Iowa enacts the sixth state-level comprehensive data privacy law

Eversheds Sutherland (US) LLP

On March 29, 2023, the Iowa Governor signed into law a consumer data privacy law which enters into force on January 1, 2025.

Entities already complying with other enhanced state privacy laws should not experience any significant additional compliance burden, while organizations regulated by the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), or the Health Information Technology for Economic and Clinical Health Act (HITECH) will enjoy an entity-level exemption.

The Iowa privacy law, designed to be more business-friendly than other US state privacy laws, also does not apply in the B2B or employment context, and it does not have a private right of action. While it requires businesses that sell data to provide an opt-out, Iowa adopts a narrower definition of a sale than does California, and it exempts pseudonymous data from that opt-out right.

Jurisdiction

The Iowa statute applies to a person conducting business in the state or producing products or services that are targeted to consumers who are residents of the state and, during a calendar year, either: (1) controls or processes personal data of at least 100,000 consumers or (2) controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.

Like the Colorado Privacy Act (ColoPA) and the Connecticut Data Privacy Act (CTDPA), and unlike the California Privacy Rights Act (CPRA), the Utah Consumer Privacy Act (UCPA), and the Virginia Consumer Data Protection Act (VCDPA), there is no annual revenue threshold. The absence of an annual revenue threshold means that smaller businesses will be covered by the law. Like the UCPA, CPRA, and VCDPA, the law also applies to businesses that derive over 50% of gross revenue from the sale of personal data; the CTDPA threshold is only 25% of gross revenue.

Exemptions

The statute exempts the state and political subdivisions, as well as institutions and their affiliates subject to either the GLBA, HIPAA, or HITECH. Nonprofit organizations and higher education institutions are also exempt.

Additionally, the statute exempts specific data and information subject to HIPAA, the Health Care Quality Improvement Act of 1986, the Patient Safety and Quality Improvement Act, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, and personal data used in accordance with the Children’s Online Privacy Protection Act (COPPA). Data processed and maintained as emergency contact information, or as necessary to administer benefits for another individual, is also exempt.

Unlike the CPRA, but like the ColoPA, VCDPA, UCPA, and the CTDPA, the Iowa law does not apply in a B2B or employment context to a natural person acting in a commercial or employment context.

In a departure from other US and global privacy laws, Iowa has specific exemptions for pseudonymous data, which is defined as “personal data that cannot be attributed to a specific natural person without the use of additional information.” Pseudonymous data is exempt from the consumer’s data rights and the controller’s duties (discussed further below), so long as the information necessary to identify the consumer is kept separately and is subject to technical and organizational measures to ensure it is not attributed to an identified or identifiable natural person.

Privacy notice

Controllers (a person that determines the purpose and means of processing personal data) must provide a privacy notice that is reasonably accessible, clear, and meaningful and includes the following: (1) the categories of personal data processed; (2) the purpose for processing personal data; (3) how consumers may exercise their consumer rights and the right to appeal a controller decision; (4) categories of personal data that the controller shares with third parties; and (5) categories of third parties with whom the controller shares personal data.

The requirements are similar to those of other privacy laws. Privacy notices that already comply with the CPRA and the VCDPA (the latter covering the appeal rights that the CPRA does not have) should therefore satisfy Iowa’s requirements.

Consumer rights

The statute gives consumers the right to request the following from a controller: (1) to confirm whether a controller is processing personal data and access to such personal data; (2) to delete personal data provided by the consumer; (3) to obtain a copy of the consumer’s personal data previously provided to the controller, except personal information subject to security breach protection; and (4) to opt out of the sale of personal data. Like Utah, the Iowa law does not grant consumers the right to correct inaccurate data. The Iowa law does not require any specific disclosures or requirements around automated decision making.

Consumers exercising these rights may not be discriminated against by the controller for exercising consumer rights. Contracts to limit consumer rights are unenforceable. A controller must respond to a consumer request, or inform the consumer of any justification for declining to respond to a consumer request, without undue delay and within a maximum of 90 days. The response period may be extended an additional 45 days “when reasonably necessary upon considering the complexity and number of the consumer’s requests.” This response period is significantly longer than the 45-day response period found in other privacy laws.

Sale of data, targeted advertising, and profiling

If a consumer’s personal data is sold to third parties or the controller engages in targeted advertising, then the controller must clearly and conspicuously disclose the sale and targeted advertising to consumers and inform the consumer how to opt out. “Sale of personal data” is defined as “the exchange of personal data for monetary consideration by the controller to a third party.” This definition aligns with the more narrow definitions of “sale” that Virginia and Utah have adopted in that it excludes other types of consideration.

The opt-out provision is similar to those found in the CPRA, ColoPA, VCDPA, and CTDPA as it relates to targeted advertising and the sale of personal data. However, like Utah, the Iowa law does not reference profiling or include an opt-out provision for profiling.

Data security

A controller must adopt and implement “reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.” This requirement is similar to those found in the California, Virginia, Colorado, Connecticut, and Utah statutes.

Data protection assessments

The Iowa law, like the UCPA, does not include a data protection assessment requirement. In contrast, the ColoPA and VCDPA require data protection assessments for certain processing. The CPRA, on the other hand, tasks the California Attorney General with issuing regulations that require businesses engaged in high-risk processing to submit risk assessments to the California Privacy Protection Agency.

Data processing requirements

Like all the enhanced state privacy laws, and Article 28(3) of the GDPR, the Iowa law requires controllers to have a contract (DPA) with processors detailing instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, duration of processing, and the rights and duties of both parties.

Under the contract, the processor must also be required to do the following: (1) ensure persons processing personal data are subject to a duty of confidentiality; (2) at the controller’s direction, delete or return all personal data at the end of the provision of services, unless retention of personal data is required by law; (3) upon reasonable request of the controller, make available to the controller all information in the processor’s possession necessary to demonstrate the processor’s compliance under this law; and (4) engage any subcontractor or agent under a contract requiring the subcontractor or agent to meet the processor’s duties with respect to personal data.

A CPRA DPA would more than suffice under Iowa law. Interestingly, the Iowa law does not mandate on-premises audit rights, but processors must assist controllers in fulfilling their duties under the law as far as reasonably practicable.

Iowa also places general limits on the processing of personal data (i.e., a purpose limitation), permitting personal data processing only to the extent it is (1) reasonably necessary and proportionate to the purposes of the statute; and (2) adequate, relevant, and limited to what is necessary in relation to the specific statutory purpose. Reasonable administrative, technical, and physical measures should be taken to protect the confidentiality, integrity, and accessibility of the personal data. The burden is on the controller to show that an exemption applies and that the two requirements listed above are met.

Sensitive data

Iowa, like Utah, requires the controller to present the consumer with “clear notice and an opportunity to opt out of such processing” before processing nonexempt sensitive data. The Iowa requirement aligns with the current GLBA standard which requires an opt-out option from disclosing personal information to non-affiliated third parties. In practice, the privacy notice informs the consumer of the sensitive data processing and the controller must then wait a reasonable amount of time, typically 30 days, between delivering the privacy notice and processing the sensitive data. Colorado, Virginia, and Connecticut, on the other hand, require consumers to affirmatively opt in to sensitive data processing. If the consumer is a known child, a controller may not process sensitive data unless it is processed in accordance with COPPA.

Sensitive data includes: (1) data including racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, except to the extent such data is used to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law; (2) genetic or biometric data that is processed for the purpose of uniquely identifying a natural person; (3) the personal data collected from a known child; and (4) precise geolocation data. This definition is similar to the definitions found in the VCDPA, ColoPA, UCPA, and CTDPA.

Right to appeal

Pursuant to the statute, a controller must establish a consumer appeal process to address declined consumer requests.

If a controller declines a consumer’s request, they shall inform the consumer without undue delay of the justification for declining the request. This notice must include instructions for appealing the decision.

The controller is not required to respond to a consumer request if all of the following are true: (1) the controller is not reasonably capable of associating the consumer request with personal data, or it would be unreasonably burdensome to do so; (2) the controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data; and (3) the controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor.

The controller must inform the consumer of its appeal decision and justification for the decision in writing within 60 days of the consumer’s appeal. Additionally, if the appeal is denied, then the notice must provide the consumer with an online mechanism through which to contact the attorney general to submit a complaint.

The right to appeal is similar to those under the ColoPA, VCDPA, and CTDPA. Utah does not provide a right to appeal.

Enforcement

There is no private right of action under the Iowa law, similar to the ColoPA, VCDPA, CTDPA, and UCPA.

The attorney general has exclusive enforcement power and may initiate a civil investigative demand whenever they have reasonable cause to believe there has been a violation of the statute. There is a ninety-day safe harbor period, because the attorney general must provide a controller or processor written notice of the alleged violations before initiating the civil investigative demand. If, within ninety days, the controller or processor cures the violation and provides the attorney general with a written statement that the violation has been cured, then no action will be taken by the attorney general. This safe harbor is significantly longer than those found in other state laws, which range from 30 to 60 days.

If the controller or processor fails to cure or later violates its written statement to the attorney general, then the attorney general may initiate an action and seek an injunction and civil penalties. Civil penalties are $7,500 per violation, which is the same under the UCPA.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
