Iowa and Indiana Add to Growing Privacy Patchwork

Robert Botkin, Sarah Fulton Hutchins
Parker Poe Adams & Bernstein LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Parker Poe Adams & Bernstein LLP

Iowa became the sixth state with a comprehensive privacy law after passing the Act Relating to Consumer Data Protection (ICDPA), with Indiana’s Senate Bill 5 set to cause Indiana to become the seventh, following Governor Holcomb’s signature. These two new laws are not the most restrictive of the bunch; however, the growing number of nuances among state privacy laws can make compliance burdensome.

Iowa’s law goes into effect on January 1, 2025, with Indiana’s law becoming effective a year later, on January 1, 2026. This long timeline leaves a significant legislative runway for amendments to be introduced and passed. The most likely reason for such a long compliance timeline is to put pressure on Congress to pass privacy legislation while minimizing the impact on small and medium sized businesses with regard to compliance expenditures if the federal privacy law preempts state laws.

Thresholds

Both laws apply to businesses conducting business in the state that are either (1) controlling or processing the personal data of at least 100,000 residents or (2) controlling or processing the personal data of 25,000 residents and deriving over 50% of gross revenue from the sale of personal data.

Consumer Rights and Controller Obligations

Both state laws provide consumers with the right to:

  • confirm whether a controller is processing the consumer’s personal data and accessing the personal data;
  • delete personal data provided by the consumer;
  • data portability; and
  • opt-out of the sale of personal data.

Furthermore, Indiana consumers also have the right to opt-out of profiling for decisions that have a legally significant effect. Other states call this the right to opt-out of algorithmic decision making.

Both laws require controllers to implement reasonable security practices, provide a compliant privacy notice to consumers, and enter into agreements with processors that handle the controller’s personal data. Indiana requires controllers to undertake data protection assessments, whereas Iowa does not.

Right to Cure

Both states provide a right to cure following a notice of violation: 90 days in Iowa and 30 days in Indiana. Unlike certain provisions of California’s privacy laws, these cure periods do not sunset automatically.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Parker Poe Adams & Bernstein LLP | Attorney Advertising

Written by:

Parker Poe Adams & Bernstein LLP
Parker Poe Adams & Bernstein LLP
Contact
more
less

Parker Poe Adams & Bernstein LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide