On March 29, 2023, Iowa Gov. Kim Reynolds signed into law Senate File 262, the Iowa Act Relating to Consumer Data Protection (ICDPA). Taking effect nearly two years from now on January 1, 2025, the ICDPA makes Iowa the sixth state to enact a comprehensive data privacy law. In many ways, the new law parallels the Utah Consumer Privacy Act (UCPA) and the Virginia Consumer Data Protection Act (VCDPA), which are generally considered more business-friendly and less restrictive than the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA) and the California Consumer Privacy Act (CCPA) (as amended by the California Privacy Rights Act (CPRA)).

Key Provisions

  • Consumer Opt Out for Sale of Data – consumers have a right to opt out of processing for the sale of personal data or for use in targeted advertisements, much like under the VCDPA and CPA.
  • No Right to Opt Out of Profiling – unlike the VCDPA and CPA, consumers do not have a right to opt out of profiling.1
  • Service Provider Contracts – controllers are required to establish contracts with processors establishing the instructions and obligations for the respective parties around the data processing. Like the VCDPA and CPA, controllers may request that processors delete or return personal data.
  • Sensitive Data Processing Requirements – like the UCPA, data controllers must provide consumers with notice and an opportunity to opt out before processing sensitive data.
  • 90-Day Cure Period – the ICDPA provides a 90-day cure period for alleged violations (the longest cure period of any U.S. privacy law), enforceable by the Iowa Attorney General.

Who Must Comply with the ICDPA?

The ICDPA applies to "controllers" who determine the purpose and means of processing personal data, and "processors" who process that data on behalf of the controller, much like other state laws as well as the European Union's (EU) General Data Protection Regulation (GDPR).2 The Iowa law applies to persons conducting business in Iowa or producing products or services targeted to Iowa consumers that either:

  • Control or process personal data of at least 100,000 Iowan consumers.
  • Derive over 50% of revenue from selling the personal data of at least 25,000 Iowan consumers.3

Notably, the ICDPA does not include a minimum annual revenue threshold. Thus, small businesses that may have avoided being subject to either the CCPA or UCPA because they do not meet those statutes' revenue thresholds may still be subject to the ICDPA and should carefully evaluate whether they meet either of the above criteria.

What Are Notable Exemptions?

Like the UCPA, the ICDPA has an employee and job applicant exemption. Specifically, it excludes coverage for natural persons acting in a commercial or employment capacity from the definition of "consumer," which means that the ICDPA's overall scope of privacy protections is more limited than other consumer privacy statutes such as the CCPA. Individuals providing personal data to a business in the course of applying for employment, for example, fall outside the parameters of the statute. While the ICDPA defines personal data as "any information that is linked or reasonably linkable to an identified or identifiable natural person," it excludes de-identified data, aggregate data or publicly available information from that definition.4 The law also explicitly excludes data processed or maintained in the course of applying to, being employed by or acting as an agent for a data controller or processor, among several other exclusions, such as health records and consumer credit reporting data.5

Certain types of entities are also exempt from the statute's coverage, including nonprofits, higher education institutions, financial institutions and entities subject to certain federal regulations such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA).6

What Rights Do Iowa Consumers Have?

The ICDPA is the latest U.S. privacy law to extend data privacy rights to consumers, which include the rights to: (1) know whether a controller is processing the consumer's data, and if so, the right to access that data; (2) request deletion of the consumer's data; (3) obtain a copy of that data; and (4) opt out of the sale of personal data.7 Unlike the CCPA, the Iowa law does not provide a separate requirement that consumers must opt in for the processing of "sensitive data," and does not explicitly provide any right to correct inaccurate information or to opt out of profiling. However, ICDPA Section 4(6) identifies the following requirement: "If a controller sells a consumer's personal data to third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity."8 It remains to be seen how businesses, courts and regulators will interpret this provision, and whether any administrative rules will be issued to guide the interpretation and implementation of the law.

