Iowa is the Sixth State to Adopt Comprehensive Data Privacy Law

Rebecca Jacobs Goldman, Grant Lukas, S. Jenell Trigg
Lerman Senter PLLC
Contact
LinkedIn
Facebook
X
Send
Embed

Iowa has become the sixth state in the country to enact a comprehensive consumer privacy law, joining California, Virginia, Colorado, Connecticut, and Utah. The “Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions Act” (the “Iowa Act”) will apply to businesses producing products or providing services that are targeted to Iowa residents and that either (a) control or process personal data of at least 100,000 Iowa consumers during a calendar year; or (b) control or process personal data of at least 25,000 Iowa consumers and derive more than 50% of their annual gross revenue from the sale of personal data. “Consumers” are defined as a resident of the state acting only in an individual or household context and excluding a natural person acting in a commercial or employment context. The Iowa Act does not apply to non-profit organizations. The new law will go into effect on January 1, 2025.

The Iowa Act adopts a virtually identical definition of “controller” and “processor” as the Virginia, Colorado, Connecticut and Utah laws. Controllers determine the purposes for and means by which personal data is processed, and processors process personal data on behalf of controllers.

Highlighted Provisions

Similar to other state privacy laws, the Iowa Act gives consumers the following rights:

  • To confirm whether a controller is processing their personal data and to access the data;
  • To delete data provided by the consumer to the controller;
  • To obtain a copy of personal data they provided to the controller; and
  • To opt-out of the “sale” of their personal data.

Notably, the Iowa Act does not: (1) give consumers a right to correct inaccuracies in their personal data; (2) include any requirement for controllers to conduct data protection assessments, or (3) hamper controllers with obligations to minimize data collection only to what is reasonably necessary.

The Iowa Act mandates the following duties to controllers and processors:

  • Provide reasonably accessible and clear notice to consumers that includes: (1) what categories of personal data will be processed, (2) the purpose for the processing personal data, (3) how consumers may exercise their rights, (4) the categories of personal data the controller shares with third parties, and (5) the categories of third parties with whom the controller shares personal data;
  • Respond to consumer requests within 90 days (the longest of any state law), and a 45-day extension option provided notice of the extension is given within the initial period; and
  • Provide consumers notice after “sensitive data” is collected and the opportunity for consumers to opt-out from any processing of such data.

Enforcement

The Iowa Act will be exclusively enforced by the State Attorney General and does not provide for a consumer’s private right of action. Iowa provides controllers and processors a permanent 90-day cure period to fix alleged violations before the Attorney General can commence an enforcement action, and damages are limited to civil penalties of up to $7500 per violation.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Lerman Senter PLLC | Attorney Advertising

Written by:

Lerman Senter PLLC
Lerman Senter PLLC
Contact
more
less

Lerman Senter PLLC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide