Iowa on Cusp of Enacting Privacy Legislation

Troutman Pepper

Recently, the Iowa Legislature sent a bill to Iowa Governor Kim Reynolds for her signature that would make Iowa the sixth state to enact a comprehensive privacy law. The Iowa Senate unanimously passed Senate File 262 (SF 262) on March 6, and the Iowa House passed the bill on March 15. If signed by the governor, the law will go into effect on January 1, 2025. SF 262 is more like Utah's Consumer Privacy Act than other state privacy laws enacted to date.

Who Must Comply?

SF 262 would apply primarily to "controllers" and "processors."

A controller is defined as "a person that, alone or jointly with others, determines the purpose and means of processing personal data." A processor is defined as "a person that processes personal data on behalf of a controller."

SF 262 would apply to persons conducting business in the state or who target Iowa consumers and meet one of the following thresholds during the prior calendar year:

  1. Controls or processes personal data of at least 100,000 consumers; or

  2. Controls or processes personal data of at least 25,000 consumers and derives 50% of gross revenue from the sale of personal data.

SF 262 provides broad entity-level exemptions, such as an exemption under the Gramm-Leach-Bliley Act (GLBA) for financial institutions, affiliates of financial institutions, or data subject to the GLBA. SF 262 also provides exemptions for entities subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Fair Credit Reporting Act (FCRA). Like other state comprehensive privacy laws, SF 262 also provides common exemptions for compliance with other laws, complying with a subpoena, and preventing and protecting against security incidents, fraud, and other illegal activity.

What Is Protected?

SF 262 protects "personal data" and "sensitive data" of consumers.

Personal data is defined as "any information linked or reasonably linked to an identified or identifiable natural person." Sensitive data means a category of personal data that includes the following: "racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, except to the extent such data is used in order to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law."

A consumer is defined as a natural person who is a resident of the state acting only in an individual or household context and excluding a natural person acting in a commercial or employment context.

Comparison to Other States

Like other states, SF 262 affords consumers various rights, including the right to confirm processing, delete personal data, and opt out of the sale of personal data.

However, SF 262 does not provide a right to correct. Like Utah's Consumer Privacy Act, it also does not require a user to affirmatively opt into the use of their sensitive data, and only requires that an opt-out right is offered. Unlike other state laws, SF 262 does not impose a data minimization requirement, a requirement to conduct risk assessments, or a duty to avoid secondary uses of the data.

Enforcement

There is no private right of action. SF 262 will be enforced only by the Iowa attorney general, who must provide notice of any alleged violations. Further, controllers and processors will have a 90-day right to cure such alleged violations, and that right does not sunset.

Takeaway

With no immediate federal privacy legislation in sight, states will continue to pass their own privacy laws. Iowa's and Utah's model may prove more attractive to states looking to balance providing consumers with rights to their personal information with imposing further obligations on businesses.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising
