With the unanimous passage of Senate File 262 by the Iowa House and Senate and the Governor's signature Tuesday, the Hawkeye State joins California, Colorado, Connecticut, Virginia, and Utah as one of six states with a codified comprehensive consumer privacy law.
Let's take a look at some of the notable takeaways and key provisions from Iowa's new Consumer Data Protection Act (ICDPA). [1]
Notable Takeaways
- No Rush to Regulate: In contrast to other states with recently passed comprehensive privacy laws, the ICDPA does not go into effect until January 1, 2025. Other state privacy laws are either currently in effect or scheduled to go into effect at some point in 2023.
- New Law, Familiar Requirements: The ICDPA does not impose new substantive requirements on businesses or create compliance obligations that do not already exist under the current patchwork of state privacy laws. This should make it easier for companies to fold the ICDPA into their existing privacy compliance programs.[2]
- Business-Friendly Legislation: Iowa's privacy law is fairly described as business-friendly. For example, there is no private right of action for consumers; enforcement authority is vested exclusively in the attorney general. The Iowa Attorney General can impose fines of up to $7,500 per violation, but the ICDPA provides a generous 90-day cure period for businesses to correct identified deficiencies before any fine can actually be levied. The 90-day cure period is significant because other state privacy laws have offered businesses at most a 60-day cure period after notice of a violation, and some of those states sunset the cure period entirely. Furthermore, the ICDPA does not require covered entities to conduct risk assessments or to practice purpose limitation or data minimization.
Key Provisions in the Iowa Privacy Act
- Application Threshold: In contrast to the privacy laws in California and Utah, the ICDPA does not contain a revenue threshold. Instead, Iowa's privacy act applies only to entities conducting business in Iowa or producing products or services targeted to Iowa residents that also do at least one of the following during a calendar year:
- control or process personal data of at least 100,000 Iowa residents; or
- control or process personal data of at least 25,000 Iowa residents and derive over 50 percent of gross revenue from the sale of personal data.
- Narrower Set of Consumer Data Rights: The rights afforded to consumers under the ICDPA are fairly limited relative to the consumer rights codified in other state privacy laws. For example, the ICDPA provides only a limited right to data portability (covering data the consumer provided to the business) and no express right to opt out of the use of personal data for targeted advertising purposes.[3] There is also no right to correct personal data and no right to opt out of profiling. Nor does the ICDPA require covered entities to recognize or act on opt-out preference signals such as the Global Privacy Control (GPC). The ICDPA provides consumers the following rights when it comes to accessing and managing their personal information:
- The right to access personal information;
- The right to confirm processing;
- The right to deletion (only applicable to personal data provided to the business by the consumer);
- The right to data portability (only applicable to personal data provided to the business by the consumer); and
- The right to opt out of sale.
Notably, the ICDPA defines a "sale" considerably more narrowly than does the California Consumer Privacy Act (CCPA), and in line with the privacy laws in Virginia and Utah. Under the ICDPA, a sale is "the exchange of personal data for monetary consideration by the controller to a third party." Under the CCPA, a sale may involve various types of exchanges for monetary or "other valuable consideration." [4]
- Broad Set of Exemptions: The ICDPA excludes the same entities and information that most other state privacy laws exempt from coverage, including:
- Certain employment-related information;
- Entities governed by the Health Insurance Portability and Accountability Act;
- Financial institutions and data subject to the Gramm-Leach-Bliley Act;
- Information governed by the Fair Credit Reporting Act;
- Institutions of higher education;
- Nonprofit organizations;
- Personal data governed by the Children's Online Privacy Protection Act;
- Personal data governed by the Family Educational Rights and Privacy Act;
- State entities and political subdivisions of the state.
- Sensitive Data Processing Requirements: The ICDPA requires that data controllers provide consumers with "clear notice and an opportunity to opt out" of the processing of sensitive data (which includes biometric information to the extent it is "processed for the purpose of uniquely identifying a natural person").
- Privacy Notices: Similar to other state privacy laws, the ICDPA calls for covered entities to develop and display clear and accessible consumer privacy notices. Controllers subject to the ICDPA should ensure that the following information is included:
- categories of personal data processed;
- purposes for said processing;
- how consumers may exercise their consumer data rights;
- categories of personal data the controller shares with third parties; and
- categories of third parties with whom the controller shares personal data.
- No Rulemaking Authority: The ICDPA does not create or establish a privacy-focused regulatory agency (such as the California Privacy Protection Agency) or give the attorney general any rulemaking authority.
Looking Ahead
Iowa's new privacy law is part of a national trend. Over a dozen states are currently considering comprehensive privacy legislation. Iowa follows Utah in providing a more business-friendly framework that should be simpler for businesses to adopt and incorporate into their existing privacy programs compared to more complex regimes such as California's and Colorado's. Not all states considering privacy legislation this year are taking such a business-friendly approach, however. Some of the other states' bills would impose greater restrictions on data collection and use and, in some cases, provide private rights of action to consumers for remedying violations. Companies need to monitor state legislation and be at the ready to accommodate future compliance obligations.
DWT's Privacy and Security team will continue to monitor the rapid development of other state and new federal privacy laws and regulations.
[1] See https://www.legis.iowa.gov/legislation/BillBook?ga=90&ba=SF%20262.
[2] IAPP's assessment of where Iowa's privacy act falls in the current patchwork of U.S. privacy laws. See https://iapp.org/news/a/iowa-set-to-finalize-sixth-us-comprehensive-state-privacy-law/.
[3] Though the ICDPA does require controllers to disclose how users may opt out of targeted advertising activities.
[4] CCPA defines the term "sale" broadly as the "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by [a] business to another business or a third party" in exchange for "monetary" or "other valuable consideration." Colorado and Connecticut's privacy laws align more closely with California when defining "sale" broadly to mean "the exchange of personal data for monetary or other valuable consideration by a controller to a third party" (emphasis added).