Iowa is in position to be the sixth state to enact comprehensive consumer privacy legislation after the Iowa Senate and House of Representatives passed Senate File 262. Once Governor Kim Reynolds receives Senate File 262, she can either sign, veto, or take no action. If Governor Reynolds takes no action for three calendar days, Senate File 262 becomes law. Notably, the Iowa Consumer Data Protection Law includes many of the same obligations and exceptions as the consumer privacy laws in California (CCPA), Colorado (CPA), Virginia (VCDPA), Utah (UCPA), and Connecticut (CTDPA), but most resembles the business-friendly UCPA.
What does this mean for businesses? Here are a few key points.
A COMPLIANCE RUNWAY
The Iowa Consumer Data Protection law would go into effect on January 1, 2025, so businesses have time to prepare and update their compliance programs.
TO WHOM DOES IT APPLY?
The Iowa Consumer Data Protection Law applies to businesses in the state or out-of-state businesses that target their products or services to Iowa residents and that:
- Control or process the personal data of at least 100,000 Iowan consumers; or
- Control or process the personal data of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data.
NOTABLE EXCEPTIONS
Unlike the CCPA, the Iowa Consumer Data Protection Law does not apply to data businesses compile in an employment context.
Further, the Iowa Consumer Data Protection Law does not apply to, among others:
- Government entities;
- Higher education institutions;
- Financial Institutions and their affiliates;
- Non-profits;
- Businesses that are covered entities pursuant to HIPAA; and
- Information subject to HIPAA and the Gramm-Leach-Bliley Act.
SCOPE
Under the Iowa Consumer Data Protection Law, “consumer” is defined as an Iowa resident and explicitly excludes individuals “acting in a commercial or employment context.” The Iowa law defines personal data as “information that is linked or reasonably linkable to an identified or identifiable natural person.” Like the other states’ laws, the Iowa Consumer Data Protection Law specifies that deidentified data or publicly available information does not constitute personal data. It defines publicly available information as “information that is lawfully made available through federal, state or local government records, or information that a business has reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.” Further, the Iowa Consumer Data Protection Law defines the “sale of personal data” as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.”
PRIVACY NOTICE
The Iowa law requires companies to provide consumers with a clear and reasonably accessible privacy notice that includes the following information:
- Categories of personal data processed;
- The purpose for processing personal data;
- How consumers may exercise their consumer rights, including how to appeal a company’s decision;
- Categories of personal data shared with third parties, if any;
- Categories of third parties, if any, with whom personal data is shared;
- Whether a company sells consumer’s personal data to third parties or engages in targeted advertising, as well as how a consumer may opt out of such activity.
CONSUMER RIGHTS
The Iowa Consumer Data Protection Law most similarly tracks the UCPA with regard to consumer rights and provides consumers with several rights, including:
- To confirm whether a controller is processing the consumer’s personal data;
- To obtain a copy of the consumer’s personal data that the consumer previously provided to the controller;
- To opt-out of the sale of personal data;
- Data deletion; and
- To appeal a company’s decision.
Like the UCPA (but unlike the CPRA, CPA, VCDPA, and CTDPA), the Iowa Consumer Data Protection Law does not provide consumers the right to correct inaccuracies in their personal data.
EXERCISING CONSUMER RIGHTS
A consumer may exercise a right by submitting a request to a controller, specifying which right the consumer intends to protect. Once a consumer submits a request, the controller has 90 days to:
- Take action on the consumer’s request and inform the consumer of any action taken; or
- Inform the consumer of any reasons the controller is not taking action in response to the consumer’s request; or
- Extend the initial 90-day period by an additional 45 days if reasonably necessary due to the complexity or volume of the consumer’s request and inform the consumer of the reason and length of the extension.
Notably, the Iowa law provides businesses with double the time to respond to consumer rights requests than the other state laws. Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer.
DATA CONTROLLER OBLIGATIONS
Similar to the other states’ comprehensive privacy laws, the Iowa Consumer Data Protection Law establishes “controller” and “processor” roles, which differentiate how entities handle personal data. Controllers are those who determine the purposes and means of processing personal data, while processors are entities that process personal data on behalf of a controller and at the controller’s direction. The law assigns different obligations based on an entity’s status as a controller or processor. The law imposes several obligations on controllers, including:
- Providing consumers with privacy notices; and
- Establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
SENSITIVE DATA
Under the Iowa Consumer Data Protection Law, controllers are prohibited from processing “sensitive data” without first giving the consumer explicit notice and providing an opportunity to opt-out of processing. Sensitive data includes:
- Racial or ethnic origins;
- Religious beliefs;
- Sexual orientation;
- Citizenship/immigration status;
- Biometric information;
- Health information;
- Data collected from a known child; and
- Precise geolocation.
ENFORCEMENT
Similar to other privacy laws, the Iowa law does not provide for a private right of action; enforcement falls solely to the attorney general. Prior to initiating an action, the attorney general must notify the controller of its violation. The Iowa law then gives a controller 90 days to cure the violation, which is triple the 30-day cure periods granted under the CCPA, UCPA, and VDCPA, and double that under the CTDPA. After the 90-day cure period, the Iowa Attorney General can issue injunctions and civil penalties of up to $7,500 for each violation not cured.
LOOKING AHEAD
We anticipate that 2023 will be an active year for privacy regulations – as many states currently have comprehensive privacy legislation pending. While preparing for the Iowa Consumer Data Protection Law, which, if passed, is set to go into effect on January 1, 2025, businesses can leverage their compliance efforts with other privacy laws, as this closely resembles other states’ comprehensive data privacy laws. However, it is always important to pay attention to the nuances between the patchwork of privacy regulations.
Redgrave LLP will continue to monitor developments in this area. We advise companies on how to address privacy and security issues, including crafting comprehensive privacy programs that account for state-specific regulations.
For assistance with or additional information on this topic, or to discuss data privacy compliance issues more broadly, please contact Martin Tully at mtully@redgravellp.com.
The views expressed in this article are those of the authors and not necessarily those of Redgrave LLP or its clients.