Iowa became the sixth state to enact a comprehensive consumer privacy law after Gov. Kim Reynolds signed SF 262 into law on March 28, 2023. The Act Relating to Consumer Data Protection uses language similar to that of the Virginia Consumer Data Protection Law (VCDPA) but removes certain consumer rights and data governance obligations, resulting in a law that is substantively more like the Utah Consumer Privacy Act. The new Iowa law takes effect on Jan. 1, 2025.
The following tables compare the Iowa law to the laws of the five other states that have passed comprehensive consumer privacy legislation. A State Consumer Privacy Laws "cheat sheet" is also available for downloading and printing.
Overview
The Iowa law is heavily modeled after existing state laws, meaning that organizations already complying with other state laws will likely face little, if any, additional compliance burdens. California continues to remain an outlier in extending rights to workforce members and business-to-business contacts and in containing any sort of private right of action.
Consumer Rights
Similar to Utah's privacy law, the Iowa law does not have a "right to correct," and a consumer's right to delete is limited to the data the organization obtained from the consumer. Iowa also follows Utah in its approach to children's data – a controller cannot process such data unless it complies with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. Section 6501 et seq. – which creates a significant gray area since COPPA applies only to personal information collected directly from the child via an online service. The Iowa law does not offer consumers a right to opt out of profiling or other automated decision-making.
Request Submission and Handling
Unlike California's and Colorado's laws, the Iowa law does not contain a lot of specificity as to the process for submitting consumer requests. Iowa's new law closely parallels Virginia's and Utah's, although Iowa's expands the timeline to respond to consumer requests from 45 days to 90 days.
Information Governance
Similar to Utah's legislation, the Iowa law is light on internal requirements for the management of data, including that there is no explicit purpose of processing limitation or requirement for data minimization. The Iowa law also does not require organizations to conduct data protection assessments.
Enforcement
Iowa follows the trend in providing that violations of its new privacy law will be enforced only by its state attorney general and not civil litigants. Iowa offers time to cure violations, and the 90-day period offered is longer than those of other states. Violations of the law are punishable by civil penalties of up to $7,500 for each violation. California continues to be the only state to allow a private right of action – limited to certain types of data breaches only.