Iowa Becomes Sixth State to Pass Comprehensive Privacy Law

On March 28, 2023, Iowa became the sixth state to pass a comprehensive data privacy law. Senate File 262, otherwise known as the Act Relating to Consumer Data  Protection, obtained the governor’s signature after passing unanimously through the House and Senate. With another state comprehensive data privacy law added to the patchwork of U.S. privacy laws, it is important for businesses to understand this law and how it both differs from and mirrors other comprehensive state data privacy laws already in effect or passed and not-yet effective. The Iowa comprehensive privacy law will go into effect on January 1,  2025.  

In this blog post, we first address when the law applies. Next, we set forth key obligations  for (1) controllers (i.e., entities that “alone or jointly with others, determine the purpose and  means of processing personal data”); and (2) processors (i.e., persons, including entities, that “process personal data on behalf of a controller”). We conclude by addressing the required data processing agreements and enforcement of and penalties under the law. 

A. Applicability 

Iowa’s comprehensive privacy law applies to businesses that conduct business in Iowa or produce products or services targeted to Iowa consumers and that, during a calendar year, does either of the following: (1) controls or processes personal data of at least 100,000 Iowa  consumers; or (2) controls or processes personal data of at least 25,000 Iowa consumers and derives 50% of their revenue from the sale of personal data.

Notably, financial institutions, affiliates of financial institutions, nonprofit organizations, higher education institutions, and health care organizations subject to HIPAA will be exempt from the Iowa law at an entity level. Additionally, certain types of personal data will be exempted, including personal data subject to FCRA, GLBA, HIPAA, FERPA, and COPPA, among other exemptions. Because the law excludes persons acting in commercial or employment context from the definition of “consumer,” the processing of personal data of business contacts, employees, independent contractors, and job applicants also would not be covered by the law.  

B. Key Obligations for Controllers 

• Data Subject Rights Response Obligations 

Iowa’s comprehensive privacy law guarantees certain rights to Iowa consumers, including:  (1) the right to confirm whether a business is processing the consumer’s personal data and  to access such personal data;(2) the right to delete personal data that has been provided by  the Iowa consumer; (3) the data portability right (i.e., the right to obtain a copy of the  consumer’s personal data that the consumer previously provided to the controller in a  portable, and as technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance where the processing is carried  out by automated means); and (4) the right to opt out of the sale of their personal data (i.e.,  the exchange of personal data for monetary consideration by the controller to a third party). 

Barring special circumstances (e.g., manifestly unfounded or technically unfeasible requests), Iowa consumers may exercise their data subject rights free of charge up to twice annually.  Controllers subject to Iowa’s privacy law will have 90 days to respond to consumer data  rights requests, which may be extended by up to 45 days if and as reasonably necessary.  

Controllers must establish an appeals process and provide conspicuously available instructions on the appeals process. After receiving an appeal, a controller has 60 days to  inform the consumer of the action taken on his/her appeal. If an appeal is denied, the controller must provide the consumer with an online mechanism through which the consumer may contact the Iowa Attorney General to submit a complaint.  

• Special Obligations for Processing of Sensitive Personal Data, Sales of Personal Data, and Use of Personal data for Targeted Advertising 

Controllers subject to Iowa’s comprehensive privacy law also must provide consumers with notice and an opportunity to opt out of the processing of sensitive personal data for any non exempt purpose. Processing of sensitive children’s personal data must be in accordance with COPPA. The law also requires that if a controller “sells a consumer’s personal data to a third party or engages in targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a  consumer may exercise the right to opt out of such activity.”  

• Additional Notice Obligations 

The law also requires controllers to provide a reasonably accessible, clear, and meaningful privacy notice with the following information: 

o The categories of personal data processed; 

o The purposes for processing; 

o How consumers can exercise their data privacy rights; 

o The categories of personal data the controller shares with third parties, if any; o The categories of third parties, if any, with whom the controller shares personal data;  and 

o How consumers can exercise their data subject rights. 

• Other Key Obligations 

The law places several other obligations on controllers, including the following:

o Implementation of reasonable administrative, technical, and physical security  measures;  

o Non-discrimination;  and

o Adherence to processing limitations (i.e., processing must be (1) reasonably  necessary and proportionate; (2) adequate, relevant, and limited to what is  necessary). 

C. Obligations for Processors 

The Iowa comprehensive privacy law also sets forth specific obligations for processors. Such obligations include assisting controllers, as reasonably practicable, in meeting their obligations to respond to data subject rights requests, securely process personal data, and provide notification of breaches. Upon the reasonable request of controllers, processors must provide information supporting the processors’ compliance with their obligations under the Iowa law. Processors also are required to enter into agreements with their subcontractors requiring such subcontractors to meet all of the processors’ duties with respect to applicable personal data.  

D. Data Processing Agreements 

The Iowa comprehensive privacy law requires controllers and processors to enter into an agreement governing the data processing procedures. This agreement must include all terms required by the Iowa comprehensive data privacy law. 

E. Enforcement and Penalties 

The Iowa Attorney General has sole enforcement power. Businesses then have a 90-day period in which to cure any violations, after which businesses may be subject to an injunction to restrain any violations of the law and a fine of up to $7,500 per violation. 

Maddie Level is an associate at Fey LLC.  She assists the firm’s clients in navigating a broad variety of global data privacy and information governance issues.

Kelley Rowan, Contributed to this post.