Privacy in the Heartland: Iowa to Become Sixth State with a Comprehensive Privacy Law

An Iowa comprehensive privacy law bill titled An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions recently passed both chambers of the Iowa legislature with no dissenting votes. Unless Iowa’s governor vetoes the bill, Iowa will become the nation’s sixth state with a comprehensive consumer privacy law, following California, Virginia, Colorado, Utah, and Connecticut.

In comparison to the existing laws adopted by other states, the Iowa bill is most similar to the Utah Consumer Privacy Act—the most business-friendly of those existing laws. In that sense, the Iowa bill is a positive development for businesses. The core requirements are aligned with the Utah law and importantly, do not introduce any significant new or additional requirements as compared to those laws.

This post summarizes several key takeaways from the Iowa privacy bill.

Application and scope is most aligned with the Virginia, Colorado, and Connecticut statutes.

Unlike the California and Utah privacy laws, the Iowa bill does not contain a revenue threshold. It will apply to controllers and processors that:

  • conduct business in Iowa or otherwise produce products or services targeted at Iowa residents, and
  • either (i) control or process personal data of 100,000 or more Iowa residents in a calendar year, or (ii) control or process personal data of 25,000 or more Iowa residents and derive over 50% of gross revenue from the sale of personal data.

The law also includes, however, broad entity-level exceptions for financial institutions subject to Title V of the Gramm-Leach-Bliley Act, covered entities and business associates governed by HIPAA, nonprofit organizations, and institutions of higher education. And helpfully, as with all the existing state laws except California, the Iowa bill’s definition of “consumer” also excludes individuals acting in a “commercial or employment context” from its scope.

The Iowa bill also defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” with exclusions for deidentified and publicly available information.

Requirements for consumer rights, notices, and processor contracts are generally aligned to the Utah law, but with some notable deviations regarding targeted advertising opt-outs and consumer rights response deadlines.

The Iowa bill would provide Iowa residents with rights similar to those offered to Utah residents under that state’s law, including rights to (1) know whether a covered organization is processing their personal data, (2) access and delete personal data, (3) data portability, and (4) opt-out of sales of personal data.

The bill’s provisions regarding targeted advertising, however, are unusual as compared to existing state laws. Those provisions would require controllers that engage in targeted advertising to “disclose the manner in which a consumer may exercise their right to opt out of such activity,” but do not explicitly provide consumers a right to opt out of targeted advertising—leaving some ambiguity regarding the extent of any such right and how it could be exercised.

The Iowa bill would also allow controllers up to 90 days to respond to a consumer rights request, with the potential for a 45-day extension. That would be the longest initial response period under any comprehensive state privacy law—no other state comprehensive privacy law allows longer than 45 days to fulfill a consumer rights request absent an extension. The bill also does not include the rights to correction or to opt out of “profiling” included in more onerous state laws.

The Iowa bill’s consumer notice requirements generally track those of the other non-California state laws. Controllers are required to make disclosures about the categories of personal data processed and disclosed to third parties, personal data processing purposes, how consumers can exercise their rights, and the categories of third parties who receive personal data. Like the Utah law, Iowa would only require an opt-out for sensitive data processing that is not otherwise permitted. That’s in contrast to the Virginia and Colorado laws, which require an opt-in consent for such processing.

Similar to the Colorado, Connecticut, Utah, and Virginia laws, Iowa would also require that processor contracts contain GDPR-style processing details, and provide that the processor will ensure each person processing personal data is subject to a duty of confidentiality and flow the same written contractual obligations regarding personal data down to its subcontractors. Iowa would also join Utah in not requiring processors to return and delete all personal data. But unlike Utah, the Iowa bill would require that processors contractually agree to provide controllers the information necessary to demonstrate the processor’s compliance. That requirement is similar to the Colorado, Connecticut, and Virginia requirements, except that Iowa’s processor contract provisions do not contemplate the potential for direct assessments by controllers.

The Iowa bill does not require data protection assessments.

The Iowa bill also mimics Utah’s business-friendly approach of not requiring data protection assessments for any personal data processing activities. That is a noticeable deviation from Colorado, Connecticut, and Virginia, which require data protection assessments for various activities such as targeted advertising, personal data sales, sensitive data processing, and processing that presents a heightened risk of harm to consumers.

The Iowa bill follows Utah and Virginia’s narrow definition of “sales” of personal data.

Iowa would adopt the relatively narrow definition of “sale” as “the exchange of personal data for monetary consideration.” That’s in contrast to the broader definitions in the Colorado, Connecticut, and California laws, which also include exchanges for “other valuable consideration” within the definition of “sale.”

The Iowa attorney general has exclusive enforcement authority with no private right of action.

Iowa’s Attorney General has exclusive enforcement authority. Iowa notably did not adopt Utah’s unique enforcement approach, which required review by both the Utah Department of Commerce’s Division of Consumer Protection and the Utah Attorney General prior to allowing an enforcement action.

Any enforcement by the Iowa Attorney General, however, is still subject to a 90-day notice-and-cure period—which would be the longest cure period under any state comprehensive privacy law by 30 days. If a controller or processor does not cure the violation or continues to violate the Iowa law following the cure period, the Iowa attorney general can pursue an enforcement action for civil penalties up to $7,500.

The statute also expressly provides that it does not create a private right of action.

Effective on January 1, 2025.

The law would become effective on January 1, 2025, which allows organizations a little over a year and a half to address Iowa privacy requirements.

* * * *

The Iowa bill is a favorable development for businesses in the sense that it joins Utah in adopting a relatively less onerous and more business-friendly comprehensive privacy statute. But Iowa nonetheless represents another entry in the continuously expanding and increasingly complex patchwork of US privacy legal requirements for companies and their lawyers to address. And in that regard, it will undoubtedly amplify calls for a comprehensive federal privacy law with broad preemption of state privacy legislation.

If you would like to discuss the implications of Iowa or other states’ legal requirements for your organization, or need help formulating and implementing a compliance strategy, please reach out to any member of the Wyrick Robbins privacy team.