Publications

On March 15, 2023, the Iowa Legislature unanimously passed Senate File 262, a comprehensive data privacy bill set to expand protection of the personal data of Iowa consumers (“SF262”). Iowa Gov. Kim Reynolds signed the bill into law on March 28, 2023. While the bill shares the general structure of Colorado, Connecticut, and Virginia’s recent data privacy laws, the rights granted to consumers are less extensive, and most closely align with the more limited consumer rights granted in the Utah Consumer Privacy Act (the “UCPA”). SF262 is very business-friendly, and places fewer compliance obligations on businesses subject to the legislation. The legislation will go into effect on January 1, 2025.

Scope

Iowa’s bill applies to legal entities conducting business in Iowa or producing products or services targeted to Iowa consumers that either (1) control or process the personal data of 100,000 or more Iowa consumers or (2) control or process the personal data of at least 25,000 Iowa consumers and derive 50 percent of their revenue from the sale of personal data. Unlike California and Utah, SF262 has no applicable revenue threshold. A “consumer” is defined as a natural person who is a resident of Iowa acting in an individual or household context, and expressly excludes natural persons acting in a commercial or employment context. “Personal data” is defined to mean “information that is linked or reasonably linkable to an identified or identifiable individual.” Personal data does not include de-identified or aggregate data or publicly available information.

Consumer Rights

Under the Iowa law, Iowa consumers will have the following rights: (1) right to know whether a covered business is processing their personal data; (2) right to access such data; (3) right to delete the personal data that they have provided to a business; (4) right of data portability whereby the business must provide consumers with a portable, readily usable copy of their personal data; and (5) right to opt out of the sale of their personal data. A “sale” of data is more narrowly defined than in some other state laws, with a requirement that the data be exchanged for monetary consideration, rather than monetary or “other valuable consideration” as defined in the California, Colorado and Connecticut laws. The bill refers to a right to opt out of the processing of the consumers’ personal data for targeted advertising in the context of controllers’ obligations, but does not expressly establish this right for consumers, and there is some uncertainty as to how this right may be exercised.

The bill does not provide consumers with a right to correct their personal information as held by the controller. Additionally, consumer rights will not apply to pseudonymous data, and consumers may not exercise their rights through global device settings or authorized agents.

Iowa’s bill does not require opt-in consent for sensitive data processing, but instead requires that the controller provide notice of sensitive data processing and allow consumers to opt out of such processing. “Sensitive data” includes (1) racial or ethnic origin, religious belief, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, (2) genetic or biometric data processed to uniquely identify a person, (3) personal data collected from a known child, and (4) precise geolocation data.

Notably, under SF262, businesses have 90 days to respond to consumer requests, with the chance for a 45-day extension. No other current state comprehensive privacy law allows more than 45 days to respond to consumers without an extension.

Additional Requirements

Similarly to other state laws, processors have certain obligations under SF262, and controllers and processors must enter data processing addendums governing the third party processing of personal data. The obligations under Iowa’s law are not unique, and data processing addendums drafted to meet the standards of other state laws will satisfy obligations under Iowa’s law as well. Other obligations imposed on controllers under other state laws, such as maintaining a privacy notice and implementing reasonable data security practices, are incorporated into the Iowa law, with no new or additional requirements. However, like the UCPA, Iowa’s law will not require businesses to conduct data protection assessments.

Enforcement

Iowa’s law will not provide a private right of action to consumers. The Iowa Attorney General will have exclusive enforcement authority and may issue fines of up to $7,500.00 per violation. Iowa’s legislation allows a business 90 days to cure any violations of the act should the Iowa Attorney General send the business written notice of any issues. This is notable as no other state law allows more than 60 days to cure upon notice of a violation.

Koley Jessen will continue to monitor developments related to Iowa’s new data privacy law and advise as updates become available. If you have questions on whether your business needs to comply with the law or what steps you must take, please contact one of the specialists in Koley Jessen’s Data Privacy and Security Practice Area.