Iowa Governor Signs Data Privacy Act into Law

Firm Publication

On March 28, Iowa Governor Kim Reynolds signed into law an Iowa consumer privacy act (SF 262), making the state the sixth to adopt what is generally considered a comprehensive consumer privacy law. The law takes effect on January 1, 2025, but for those complying with other states’ frameworks, compliance with this law should not require significant further action. It contains many of the same protections and regulations enacted by other states, including the Virginia Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (CPA), but it may be the most user-friendly law to date.

Similarities Between Iowa’s Protections and Other States

Like other states, Iowa’s consumer privacy law applies to entities (known as controllers) that determine how personal data is to be processed and that conduct business in the state of Iowa or produce products or services that are targeted to consumers who are residents of the state and that during the preceding calendar year have either:

  • Controlled or processed the personal data of 100,000 or more Iowa residents (consumers), or
  • Controlled or processed the personal data of at least 25,000 consumers and derived 50% of its gross revenue from the sale of personal data.

Iowa’s law contains provisions granting consumers the right to do the following:

  1. Know and confirm whether a controller is processing their personal data.
  2. Access a copy of such data or request the deletion of such data.
  3. Opt out of the sale of and targeted advertising based on such personal data.

Additionally, there are several other provisions in Iowa’s law regarding controller obligations that likewise mirror other states’ laws:

  • Controllers must privately and securely process consumer requests to opt out of the sale of personal data.
  • Controllers must give consumers a reasonably accessible and clear privacy notice informing them how personal data is used and disclosed, the purposes of that use and disclosure, and methods for consumers to exercise their rights.
  • Controllers must limit all personal data collected, used, or retained to what is necessary for purposes described in its privacy notice.
  • Controllers also must adopt reasonable administrative, technical, and physical measures to protect the confidentiality, integrity and accessibility of personal data.
  • Controllers who sell personal data to third parties or engage in targeted advertising must give consumers the right to opt out of the activity.
  • Consumers maintain the right to be free from discrimination based on an exercise of their rights, the right to deletion, and the right to data portability.

Notable User-Friendly Differences

While the Iowa law reflects many of the provisions of similar laws in other states, it often takes a more restrained approach toward what is required of covered businesses including, for example:

  • Covered businesses are not required to correct inaccuracies in personal data, conduct data protection assessments or practice data minimization beyond complying with their privacy notices.
  • Covered businesses are not required to recognize opt-out signals or give opt outs for profiling.
  • Notice to consumers is required for a controller to process sensitive data, and rather than the opt-in approach taken by other states (requiring active consent), consumers must choose to opt out of such processing under Iowa’s law.
  • There is no right for consumers to appeal a denial to take action by a covered business.

Enforcement

Although not granted any rulemaking authority, the Iowa Attorney General (AG) is granted exclusive authority to enforce a violation of the law but is required to provide 90 days’ notice to allow the covered businesses subject to investigation the right to cure. The right to cure does not sunset and contains the longest notice period currently offered by any state, underscoring the law’s more favorable approach toward businesses. Many companies already complying with other states’ privacy laws may be able to also comply with the Iowa law by extending their privacy practices to the state.

If you have questions about the Iowa consumer privacy law and how it could affect you or your business, please contact the authors.

Related Professionals
Related Services
Firm Publication

On March 28, Iowa Governor Kim Reynolds signed into law an Iowa consumer privacy act (SF 262), making the state the sixth to adopt what is generally considered a comprehensive consumer privacy law. The law takes effect on January 1, 2025, but for those complying with other states’ frameworks, compliance with this law should not require significant further action. It contains many of the same protections and regulations enacted by other states, including the Virginia Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (CPA), but it may be the most user-friendly law to date.

Similarities Between Iowa’s Protections and Other States

Like other states, Iowa’s consumer privacy law applies to entities (known as controllers) that determine how personal data is to be processed and that conduct business in the state of Iowa or produce products or services that are targeted to consumers who are residents of the state and that during the preceding calendar year have either:

  • Controlled or processed the personal data of 100,000 or more Iowa residents (consumers), or
  • Controlled or processed the personal data of at least 25,000 consumers and derived 50% of its gross revenue from the sale of personal data.

Iowa’s law contains provisions granting consumers the right to do the following:

  1. Know and confirm whether a controller is processing their personal data.
  2. Access a copy of such data or request the deletion of such data.
  3. Opt out of the sale of and targeted advertising based on such personal data.

Additionally, there are several other provisions in Iowa’s law regarding controller obligations that likewise mirror other states’ laws:

  • Controllers must privately and securely process consumer requests to opt out of the sale of personal data.
  • Controllers must give consumers a reasonably accessible and clear privacy notice informing them how personal data is used and disclosed, the purposes of that use and disclosure, and methods for consumers to exercise their rights.
  • Controllers must limit all personal data collected, used, or retained to what is necessary for purposes described in its privacy notice.
  • Controllers also must adopt reasonable administrative, technical, and physical measures to protect the confidentiality, integrity and accessibility of personal data.
  • Controllers who sell personal data to third parties or engage in targeted advertising must give consumers the right to opt out of the activity.
  • Consumers maintain the right to be free from discrimination based on an exercise of their rights, the right to deletion, and the right to data portability.

Notable User-Friendly Differences

While the Iowa law reflects many of the provisions of similar laws in other states, it often takes a more restrained approach toward what is required of covered businesses including, for example:

  • Covered businesses are not required to correct inaccuracies in personal data, conduct data protection assessments or practice data minimization beyond complying with their privacy notices.
  • Covered businesses are not required to recognize opt-out signals or give opt outs for profiling.
  • Notice to consumers is required for a controller to process sensitive data, and rather than the opt-in approach taken by other states (requiring active consent), consumers must choose to opt out of such processing under Iowa’s law.
  • There is no right for consumers to appeal a denial to take action by a covered business.

Enforcement

Although not granted any rulemaking authority, the Iowa Attorney General (AG) is granted exclusive authority to enforce a violation of the law but is required to provide 90 days’ notice to allow the covered businesses subject to investigation the right to cure. The right to cure does not sunset and contains the longest notice period currently offered by any state, underscoring the law’s more favorable approach toward businesses. Many companies already complying with other states’ privacy laws may be able to also comply with the Iowa law by extending their privacy practices to the state.

If you have questions about the Iowa consumer privacy law and how it could affect you or your business, please contact the authors.

In Case You Missed It:

  • Kentucky Gallops into the Privacy Race: Kentucky’s New Consumer Data Privacy Law
    April 15, 2024 | Firm Publication
  • CISA Publishes Proposed Rule for Cyber Reporting
    April 10, 2024 | Firm Publication
  • David Wilson Examines the Applicability of Law to Artificial Intelligence and Nonhumans
    April 4, 2024 | Virginia Journal of Law & Technology