Iowa Legislature Passes Consumer Data Privacy Bill

Husch Blackwell LLP

On March 15, 2023, the Iowa House voted 97-0 to pass SF 262. The bill previously passed the Senate by a vote of 47-0. The bill was procedurally messaged back to the Senate. Pending any remaining procedural hurdles and the governor’s signature, Iowa will become the sixth state to pass consumer data privacy legislation with a bill that rivals Utah as the most business-friendly legislation passed to date.

In the post below, we compare the Iowa bill to the five existing state privacy laws. You can also access a PDF of the comparison charts here. In addition, Keir Lamont and Mercedes Subhani from the Future of Privacy Forum prepared a very useful chart comparing the Iowa bill to the Connecticut Data Privacy Act.

Applicability Thresholds

| Law | Monetary Threshold | # of Consumers Threshold | Sell/Share Threshold |
|---|---|---|---|
| California | $25,000,000 | 100,000 consumers or households; 0.26% of state’s 39.2 million population | Derives 50% or more of annual revenues from selling or sharing consumers’ personal information |
| Colorado | N/A | 100,000 consumers; 1.72% of state’s 5.8 million population | Derives revenue or receives a discount on the price of goods or services from the sale of personal data + processes or controls the personal data of 25,000 or more consumers |
| Connecticut | N/A | 100,000 consumers; 2.78% of state’s 3.6 million population | Derives more than 25% of gross revenue from sale of personal data + control or process personal data of not less than 25,000 consumers |
| Iowa | N/A | 100,000 consumers; 3.125% of state’s 3.2 million population | Derives over 50% of gross revenue from sale of personal data + controls or processes personal data of 25,000 or more consumers |
| Utah | $25,000,000 (+ another category) | 100,000 consumers; 3.03% of state’s 3.3 million population | Derives over 50% of gross revenue from sale of personal data + controls or processes personal data of 25,000 or more consumers |
| Virginia | N/A | 100,000 consumers; 1.16% of state’s 8.6 million population | Derives over 50% of gross revenue from sale of personal data + control or process personal data of at least 25,000 consumers |

Rights

| Right | Cal. | Colo. | Conn. | Iowa | Utah | Virginia |
|---|---|---|---|---|---|---|
| Know / Confirm | Yes | Yes | Yes | Yes | Yes | Yes |
| Access | Yes | Yes | Yes | Yes | Yes | Yes |
| Data portability | Yes | Yes | Yes | Partial | Partial | Yes |
| Deletion | Partial | Yes | Yes | Partial | Partial | Yes |
| Correct inaccuracies | Yes | Yes | Yes | No | No | Yes |
| Not be discrim. against | Yes | Yes | Yes | Partial | Partial | Yes |
| Opt-out of sale | Yes | Yes | Yes | Yes | Partial | Yes |
| Opt-out of targeted advertising / sharing | Yes | Yes | Yes | Unclear (right is not listed in consumer rights provision of bill but controllers must provide means to opt out) | Yes | Yes |
| Opt-out of certain types of profiling | Yes | Yes | Yes | No | No | Yes |
| Recognize opt out signals | Yes (through rulemaking) | Yes | Yes | No | No | No |

Other Provisions

| Provision | Cal. | Colo. | Conn. | Iowa | Utah | Virginia |
|---|---|---|---|---|---|---|
| Data Protection Assess. | TBD (rulemaking) | Yes | Yes | No | No | Yes |
| Definition of sale | Monetary or other valuable consid. | Monetary or other valuable consid. | Monetary or other valuable consid. | Monetary consid. | Monetary consid. | Monetary consid. |
| Opt out Request Must be Verified | No | Yes | No | Yes | Yes | Yes |
| Treatment of Sensitive Data | Right to Limit Use | Opt-in | Opt-in | Notice and opt-out | Notice and opt-out | Opt-in |
| GLBA exemption | Data level | Entity and data level | Entity and data level | Entity and data level | Entity and data level | Entity and data level |
| Additional Children’s Rights | Opt-in for selling or sharing of PI of children ages 13-15 | No | Opt-in for targeted advertising or sale of PI of children ages 13-15 | No | No | No |
| Data Processing Agreements | Yes | Yes | Yes | Yes | Yes | Yes |
| Privacy Policy | Yes | Yes | Yes | Yes | Yes | Yes |
| Implement Reasonable Data Security Measures | Yes | Yes | Yes | Yes | Yes | Yes |
| Duty to Avoid Secondary Use | Yes | Yes | Yes | No | No | Yes |
| Data Minim. | Yes | Yes | Yes | No | No | Yes |
| Enforcement | Attorney General / Agency (limited PRA for data breaches) | Attorney General | Attorney General | Attorney General | Attorney General | Attorney General |
| Right to Cure | Expired | 60 days (sunsets Jan. 1, 2025) | 60 days (sunsets Dec. 31, 2024) | 90 days (does not sunset) | 30 days (does not sunset) | 30 days (does not sunset) |
| Rulemaking | Yes | Yes | No | No | No | No |
| Effective Date | Jan. 1, 2023 | July 1, 2023 | July 1, 2023 | Jan. 1, 2025 | Dec. 31, 2023 | Jan. 1, 2023 |


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Husch Blackwell LLP | Attorney Advertising
