Iowa Set to Become the Sixth State to Enact Comprehensive Privacy Legislation

Saul Ewing LLP

On Wednesday, March 15, the Iowa House of Representatives unanimously voted to approve Senate File 262 (SF 262), a comprehensive data privacy bill that had unanimously passed the Senate on March 6. The bill now moves to the Governor’s desk to be signed into law (if the Governor neither signs nor vetoes the bill, it becomes law after three days while the legislature is in session) and, if enacted, will be the sixth omnibus state privacy law in the country, following laws in California, Colorado, Connecticut, Utah and Virginia.

What You Need to Know:

  • If enacted, the Iowa bill would go into effect on January 1, 2025.
  • The Iowa bill shares the basic framework of the laws in effect, or set to go into effect in 2023, in Colorado, Connecticut, Utah and Virginia.
  • Of the existing state privacy laws, the Iowa bill most closely tracks Utah’s privacy law, and includes various business-favorable provisions, including a cure period, delayed effective date and lack of a private right of action.

Of the existing state privacy laws, the Iowa bill most closely tracks Utah’s privacy law, and it includes various business-favorable provisions. For instance, the bill does not contain a private right of action and grants the Iowa state attorney general (AG) exclusive enforcement authority. In addition, the state AG must give a controller or processor of personal data a 90-day cure period before initiating an action. The bill also includes broad exemptions for various entities and for data already regulated under certain federal laws.

Below is a high-level overview of SF 262 which, if enacted, would go into effect on January 1, 2025.

Applicability Thresholds

SF 262 applies to entities that conduct business in Iowa or target consumers who are Iowa residents, and that meet at least one of the following thresholds during a calendar year: (1) control or process the personal data of at least 100,000 consumers (i.e., residents of Iowa), or (2) control or process the personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

Broad Exemptions

Like California, Colorado, Connecticut, Utah and Virginia’s privacy laws, SF 262 exempts and does not apply to various entities and information types, including:

  • Data regulated by the Fair Credit Reporting Act (FCRA)
  • State and municipal entities, political subdivisions, banks, and financial companies subject to the Gramm-Leach-Bliley Act (GLBA)
  • Certain healthcare organizations subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Non-profits, higher education institutions, and data regulated by the Family Educational Rights and Privacy Act (FERPA)
  • Data governed by the Children’s Online Privacy Protection Act of 1998 (COPPA)
  • Certain information related to employment

Consumer Rights

SF 262 creates several consumer rights similar to other state privacy laws, including:

  • The right to confirm whether a controller is processing the consumer’s personal data and to access that data
  • The right to delete data provided by the consumer
  • The right to data portability
  • The right to opt-out of data sales
  • The right to nonretaliation for exercising consumer rights

Controller Obligations

Like other data privacy laws, SF 262 creates specific requirements for controllers of personal data, including:

  • Implementing reasonable data security practices
  • Providing consumers with clear notice and an opportunity to opt-out of sensitive data processing for certain purposes
  • Providing privacy notices that identify: (1) the categories of personal data processed; (2) the purposes for processing personal data; (3) how consumers may exercise their consumer data rights; (4) the categories of personal data the controller shares with third parties; and (5) the categories of third parties with whom the controller shares personal data.

Processor Obligations

SF 262 imposes a range of requirements on processors, including requiring that a contract govern a processor’s execution of data processing activities on behalf of the controller.

Enforcement and Implementation

SF 262 gives the AG sole authority to enforce the law, but it lacks various enforcement features that are prominent in other state privacy laws. For example, SF 262 does not:

  • Create a private right of action (California’s law has a limited private right of action)
  • Create rulemaking authority for the state AG (unlike Colorado’s law)
  • Create a separate privacy-centered enforcement agency (like the California Privacy Protection Agency)

Next Steps

Assuming the bill becomes law, companies will need to take the Iowa law into account when developing their privacy compliance programs. Furthermore, companies that provide services to other companies falling within the scope of the law will need to address the contractual requirements the law creates for processors.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising
