controllers of personal data (entities that determine the purpose and means of processing personal data) and processors (entities that process personal data on behalf of a controller). An entity is subject to SF 262 if, in a calendar year, it controls or processes the personal data of at least 100,000 Iowa consumers, or if it controls or processes the personal data of at least 25,000 Iowa consumers and derives over 50% of its gross revenue from the sale of personal data.
Iowa defines “personal data” to mean “any information that is linked or reasonably linkable to an identified or identifiable natural person.” Furthermore, Iowa defines “sensitive data” as a category of personal data that includes “racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status…”, “genetic or biometric data that is processed for the purpose of uniquely identifying a natural person”, and “precise geolocation data.” Also included in this definition, notably, is “personal data collected from a known child”.
Section 3, titled “Consumer data rights”, gives consumers various rights that they may exercise by request to the controller: to confirm whether the controller is processing the consumer’s personal data and to access that personal data, to delete personal data provided by the consumer, to obtain a copy of the personal data (subject to exceptions), and to opt out of the sale of personal data. A parent or legal guardian may invoke these rights on behalf of a child regarding the processing of the child’s personal data.
Section 4, titled “Data controller duties”, outlines various security requirements imposed on controllers, including the adoption and implementation of reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Controllers are also required to provide privacy notices, which must include particular elements such as:
- The categories of personal data processed,
- The purpose for processing the data,
- How consumers may exercise their data privacy rights under Section 3,
- The categories of personal data the controller shares with third parties (if any), and
- The categories of third parties (if any) with whom the controller shares personal data.
Iowa authorizes the Iowa Attorney General to enforce the law, and the Attorney General may seek injunctive relief or monetary relief, including a civil penalty of up to $7,500 per violation. Notably, before the Attorney General may commence an enforcement action, an entity suspected of violating SF 262 must be given written notice and a 90-day period to cure the alleged violation.