The Iowa Legislature just wrapped up its 2020 session. In the end, the COVID-19 pandemic dictated much of this year’s legislative agenda. There is little doubt that this interrupted several legislative initiatives, including one that could have significantly changed the privacy rights of Iowans. Proposed early in March, the legislation could have required Iowa businesses to provide privacy rights to consumers that are similar to the rights provided by the California Consumer Privacy Act (“CCPA”).
Senate File 2351 started as legislation to give individuals the right to request that websites and search engines remove information “which, after a significant lapse in time from its first publication, is no longer material to current public debate or discourse . . . .” On its own, this legislation would have had significant, but limited, consequences for search engines and certain website operators.
That all changed on March 11, 2020 when an amendment, S-5084, significantly revised the bill. The scope was no longer limited to website operators and search engines. The new legislation applied to “controllers” and “processors” which were defined as:
“Controller” means a person who, separately or in combination with another person, determines the purpose and methodology of the processing of personal data.
“Processor” means a person who processes personal data on behalf of a controller.
These new definitions expanded the scope of the law beyond search engines to cover most Iowa businesses. Under these definitions, Iowa businesses would be required to significantly change the way they handle “personal data” of their customers.
S-5084 defined “personal data” as data typically considered sensitive, such as names in conjunction with Social Security numbers, driver’s license numbers, and financial account numbers. However, S-5084 also defined “personal data” to include any data revealing racial or ethnic origin, religious beliefs, mental condition, physical condition, or sexual orientation.
If an organization is a controller or processor, then an individual may request all of the following:
a. A determination regarding whether the controller or processor possesses the individual’s personal data.
b. Copies of the individual’s personal data that is in the possession of the controller or processor.
c. Correction of the individual’s personal data that is in the possession of the controller or processor and that the individual indicates in the request is incorrect.
d. Cessation of the controller or processor’s sale of the individual’s personal data.
e. Cessation of the controller or processor’s use of the individual’s personal data for purposes of targeted advertising or profiling in furtherance of decisions that may result in the denial of consequential services or support, such as financial or lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, and access to basic necessities, such as food and water.
Organizations would need to be able to provide individuals with copies of their data, and, in some cases, delete individual’s data upon request. Organizations receiving such a request would have had 45 days to respond. The organization could deny the request if it could not authenticate the request.
Further, the legislation would have required organizations that collect “sensitive data” to obtain an individual’s consent before collection. Sensitive data includes:
a. Data revealing an individual’s racial or ethnic origin, religious beliefs, mental condition, physical condition, or sexual orientation.
b. A minor’s personal data.
c. An individual’s geolocation data.
d. An individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable, or are encrypted, redacted, or otherwise altered by any method or technology but the keys to unencrypt, unredact, or otherwise read the data elements have been obtained through a breach of security:
(1) Social Security number.
(2) Driver’s license number or other unique identification number created or collected by a government body.
(3) Financial account number, credit card number, or debit card number in combination with any required expiration date, security code, access code, or password that would permit access to an individual’s financial account.
(4) Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(5) Unique genetic or biometric data, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of genetic or biometric data.
(6) Data pertaining to the ownership or acquisition of a firearm.
The law excluded from the definition of “custodians” state and political subdivisions, certain financial institutions, certain healthcare organizations, and entities with fewer than 20 employees or an annual gross income of less than $4 million. However, the exclusion only applies to the definition of “custodians,” not “controllers” or “processors.” So organizations that collect or process data would still be required to, for example, disclose the types of information it has collected.
This law would have had a significant impact on businesses in Iowa. Much like entities doing business in California, Iowa businesses would be required to respond to individual requests to provide and delete data. Further, organizations that hold data would have been required to develop and implement privacy policies and procedures to safeguard data.
There is no way to know if this legislation would have gained traction in a normal legislative session. However, California has once again proven to be a bellwether. At least two dozen other states have considered data privacy legislation. While the pandemic may have interrupted Iowa’s consideration this year, Iowa businesses can expect data privacy legislation will receive serious consideration in the coming years. In the meantime, organizations should consider trying to stay ahead of the legislation by proactively updating their security and privacy procedures.