Almost one year to the day after Utah enacted the Utah Consumer Privacy Act (“UCPA”), Iowa is one signature (Governor Kim Reynolds’) away from enacting the sixth comprehensive consumer data privacy law, joining California, Colorado, Virginia, Connecticut, and Utah.
The bill – the “Act relating to consumer data protection” (available here) – moved fast. Introduced in the Iowa State Senate on January 23, 2023, the State Senate passed it unanimously on March 6th and, just nine days later, the Iowa House of Representatives unanimously passed it on March 15th.
Iowa’s (almost) new privacy law (“Iowa Privacy Law”), which will become Chapter 715D of the Iowa Code, is most similar to the UCPA and relatively business-friendly, with one influential consumer advocacy group opposing the law as “weak”. Following are some FAQs about key features of the Iowa Privacy Law.
When is the Iowa Privacy Law in effect?
Assuming Governor Reynolds signs it (or takes no action on it after three days), the Iowa Privacy Law will go into effect on January 1, 2025.
Whose privacy rights are protected by the Iowa Privacy Law?
The Iowa Privacy Law protects the “personal data” of “consumers”. Consumers are Iowa residents acting only in an individual or household context. Only California’s privacy law provides privacy rights to employees (including applicants and former employees) and individuals in a B2B context. Personal data means information linked or reasonably linkable to a consumer.
What organizations are subject to the Iowa Privacy Law?
An entity “conducting business” in Iowa or “producing products or services that are targeted to Iowa residents” is subject to the Iowa Privacy Law if, during a calendar year, the entity either (1) controls or processes the personal data of at least 100,000 consumers, or (2) controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data. A “controller” is the business that determines the purpose and means of processing personal data, and a “processor” processes personal data on behalf of a controller.
The Iowa Privacy Law does not apply to non-profit organizations, HIPAA covered entities, HIPAA protected health information, or financial institutions regulated by GLBA (among other exclusions).
What rights are available for consumers under the Iowa Privacy Law?
The Iowa Privacy Law grants the following rights to consumers, subject to authentication of the consumer request:
- Right to confirm processing and access personal data
- Right to delete personal data provided by the consumer
- Right to obtain a copy of the personal data provided by the consumer and processed by automated means (but excluding personal data that is “personal information” as defined in Iowa’s data breach notification law)
- Right to opt-out of sale (for monetary consideration) of personal data to a third party
- Right to opt-out of targeted advertising
Like UCPA (but unlike the California, Connecticut, Colorado and Virginia privacy laws), the Iowa Privacy Law does not provide consumers the right to correct inaccuracies in their personal data.
Controllers must respond to consumer privacy rights requests within 90 days, with a possible extension of 45 days when reasonably necessary.
A controller also must establish a process for consumers to appeal the controller’s refusal to act on a privacy rights request within a reasonable period of time after the consumer’s receipt of the controller’s decision. Within sixty days of receipt of the appeal, the controller must inform the consumer in writing of any action taken or not taken, including an explanation of the reasons for that decision. If the appeal is denied, the controller must provide the consumer with an “online mechanism through which the consumer may contact the Iowa Attorney General” to submit a complaint.
What other key obligations apply to businesses under the Iowa Privacy Law?
> Role-Based Processing: The Iowa Privacy Law follows the same role-based processing model as the other state privacy laws, requiring a controller to have a contract with its processors.
> Sensitive Data Processing: Businesses must give consumers notice and the ability to opt-out prior to processing their sensitive data. Sensitive data is a subset of personal data consisting of: information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status; genetic or biometric data that is processed for the purpose of uniquely identifying a natural person; personal data collected from a known child; and precise geolocation.
Data protection assessments are not part of the business obligations listed in the Iowa Privacy Law.
What are the consequences of not complying with the Iowa Privacy Law?
After a ninety-day cure period, the Iowa Attorney General can issue injunctions and civil penalties of up to $7,500 for each violation not cured during the cure period. No private right of action is available.
The Iowa Privacy Law will become part of the Criminal Law and Procedure Title of the Iowa Code – after Iowa’s data breach notification law (Chapter 715C) – but criminal penalties are not part of the Iowa Attorney General’s enforcement powers.
Are regulations forthcoming under the Iowa Privacy Law?
The Iowa Privacy Law does not provide for future rulemaking, so the governor’s signature will result in the final text.
* * * * *
Businesses that have developed compliance programs for the five state consumer privacy laws will not face materially new obligations other than to extend the rights to Iowa consumers. Meanwhile, other states also are considering consumer privacy legislation and Congress continues to debate federal privacy legislation, including whether a federal privacy law will set a floor or a ceiling for privacy rights and/or offer a private right of action.