Just Around the Corner, Iowa’s Consumer Privacy Law Taking Effect
Iowa is next up in our series of articles providing in-depth summaries of state consumer privacy laws taking effect across the nation.
On March 28, 2023, Iowa Governor Kim Reynolds (R) signed into law Senate File 262 (the Iowa Consumer Data Protection Act or “IACDPA”) which becomes effective on January 1, 2025. The law aligns with other business-friendly state consumer privacy laws, but notably foregoes the requirement of conducting data protection impact assessments, and the IACDPA does not give consumers the right to correct personal data.
For additional resources about state consumer privacy laws, we are including an index at the bottom of this articles with hyperlinks to our blog posts covering laws passed in other states. For a full list of all state privacy laws we've covered, visit the U.S. State Consumer Privacy Law page. Please also keep your eye out for our 2024 round-up article that will be published in December as it will be a helpful overview of the full landscape of consumer privacy laws across the United States.
To Whom Does the Iowa Consumer Data Protection Act Apply?
The IACDPA applies to any individual or entity who either conducts business in Iowa or produces products or services that are targeted to the residents of Iowa; and that, during a calendar year either:
- controls or processes personal data of at least 100,000 Iowa residents; or
- controls or processes personal data of at least 25,000 Iowa residents and derives over 50% of its gross revenue from the sale of personal data.
Unlike broader and more onerous state consumer privacy laws, the IACDPA has narrower application to entities that target Iowa residents, as opposed to those who merely provide services or products to Iowa residents.
The IACDPA applies to personal data collected from a natural person who is a resident of the state and acts in any capacity other than in a commercial or employment context.
Iowa Consumer Data Protection Act Exemptions
In keeping with many other state consumer privacy laws in the country, the IACDPA exempts non-profit organizations, government entities, both public and private higher-ed institutions, and data addressed by sectoral privacy laws such as HIPAA and the Gramm- Leach- Bliley Act. Furthermore, the IACDPA also exempts specific types of data such as business-to-business personal data, data provided in the employment context, consumer credit-reporting data, health records, scientific research data, and information regulated under the federal Family Educational Rights and Privacy Act and Farm Credit Act.
Consumer Rights
Consumers have the following rights under the IACDPA:
- right to confirm whether or not their personal data is processed;
- right to access their personal data;
- right to deletion of their personal data;
- right to obtain a copy of their personal data;
- right to portability of their personal data;
- right to opt-out of the processing of their personal data for purpose of the sale of personal data and targeted advertising, and
- right to opt out of sensitive data processing.
Notably, and unlike more consumer-friendly state privacy laws, Iowa’s statute does not include a consumer’s right to correct personal data, and instead of allowing consumers to opt-in to sensitive data processing, it requires covered entities to provide consumers with the opportunity to opt out of this form of data processing.
Business Obligations to Consumers
The IACDPA requires covered entities to:
- respond to consumer requests under the IACDPA within 90 days of receipt of such request (and may be extended an additional 45 days when reasonably necessary, depending on number and complexity of requests);
- if the business declines to act on the consumer’s request, it must inform the consumer and provide instructions on how to appeal the decision;
- establish a process for consumers to appeal any refusal to take action on a consumer request; and
- within 60 days of receipt of a request for appeal, the business must inform the consumer of any action or inaction in response to the appeal, and if denied, provide the consumer with an online mechanism through which the consumer may reach the Iowa Attorney General to submit a complaint.
Notices to Consumers
Covered entities must provide consumers with a “reasonably accessible, clear and meaningful” privacy notice that includes at a minimum the following:
- the categories of personal data that the business processes;
- the express purposes for which the business is collecting and processing personal data;
- a list of all categories of personal data that a business shares with third parties;
- the categories of third parties with which the business shares personal data; and
- the manner in which consumers can exercise their rights under the IACDPA, including the process for appeals of denials of consumer requests.
As highlighted above, the IACDPA takes another departure from many other state privacy laws and does not require businesses to conduct and document data protection impact assessments in connection with the processing of personal data.
Other Business Obligations
Covered entities must (the DO’s):
- limit the processing of personal data to only the data that is “adequate, relevant, reasonably necessary, and proportionate” to serve the purposes for which the data is collected and processed;
- establish, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the confidentiality, integrity, and security of the personal data;
- clearly and conspicuously disclose if the business sells consumers' personal data to third parties or engages in targeted advertising; and
- provide consumers an opportunity to opt out from the sale of their personal data to third parties or engaging in targeted advertising.
Covered entities must not (the DON’Ts):
- process consumers’ sensitive data without presenting the consumer with clear notice and an opportunity to opt out of such processing; or if the consumer is a child, must process sensitive data in accordance with the federal Children’s Online Privacy Protection Act (“COPPA”);
- Sensitive data is defined as a category of personal data that includes “racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, except to the extent such data is used in order to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law, genetic or biometric data that is processed for the purpose of uniquely identifying a natural person, personal data collected from a known child, and precise geolocation data.
- process the sensitive data concerning a known child without complying with COPPA;
- process personal data in violation of state and federal laws that prohibit unlawful discrimination against a consumer;
- discriminate against consumers who exercise the rights under the IACDPA; and
- require a consumer to create a new account in order to exercise consumer rights (but may require a consumer to use an existing account).
Impact on Vendors/ Data Processors
Subprocessors such as vendors to covered businesses most often will have direct obligations under the IACDPA, such as:
- assisting the covered business with their own compliance obligations;
- make available to the covered business all information in the subprocessor’s possession necessary to demonstrate the entity’s compliance with the IACDPA;
- ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; and
- at the covered business’ direction, delete or return all personal data to it, unless retention is required by law.
Subprocessors must enter into a contract with the covered business that governs how it processes personal data on the covered business’ behalf. The IACDPA contains the following requirements that must be included in data processing agreements between the parties:
- instructions for processing personal data;
- the nature and purpose of processing;
- the type of data subject to processing;
- the duration of processing; and
- the rights and duties of both parties.
Enforcement
Like most state consumer privacy laws, the IACDPA does not provide for a private right of action. The IACDPA is exclusively enforced by the Iowa Office of the Attorney General and provides for a 90-day cure period where, prior to bringing an enforcement action, the AG will notify a covered business and grant it an opportunity to cure (if a cure is deemed possible).
Fines and Penalties
The Iowa Attorney General may recover up to $7,500 in civil penalties per violation of the IACDPA.
Index
Here are links to our articles covering all other states that have enacted consumer privacy laws:
California (and additional information here)
Here you’ll find our 2023 Round-Up on State Consumer Data Privacy Laws