On March 28, 2023, Iowa became the sixth state to enact a comprehensive consumer privacy law. If the thought of having to comply with yet another state privacy law is causing a sense of panic, fret not. Iowa’s bill is largely modeled after existing state laws which should remove any material compliance burdens other than responding to Iowa data subject requests.

• Timeline and Applicability. The law goes into effect on Jan. 1, 2025. It applies to businesses that control or process the personal data of at least 100,000 Iowa consumers or derive more than 50% of gross revenue from the sale of personal data if the business controls or processes the data of at least 25,000 Iowans.
• The Iowa Law’s Familiar Structure Reduces Compliance Burdens. The Iowa law has the same basic structure as the other comprehensive state privacy laws. It assigns different obligations to controllers and processors. It does not apply to employees or individuals acting outside of personal or household reasons. And the law contains familiar definitions for personal data (information linked or reasonable linkable to an identified or identifiable natural person) and sensitive personal data (genetic/biometric data, precise geolocation information, racial/ethnic information, religious beliefs, mental/physical health diagnosis, sexual orientation, and citizenship or immigration status). That compatibility with other states’ laws should reduce costs for businesses while also expanding basic (albeit limited) rights to Iowans.
• Rights Available to Consumers Largely Mirror those Provided by other Laws. The law also provides consumers with the same basic rights that we have become accustomed to here in the States: the right to access, to delete, to data portability, and to opt out of sales. Speaking of sales, the Iowa law uses the traditional, non-CCPA definition of sale. That is, an exchange of personal data for monetary consideration. A question that the law does not clearly answer is whether there is a right to opt-out of processing for purposes of targeted advertising. This right is not explicitly listed alongside the other rights mentioned above. Controllers, however, are required to provide consumers with the option to opt out of targeted advertising. Other obligations imposed on controllers include limiting the purposes for which data is processed, implementing reasonable data security safeguards, obtaining clear and affirmative consent from the consumer before processing their sensitive data, not discriminating against consumers for exercising their rights, posting a privacy notice, and implementing data processing agreements. Those rights don’t necessarily prohibit odious (in the consumer’s judgment) uses of personal data (after all, a consumer has no knowledge of many companies that use the consumer’s data, so a consumer shouldn’t be expected to exercise rights with respect to such a company). However, the law elevates Iowans’ control over their personal data.
• Enforcement Structure is Business-Friendly. The Iowa privacy law does not offer a private right action and instead, will be enforced by the Iowa Attorney General. A 90-day cure period is provided, after which violations will be subject to a fine of $7,500 per violation. Iowa’s 90 cure period is longer than such windows provided under other comprehensive privacy laws, as other states tend to have 60-day periods or no automatic right to cure whatsoever.

Colorado Finalizes Colorado Privacy Act Rules

There wasn’t much that was novel or newsworthy in the Iowa law, so we wanted to also provide an important update on Colorado’s privacy law that might materially impact your privacy operations. The Colorado Attorney General’s Office recently finalized its rules for the Colorado Privacy Act (CPA). The rules go into effect on July 1, 2023. These regulations are somewhat similar to California’s regulations and have also drawn inspiration from the GDPR. They require companies to provide consumers with comprehensive privacy notices that clearly describe the purposes for processing.

The rules require business to adhere to some of the obligations mentioned above, and some unique obligations. Businesses must implement a mechanism for consumers to exercise their rights. Businesses must also restrict the amount of information they collect and ensure they obtain consent if they intend to process sensitive information or process information about children. If biometric identifiers are collected, a business must conduct annual reviews to determine whether the retention of such data remains justified.

The Colorado rules also discuss universal opt-out mechanisms. Similar to the California Privacy Rights Act (CPRA), the CPA gives consumers the ability to use a universal opt-out mechanism to communicate their opt-out preferences (e.g., opt outs of targeted advertising or sales) to businesses. These signals must be honored beginning on July 1, 2024. Unlike California, Colorado authorities will post and maintain a list of officially recognized opt out mechanisms (the list will be published no later than January 1, 2024). The Colorado rules provide clarity to consumers and companies by (i) establishing clear date by when responding to opt out preference signals becomes mandatory and (ii) publicly posting what opt out preference signals controllers must honor—much unlike the California regulations.

As you can tell, things are moving fast in the privacy world. We will continue to monitor the landscape and keep you apprised of developments as they occur.