Iowa Joins Five Other States with Comprehensive Privacy Law

King & Spalding

Iowa became the sixth U.S. state to pass a comprehensive privacy law after the governor signed Senate File 262 (“the Act”) on March 28. The Act significantly echoes its non-California predecessors, particularly the Utah Consumer Privacy Act (“UCPA”), and likely presents few additional compliance hurdles for businesses that have already taken steps to address sister state laws.

The Act applies to businesses that annually process the personal data of 100,000 or more Iowa consumers, with a lower threshold (25,000) for businesses that derive over half of their revenue from the sale of personal data. The Act continues the trend set by Virginia, Colorado, Connecticut, and Utah by limiting the definition of consumers to those acting in an individual or household context and expressly carving out commercial and employment contexts. Likewise, the Act extends the typical slate of exemptions to those entities that are regulated by another federal framework, such as HIPAA or GLBA, as well as nonprofits and institutions of higher education.

The Act requires businesses to provide consumers with basic data rights, including the rights to know, access, and delete their personal data. Consumers may also exercise rights to opt out of targeted advertising and sales of personal data. As with Virginia and Utah, the Act narrowly defines “sale” to mean exchanges of monetary consideration only. Notably, the Act provides businesses with 90 days to respond to data subject requests—much longer than the standard 45 days—with the option to extend that timeframe by an additional 45 days.

The Act joins Utah’s UCPA as the second state law to not extend a right to correct personal data, nor include a right to limit certain activities related to “profiling” or other automated processing. The Act also mimics the UCPA by requiring businesses to provide consumers with a “clear notice and opportunity to opt out” of processing of sensitive data. By comparison, Virginia, Colorado, and Connecticut impose a consent structure that more closely tracks an opt-in model for sensitive data.

Other provisions in the Act, such as the privacy notice disclosures and requirement that businesses obtain certain contractual commitments from third-party vendors, align with similar provisions across the non-California laws.

Finally, the Act does not include a private right of action. Businesses are afforded a 90-day window—the most generous timeline thus far—to cure any potential violations of the Act before the Iowa Attorney General takes enforcement action, which may include fines up to $7,500 per violation. The Act takes effect January 1, 2025.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
