Iowa will soon be the sixth state in the nation with a comprehensive consumer privacy law – but the good news for employers is that it does not apply to data collected in the employment context and does not include a private right of action. Iowa Senate File 262 passed in the House on March 15 after previously passing in the Senate. It is expected to soon be signed into effect by the governor and will take effect on January 1, 2025. What does this law mean for your business? Here are the answers to your five biggest questions.

1. Will Iowa’s Law Catch Businesses By Surprise?

For the most part, no. Companies that are already complying with the other state consumer privacy laws – including California, Utah, Colorado, Connecticut, and Virginia – will find this law familiar. It is most similar to the Utah Consumer Privacy Act, which takes effect December 31.

2. What Does SF262 Require?

If your company is in compliance with other states’ consumer privacy laws, it is likely there is little additional work needed to comply with Iowa’s new law. SF262 will require companies to provide to consumers certain notices and access to a privacy policy. Iowa consumers have the right to access, delete, know, and opt out of the sale of personal information. Unlike California’s CCPA, SF262 does not require an opt-in consent for sensitive personal information, nor does it offer consumers a right to correct.

3. To Whom Does Iowa’s Law Apply?

The new Iowa law applies to businesses in the state or out-of-state businesses that target their products or services to residents of the state and that:

• control or process personal data of at least 100,000 Iowa residents; or
• derive over 50% of their annual gross revenue from the sale of personal data and also control or process personal data of 25,000 or more Iowa residents.

With this relatively high threshold and current population of Iowa hovering around 3.2 million, most businesses in this state will not be subject to the law.

4. What Exemptions Exist?

Unlike California’s broadly sweeping consumer privacy law which applies to employee and job applicant data, the Iowa law does not apply to data collected, created, or received in the employment context from or about an employee or job applicant for employment-related purposes. Also excluded from SF262’s definition of “consumer” is a person acting in a commercial or employment context. This is a big win for employers in the state.

5. What Are the Penalties for Non-Compliance?

SF262 does not create a private right of action for consumers. Like California’s CCPA, this law gives authority to the Iowa Attorney General to investigate non-compliance and assess penalties of up to $7,500 per violation of the statute.

Conclusion

Nothing in this law comes as a surprise, as it closely aligns with other states’ comprehensive consumer privacy laws. But it is a continuation of the trend sweeping the nation, as over a dozen other states currently have pending consumer privacy legislation. This will likely not be the only state to pass this type of legislation this year.