On March 28, Iowa’s six-year-long effort to pass comprehensive consumer data privacy legislation was finally completed, making Iowa the sixth state to enact such a law. Just over two weeks later, Indiana’s legislature passed its own comprehensive consumer data privacy bill (with Governor Eric Holcomb expected to sign it into law shortly), which will make Indiana the seventh state with comprehensive legislation. The Iowa law (the Iowa Act Relating to Consumer Data Protection) takes effect on Jan. 1, 2025, and the Indiana law (the Indiana Consumer Data Protection law) a year later, on Jan. 1, 2026.
Not only were both laws passed within a short time of one another, but they also share many features with each other and with the other comprehensive state privacy laws. For those who do business in Iowa or Indiana or have Iowa or Indiana consumers, here are the important features of the new laws’ applicability and their effects on consumer rights and business obligations.
Applicability
Both the Iowa law and Indiana’s approved bill apply to (a) entities that do business in those states; and (b) entities that produce products or services targeted to residents of Iowa or Indiana. Both states distinguish between those who collect and determine the purposes of processing personal data (controllers) and those who process personal data on a controller’s behalf (processors). Both statutes apply only to businesses that, during a calendar year:
- Control or process the personal data of at least 100,000 consumers; or
- Control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
Both laws also carry the customary exemptions, including for state agencies, financial institutions subject to the Gramm-Leach-Bliley Act, covered entities and business associates under HIPAA, nonprofits, and institutions of higher education.
Both laws define consumers as residents of the state acting only in an individual or household context, not in a commercial or employment context (in contrast to the CPRA in California, which also covers employees and business-to-business contacts).
Consumer Rights
Both laws also create a number of consumer rights. Both give consumers the right to confirm whether a controller is processing their personal data and to access it, to delete personal data they have provided, to obtain a portable copy of their data, and to opt out of the sale of personal data and targeted advertising.
The Iowa law, however, does not give residents the right to correct their personal data or to opt out of profiling or automated decision-making, and it does not require Iowa businesses to recognize universal opt-out signals. Indiana grants a right of correction and a right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.
Entities covered by the laws must respond to consumer rights requests within 90 days in Iowa and within 45 days in Indiana (each law allows one extension of up to 45 days where reasonably necessary). Both laws prohibit discrimination against consumers for exercising their rights and give consumers the right to appeal an entity’s refusal to act on a request.
One interesting note: under the Indiana law, riverboat casinos are expressly allowed to use facial recognition technology as part of their operations, a unique exception so far in the area of consumer data protection.
Business Obligations
Both of these laws increase the importance of and the scrutiny of website privacy policies. In both states, entities subject to these laws are required to provide residents with a privacy notice advising residents of the categories of personal data processed, the purpose for processing the data, the categories of personal data disclosed, the categories of third parties to whom personal data is disclosed, and how consumers can exercise their consumer rights under the law.
Both laws also require covered entities to have contracts with the processors that handle consumer data for them. These contracts must set out instructions for processing personal data, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the rights and duties of both parties. The contract must also describe the process for retaining, deleting, and accessing data, and for holding subcontractors accountable (in practice, processors should expect to flow these same terms down to their own subprocessors).
Covered entities are also subject to a number of general requirements for the handling and processing of consumer personal data. Collection of personal data must be limited to what is adequate, relevant, and reasonably necessary in relation to the specific purposes for which it is collected (data minimization). Controllers must also implement reasonable physical, technical, and administrative data security practices to protect the confidentiality, integrity, and availability of personal data, and these practices must be appropriate to the volume and nature of the data collected.
Under Iowa law, entities may not process a consumer’s sensitive data for a nonexempt purpose unless they first give the consumer clear notice and an opportunity to opt out of such processing. Under Indiana law, entities may not process sensitive data without obtaining the consumer’s consent (an opt-in standard). And, in both states, collecting and processing sensitive data from a consumer known to be under the age of 13 must be done in accordance with the Children’s Online Privacy Protection Act (“COPPA”), which requires verifiable parental consent for such collection.
Indiana law also requires covered entities to conduct and document data protection assessments before they: (1) process personal data for purposes of targeted advertising, (2) sell personal data, (3) process personal data for purposes of profiling where the profiling presents a reasonably foreseeable risk of harm, (4) process sensitive data, or (5) engage in any other processing that presents a heightened risk of harm to consumers. The Indiana Attorney General may request these assessments in an investigation. Iowa imposes no such assessment requirement.
Enforcement
Neither statute creates a private right of action (the norm among the comprehensive state laws, with only California’s providing a limited one for data breaches); enforcement authority rests exclusively with each state’s Attorney General. Civil penalties under both laws can reach up to $7,500 per violation, but both states require notice and a cure period (90 days in Iowa and 30 days in Indiana) before such penalties can be sought, and neither cure period is scheduled to sunset.