On Wednesday, March 15, Iowa’s House Legislature unanimously voted to approve Senate File 262 (SF 262), a comprehensive data privacy bill that unanimously passed the Senate on March 6. The bill will now move to the Governor’s desk to be signed into law (if the Governor does not sign or veto the bill, it will become law after three days during the legislative session) and, if enacted, will become the sixth omnibus state privacy law in the country, following laws in California, Colorado, Connecticut, Utah and Virginia.
What You Need to Know:
- If enacted, the Iowa bill would go into effect on January 1, 2025.
- The Iowa bill shares the basic framework of the laws in effect, or set to go into effect in 2023, in Colorado, Connecticut, Utah and Virginia.
- Of the existing state privacy laws, the Iowa bill most closely tracks Utah’s privacy law, and includes various business-favorable provisions, including a cure period, delayed effective date and lack of a private right of action.
Of the existing state privacy laws, the Iowa bill most closely tracks Utah’s privacy law, and includes various business-favorable provisions. For instance, the bill does not contain a private right of action and grants the Iowa state attorney general (AG) exclusive enforcement authority. In addition, the state AG must provide a controller or processor of personal data with a 90-day cure period prior to initiating an action. The bill also includes broad exemptions for various entities and for data regulated under certain federal laws.
Below is a high-level overview of SF 262 which, if enacted, would go into effect on January 1, 2025.
Applicability Thresholds
SF 262 applies to entities conducting business in Iowa or targeting consumers who are Iowa residents, and that meet at least one of the following thresholds during a calendar year: (1) control or process data of at least 100,000 consumers (i.e., residents of Iowa), or (2) control or process data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.
Broad Exemptions
Like California, Colorado, Connecticut, Utah and Virginia’s privacy laws, SF 262 exempts and does not apply to various entities and information types, including:
- Data regulated by the Fair Credit Reporting Act (FCRA)
- State and municipal entities, political subdivisions, banks, and financial companies subject to the Gramm-Leach-Bliley Act (GLBA)
- Certain healthcare organizations subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Non-profits and higher education institutions, as well as data regulated by the Family Educational Rights and Privacy Act (FERPA)
- Data governed by the Children’s Online Privacy Protection Act of 1998 (COPPA)
- Certain information related to employment
Consumer Rights
SF 262 creates several consumer rights similar to other state privacy laws, including:
- The right to confirm whether a controller is processing data and to access that data
- The right to delete data provided by the consumer
- The right to data portability
- The right to opt-out of data sales
- The right to nonretaliation for exercising consumer rights
Controller Obligations
Like other data privacy laws, SF 262 creates specific requirements for controllers of personal data, including:
- Implementing reasonable data security practices
- Providing consumers with clear notice and an opportunity to opt-out of sensitive data processing for certain purposes
- Providing privacy notices that identify: (1) categories of personal data processed; (2) purposes for the processing of personal data; (3) how consumers may exercise their consumer data rights; (4) categories of personal data the controller shares with third parties; and (5) categories of third parties with whom the controller shares personal data.
Processor Obligations
SF 262 imposes a range of requirements on processors, including requiring that a contract govern a processor’s execution of data processing activities on behalf of the controller.
Enforcement and Implementation
SF 262 gives the AG sole authority to enforce the law, but lacks various enforcement features prominent in other state privacy laws. For example, SF 262 does not:
- Create a private right of action (California’s law has a limited private right of action)
- Create rulemaking authority for the state AG (unlike Colorado’s law)
- Create a separate privacy-centered enforcement agency (like the California Privacy Protection Agency)
Next Steps
Assuming the bill becomes law, companies will have to take the Iowa bill into consideration when developing their privacy compliance programs. Furthermore, companies that provide services to other companies that fall within the scope of the law will need to address the contractual requirements created by the law.