Aw, Shucks! Iowa Becomes 6th State to Enact Consumer Privacy Law

Holland & Knight LLP
Contact

Holland & Knight LLP

Highlights

  • Iowa became the sixth state to implement comprehensive consumer privacy legislation when Gov. Kim Reynolds signed SF 262 into law on March 28, 2023.
  • The Act Relating to Consumer Data Protection uses similar language as the Virginia Consumer Data Protection Law (VCDPA) but removes certain obligations, rendering the requirements more like those of the Utah Consumer Privacy Act.
  • This Holland & Knight alert provides key details on Iowa's consumer privacy law and a comparison with the five other states that have passed similar privacy legislation.

Iowa became the sixth state to enact a comprehensive consumer privacy law after Gov. Kim Reynolds signed SF 262 into law on March 28, 2023. The Act Relating to Consumer Data Protection uses similar language as the Virginia Consumer Data Protection Law (VCDPA) but removes certain consumer rights and data governance obligations, resulting in a law that is substantively more like the Utah Consumer Privacy Act. The new Iowa law takes effect on Jan. 1, 2025.

The following tables compare the Iowa law to the laws of the five other states that have passed comprehensive consumer privacy legislations. A State Consumer Privacy Laws "cheat sheet" is also available for downloading and printing.

Overview

The Iowa law is heavily modeled after existing state laws, meaning that organizations already complying with other state laws will likely face little, if any, additional compliance burdens. California continues to remain an outlier in extending rights to workforce members and business-to-business contacts and in containing any sort of private right of action.

Cybersecurity Alert Graph 1

View larger image

Consumer Rights

Similar to Utah's privacy law, the Iowa law does not have a "right to correct," and a consumer's right to delete is limited to the data the organization obtained from the consumer. Iowa also follows Utah in its approach to children's data – a controller cannot process such data unless it complies with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. Section 6501 et seq. – which creates a significant gray area since COPPA applies only to personal information collected directly from the child via an online service. The Iowa law does not offer consumers a right to opt out of profiling or other automated decision-making.

Cybersecurity Alert Graph 2

View larger image

Request Submission and Handling

Unlike California's and Colorado's laws, the Iowa law does not contain a lot of specificity as to the process for submitting consumer requests. Iowa's new law closely parallels Virginia's and Utah's, although Iowa's expands the timeline to respond to consumer requests from 45 days to 90 days.

Cybersecurity and Privacy Graph 3

View larger image

Information Governance

Similar to Utah's legislation, the Iowa law is light on internal requirements for the management of data, including that there is explicit purpose of processing limitation or requirement for data minimization. The Iowa law also does not require organizations to conduct data protection assessments.

Cybersecurity and Privacy Alert 4

View larger image

Enforcement

Iowa follows the trend in providing that violations of its new privacy law will be enforced only by its state attorney general and not civil litigants. Iowa offers time to cure violations, and the 90-day period offered is longer than those of other states. Violations of the law are punishable by civil penalties of up to $7,500 for each violation. California continues to be the only state to allow a private right of action – limited to certain types of data breaches only.

Cybersecurity Alert Graph 5.1

View larger image

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Holland & Knight LLP

Written by:

Holland & Knight LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Holland & Knight LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide