From Coast to Coast and Now the Midwest: Iowa Becomes 6th State to Enact Comprehensive Privacy LawMarch 30, 2023
On March 28, 2023, Iowa’s Governor, Kim Reynolds, signed SF262, making Iowa the sixth state to enact a comprehensive privacy law. Up until now, the only states to have enacted comprehensive privacy laws had been in the western (California, Colorado, and Utah) and eastern (Connecticut and Virginia) parts of the country. Iowa’s law extends the recent wave in privacy laws to the Midwest and is substantially similar to the five other state comprehensive privacy laws, all of which will be in effect by the end of 2023. Although Iowa’s law will not take effect until January 1, 2025, given the similarities, impacted businesses may want to consider integrating compliance with Iowa’s law into their compliance plans for the other state laws.
The Iowa privacy law will apply to persons conducting business in Iowa or producing products or services that are targeted to residents of Iowa and that during a calendar year either:
- control or process personal data of at least 100,000 consumers (defined below); or
- control or process personal data of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data.
Unlike California’s and Utah’s privacy laws, which include a $25 million annual revenue threshold part of applicability, there is no monetary threshold under Iowa’s law. Rather, it focuses only on the activity of businesses with respect to personal data. The applicability thresholds under Iowa’s law mirror those under Virginia’s privacy law.
Of note, like the other state comprehensive privacy laws, Iowa’s law contains exemptions for certain types of entities, such as governmental entities, financial institutions governed by the Gramm-Leach-Bliley Act (“GLBA”), persons subject to HIPAA and HITECH, non-profit organizations, and institutions of higher education. It also exempts certain types of information, such as protected health information under HIPAA, personal data regulated by the Family Educational Rights and Privacy Act (“FERPA”), data processed or maintained in the course of employment, and personal data used in accordance with the Children’s Online Privacy Protection Act (“COPPA”).
Like the privacy laws in Colorado, Connecticut, Utah, and Virginia, the Iowa privacy law uses a narrower definition of “consumer” than California’s privacy law. It defines “consumer” to mean an individual who is an Iowa resident, but excludes an individual acting in a commercial or employment context. As a result, employee personal information and business contact personal information fall outside the scope of the law.
With respect to consumers, the Iowa law not only regulates their “personal data,” but also recognizes a special category of personal data known as “sensitive data,” which it defines as (i) racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, except to the extent such data is used in order to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law; (ii) genetic or biometric data processed for the purpose of uniquely identifying a natural person; (iii) personal data collected from a known child (i.e., an individual under thirteen); or (iv) precise geolocation data. While Iowa’s definition of “sensitive data” is similar to the definitions used in Colorado, Connecticut, Utah, and Virginia, Iowa’s definition is unique in that it includes a carve out to the extent certain sensitive data is used to avoid discrimination. Businesses should take note of the slight differences in order to make their compliance efforts comprehensive or tailor them as necessary.
Iowa’s definition of the “sale of personal data” aligns with the narrower definitions in Utah’s and Virginia’s privacy laws, meaning the exchange of personal data for monetary consideration only (as opposed to monetary or other valuable consideration) by the controller to a third party. Additionally, Iowa’s privacy law provides broad exceptions to the definition of “sale” that are similar to exceptions in other state privacy laws and should cover may ordinary business activities, such as disclosure of personal data to a processor who processes the personal data on behalf of a controller, to a third party for the purpose of providing a product or service requested by a consumer, and to an affiliate of the controller.
The Iowa privacy law contains compliance obligations found in all the other state comprehensive privacy laws, such as requiring controllers to provide a compliant privacy notice to consumers and to enter into agreements with processors that handle the controller’s personal data. However, unlike some of the other comprehensive state privacy laws, the Iowa law does not require controllers to undertake data protection assessments.
Consumer Rights and Requests
A key tenet of all of the US comprehensive privacy laws is the granting of rights to individuals regarding their own personal data. Like the others before it, Iowa’s privacy law grants consumers the right to make requests to (1) access their personal data; (2) delete their personal data; (3) obtain a copy of their personal data; and (4) opt out of the sale of personal data. These rights notably exclude a right to correct inaccurate personal data, which Utah’s privacy law also omits. Further, the opt out rights under Iowa’s do not expressly include the right to opt out from the use of personal data for targeted advertising. However, with respect to sensitive data, Iowa’s law requires controllers to first provide consumers with clear notice and an opportunity to opt out of the processing of their sensitive data.
A controller has 45 days to respond to a consumer request, which may be extended once by an additional 45 days when reasonably necessary upon considering the complexity and number of the consumer’s requests. Like under the comprehensive privacy laws in Colorado, Connecticut, and Virginia, a controller must also provide consumers with an appeals process if it denies a consumer’s request. A controller has 60 days to respond to an appeal.
Importantly, Iowa’s law continues the trend of excluding a private right of action for individuals. Like the other state comprehensive privacy laws, Iowa’s privacy law leaves enforcement exclusively to its Attorney General. The Iowa Attorney General can seek civil penalties of up to $7,500 for each violation of the law. However, the Attorney General must first give violators an opportunity to cure violations within 90 days of receiving notice of a violation.
The passage of Iowa’s comprehensive privacy law continues privacy’s momentum in the U.S., especially on the state level. As states continue to enact similar laws, the benefits of a universal approach to privacy compliance, especially for medium to large businesses, become increasingly important. As such, businesses should not delay their compliance efforts.
If you would like assistance with, or have any questions about, complying with Iowa’s comprehensive privacy law or other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Cybersecurity & Data Privacy attorneys. Check out our U.S. Privacy Laws page for more information.