On March 15, the Iowa House passed Senate File 262 (SF 262), a comprehensive privacy law similar to the ones already in effect in five other US states. The bill had previously passed the Senate on March 6 and now awaits signature by the Governor. If signed into law, the bill would make Iowa the sixth state with a comprehensive privacy law, joining California, Colorado, Virginia, Utah, and Connecticut. However, unlike the laws in the other states, the Iowa law will not go into effect until January 1, 2025.
While this bill will require companies to take the Iowa law into consideration when developing their compliance programs, it does not create any new obligations for businesses that did not previously exist under the other laws. This will allow companies to expand their current compliance programs to account for Iowa without needing to take any different compliance steps. The bill also has other business-friendly provisions, including a cure period, a delayed effective date, and the lack of a private right of action, which will lessen the compliance burden faced by companies.
Enforcement of the Iowa privacy law will rely solely on the Iowa state attorney general (AG), as the bill does not contain a private right of action. Controllers and processors can avail themselves of a 90-day cure period to resolve any deficient practices before the state AG may bring an enforcement action. However, the law does have broad exemptions for entities and data regulated under certain federal laws, limiting how “comprehensive” the law actually is.
Key provisions of the Iowa privacy law include the following:
- Applicability Thresholds: The law applies to entities that conduct business in Iowa or produce products or services targeted to Iowa residents and do at least one of the following during a calendar year: (1) control or process personal data of at least 100,000 Iowa residents; or (2) control or process personal data of at least 25,000 Iowa residents and derive over 50% of gross revenue from sale of personal data.
- Broad Exemptions: The law exempts various entities and information types, including state entities and political subdivisions of the state; financial institutions and data subject to GLBA; “certain organizations” governed by HIPAA; nonprofit organizations; institutions of higher education; information governed by FCRA; personal data governed by FERPA; certain employment-related information; and personal data governed by COPPA.
- Consumer Data Rights: The law creates rights for individual consumers, including: the right to confirm whether a controller is processing personal data and to access that data; the right to delete personal data; the right to obtain a portable and readily usable copy of personal data; and the right to opt out of the sale of personal data.
- Privacy By Design: The law incorporates privacy by design principles, such as requiring data controllers to implement reasonable data security practices.
- Sensitive Data Processing Requirements: The law requires that data controllers provide consumers with “clear notice and an opportunity to opt out” of the processing of sensitive data (which includes biometric information to the extent it is “processed for the purpose of uniquely identifying a natural person”).
- Privacy Notices: Controllers must provide consumers with a privacy notice that identifies (1) categories of personal data processed; (2) purposes for said processing; (3) how consumers may exercise their consumer data rights; (4) categories of personal data the controller shares with third parties; and (5) categories of third parties with whom the controller shares personal data.
- Disclosure of Data Sale and Targeted Advertising: Controllers must “clearly and conspicuously” disclose whether they sell consumers’ personal data or engage in targeted advertising.
Iowa’s new privacy law serves as another reminder for companies to review and revise their privacy compliance program and to assess whether they wish to provide certain privacy rights