In general, the ICDPA is more generous to businesses than other state privacy laws in the context of providing time to review and respond to consumer rights requests. Controllers will have 90 days to respond to verifiable consumer requests—and an additional 45 days when reasonably necessary and as long as the requestor is notified of the extension within the original 90-day period.9

What Obligations Do Controllers and Processors Have?

The ICDPA contains requirements for both controllers and processors, similar to those found in other state privacy laws.

Controller Requirements:

  • Data Security: Controllers must adopt and implement reasonable administrative, technical and physical practices for data security, appropriate to the volume and nature of the data.10
  • Sensitive Data: As previously mentioned, the ICDPA does not require opt-in consent for the processing of sensitive data, much like the UCPA. Instead, controllers must provide consumers with clear notice and the ability to opt out before they process sensitive data. Sensitive data includes genetic data, biometric data, data of a known child and precise geolocation data, among other categories of information such as race and religion.11
  • Nondiscrimination: Controllers must not process personal data in violation of state or federal laws prohibiting unlawful discrimination against consumers, and may not discriminate against consumers who exercise their rights under the ICDPA.12
  • Transparency and Purpose Specification: A controller's privacy notice must disclose: (1) what categories of data are processed; (2) the purpose for such processing; (3) how consumers can exercise their rights; (4) categories of personal data shared with third parties; (5) the categories of those third parties with whom personal data is shared; and (6) how consumers can appeal a business's refusal to take action on a consumer request. And as mentioned above, the controller must also clearly and conspicuously disclose that it is selling personal data to third parties and/or participating in targeted advertising and the manner in which consumers can opt out of such activity.13

Processor Requirements: Processors are required to assist with controller obligations, including (1) responding to consumer requests, (2) implementing appropriate technical and operational data security measures and (3) complying with data breach notification requirements.14 Like other state privacy laws, the ICDPA requires a contract to govern the controller-processor relationship that establishes the controller's instructions for processing data, the nature and purpose of the processing, the duration of the processing, and the rights and obligations of both parties.15

Who Can Enforce the Law?

The Iowa Attorney General (AG) has exclusive authority to issue civil investigative demands, conduct enforcement actions and seek the imposition of injunctive relief and/or civil penalties for violations.16 Similar to the consumer request timeline, should the AG wish to initiate an action against a business for any violation of the law, the AG must first provide the business with written notice of the violation and 90 days to cure such violation, longer than the cure period provided under any similar statute.17 Like every other state that has enacted a similar law, except California, Iowa gives the State AG exclusive enforcement authority and provides no private right of action. That does not mean the legislature has taken the protection of Iowans' privacy rights lightly: the ICDPA allows the AG to issue fines of up to $7,500 per violation, and does not textually distinguish between unintentional and intentional violations.18

Fortunately, companies that have already made strides to bring themselves into compliance with the other state privacy laws and/or the GDPR are likely well on their way to being compliant with the ICDPA, which is not effective until January 1, 2025. Nonetheless, companies should take the time now to understand the Iowa law's requirements and incorporate them into their existing privacy compliance programs.

Footnotes

1. Under Cal. Civ. Code § 1798.185(a)(16), the CCPA indicates that regulations will need to be developed to govern access and opt-out rights concerning automated decision-making, including profiling. While not addressed in the final CCPA Regulations effective March 29, 2023, the California Privacy Protection Agency (CPPA) invited preliminary comments on proposed rulemaking covering profiling from February 10 – March 27, 2023, suggesting that profiling may be covered in a future iteration of the Regulations.

2. S.F. 262, 90th Gen. Assemb., Reg. Sess. §§ 1(8), (21) (Iowa 2023).

3. Id. § 2(1).

4. Id. § 1(18).

5. Id. § 2(3).

6. Id. § 2(3).

7. Id. § 3(1).

8. Id. § 4(6) (emphasis added).

9. Id. § 3(2)(a).

10. Id. § 4(1).

11. Id. § 4(2).

12. Id. § 4(3).

13. Id. § 4(5) - (7).

14. Id. § 5(1).

15. Id. § 5(2).

16. Id. § 8(1).

17. Id. § 8(2).

18. Id. § 8(3).
