On March 28, 2023, Iowa Governor Kim Reynolds signed into law Senate File 262, "an Act relating to consumer data protection, providing civil penalties, and including effective date provisions." The bill makes Iowa the sixth U.S. state to enact a comprehensive consumer privacy law, following California, Virginia, Colorado, Connecticut, and Utah.
In the absence of federal privacy legislation, Iowa Senate File 262 adds one more piece to the patchwork of United States state privacy laws. In this post, we break down the key elements of the bill that businesses serving Iowa residents need to know before it takes effect on January 1, 2025.
Which organizations does the Iowa privacy law apply to?
Any organization that conducts business in Iowa, or targets its products or services to Iowa residents, is subject to the Iowa privacy law if it satisfies one of the following thresholds:
- Controls or processes the personal data of at least 100,000 Iowa residents during a calendar year; or
- Controls or processes the personal data of at least 25,000 Iowa residents and derives more than 50% of its gross revenue from the sale of personal data.
Unlike some other state privacy laws, including the California Privacy Rights Act (CPRA) and the Utah Consumer Privacy Act (UCPA), Iowa's privacy law does not impose a minimum annual revenue threshold. An organization that meets either of the thresholds above is in scope regardless of its size or revenue.
Similar to many of the other enacted state consumer privacy laws, the Iowa privacy law does include some notable exemptions, including:
- The State and its political subdivisions;
- Financial institutions subject to the Gramm-Leach-Bliley Act;
- Entities that are covered by the Health Insurance Portability and Accountability Act (HIPAA);
- Not-for-profit organizations; and
- Institutions of higher education.
How does the Iowa privacy law define personal data?
Under Senate File 262, personal data is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” not including “de-identified or aggregate data or publicly available information.”
The law also classifies specific categories of personal data as sensitive data, including racial or ethnic origin, religious affiliations, health diagnoses, sexual orientation, immigration status, biometric data, children’s personal data, and precise geolocation data.
What consumer rights does the Iowa privacy law grant?
Senate File 262 grants a set of now-familiar consumer rights: the right to confirm whether an organization is processing the consumer's personal data and to access that data, the right to deletion, the right to data portability, and the right to opt out of the sale of personal data. Notably absent is a right to correct inaccurate personal data, which Virginia, Colorado, Connecticut, and California all provide.
What requirements does the Iowa privacy law place on covered entities?
Similar to other state consumer privacy laws, organizations subject to the Iowa privacy law have obligations to protect and respect the personal data of Iowa residents. Covered entities will be required to establish and maintain reasonable administrative, technical, and physical data security practices to protect the personal data they hold. They must also limit the processing of personal data to the purposes disclosed to consumers, present consumers with clear notice and an opportunity to opt out before processing sensitive data (an opt-out model, not the opt-in consent that Virginia, Colorado, and Connecticut require for sensitive data), refrain from discriminating against consumers for exercising their rights, and provide a reasonably accessible, clear, and meaningful privacy notice that includes:
- The categories of personal data being collected or processed by the organization;
- The purpose of processing that data;
- Instructions for exercising consumer rights;
- The categories of personal data being shared with third parties; and
- The categories of third parties with whom personal data is being shared.
One notable omission is a requirement to conduct regular data protection or privacy risk assessments, which the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), and the Virginia Consumer Data Protection Act (VCDPA) all impose.
How will Iowa’s privacy law be enforced?
Iowa Senate File 262 includes no private right of action, so consumers cannot sue businesses for alleged violations of the law. Instead, it vests exclusive enforcement authority in the state's Attorney General, who may issue civil investigative demands to any entity suspected of violating the law's provisions. Before bringing an action, the Attorney General must provide the organization with written notice of the alleged violations, after which the organization has a 90-day window to cure them. If the violations are not cured within that window, the Attorney General may seek civil penalties of up to $7,500 per violation.
Key Takeaways and Next Steps
Iowa’s privacy law will become effective in January 2025 and three more state privacy laws will take effect later in 2023. In addition, numerous other states, including New York and Indiana, are considering enacting their own comprehensive consumer privacy laws, each with its own set of requirements.
In light of this flurry of state privacy activity, now is a good time for businesses across the country to take stock of their current data security and privacy policies and procedures, conduct data protection and privacy risk assessments, and work with experienced legal counsel to implement data security and privacy best practices ahead of incoming regulations.
Octillo's team of privacy compliance attorneys works with organizations to develop robust, scalable data security and privacy programs that address the key requirements of state, federal, and global regulations. We would be happy to help your organization prioritize security and privacy and adapt to this constantly evolving legal landscape.