On March 29, 2023, Iowa became the latest in a small but growing number of states to enact comprehensive data privacy legislation. Like its counterpart laws in California, Connecticut, Colorado, Utah and Virginia, Iowa’s data privacy law – formally titled “An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions” (“IDPL”) – provides a detailed framework regulating the collection and use of consumer personal data, and affords consumers various rights as to data collected about them. Fortunately, many of the requirements imposed by the IDPL, which goes into effect on January 1, 2025, are largely similar to those applicable in the other five states, and especially those in Connecticut, Colorado, Utah and Virginia.
Entities That are Covered
The IDPL applies to any person (or entity) that conducts business in Iowa or targets products or services to consumers that are residents of the state; provided that, during a calendar year: (1) the entity controls or processes personal data of at least 100,000 Iowa consumers; or (2) the entity controls or processes personal data of at least 25,000 Iowa consumers and derives over 50% of gross revenue from the sale of personal data. Importantly, the IDPL does not contemplate an overall revenue threshold (unlike California and Utah), meaning that much smaller business may be subject to the law if there is sufficient interaction with Iowa consumers.
Information That is Covered
Under the IDPL, personal data is defined broadly to include any information linked or reasonably linkable to an identified or identifiable person. However, several important exceptions apply. Personal data excludes de-identified, aggregated data and publicly available information, as well as certain categories of information that are otherwise already regulated by federal law (e.g., the Health Insurance Portability and Accountability Act, the Children’s Online Privacy Protection Act (“COPPA”), the Family Educational Rights and Privacy Act, the Driver’s Privacy Protection Act, etc.). In addition, and importantly, Iowa has followed the example of other states (except California) and excluded from its scope any information collected about a person in an employment or business-to-business context.
As in other comprehensive data privacy laws, the IDPL affords heightened protection for “sensitive personal data,” which includes racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data of children (subject to the COPPA exclusion noted above), and precise geolocation data within a radius of 1,750 feet.
The IDPL imposes different obligations depending on the characteristics of the subject business and the information collected.
Controllers (entities that determine the purpose and means of processing personal data) bear the greatest burden. Their obligations include:
- Disclosure. The controller must provide a reasonably accessible, clear and meaningful privacy notice setting forth: (1) the categories of personal data processed; (2) the applicable business purpose; (3) the mechanism by which consumers can exercise their rights; (4) the categories of personal data that the controller shares with third parties; and (5) the categories of third parties with whom the controller shares personal data.
- Use Restriction. The controller is prohibited from using any personal data except in accordance with the disclosed business purposes.
- Security. The controller must implement data security processes that are appropriate to the volume and nature of the data collected.
- Consent. The controller must provide consumers a clear notice of and opportunity to “opt-out” of: (1) the processing of any “sensitive personal data”; and (2) any “sale” of personal data (i.e., the exchange of personal data for monetary consideration between the controller and a third party).
Processors (service providers that process personal data on a controller’s behalf) have fewer explicit obligations, but must assist controllers in complying with their obligations.
Moreover, the relationship between a controller and processor must be governed by a data processing agreement that, among other things, sets forth clear and detailed requirements regarding the processing and protection of personal data.
As in other states, the IDPL affords consumers various rights with respect to personal data collected about them and requires controllers to comply with and provide a mechanism for the exercise of those rights. These rights include:
- Right to Access. Consumers have the right to confirm whether a controller is processing their personal data and to access that data.
- Right to Delete. Consumers have the right to require the controller to delete the personal data they provided to the controller. This right only applies to personal data provided by the consumer; it does not apply to data the controller obtained from other sources. The IDPL provides, with certain exceptions, that if a controller declines to take action regarding a request, it shall inform the consumer without undue delay of the justification for declining to take action.
- Right to Data Portability. Consumers have the right to obtain a copy of the personal data they provided to the controller in a portable and readily usable format that allows the consumer “to transmit the data to another controller without hindrance.”
- Right to Opt Out. Consumers have the right to opt-out of sales of personal data and processing sensitive personal data for a nonexempt reason.
The IDPL vests the attorney general with sole authority to enforce the act through civil investigative demands. Unlike in California, there is no private right of action. When a violation occurs, the attorney general is required to give notice to the violator and 90 days to cure. If violations persist after 90 days, the attorney general may impose fines of up to $7,500 per violation.
The IDPL does not go into effect until January 1, 2025; however, businesses with any presence or substantial concentration of customers in Iowa should be cognizant of the requirements, and should begin reviewing their existing data privacy and security policies and procedures to evaluate whether changes must be made to ensure compliance with the IDPL.