On March 15, 2023, the Iowa legislature unanimously passed Senate File 262, the Consumer Privacy Act, which relates to consumer data and privacy protection. Once signed by Iowa’s governor, the statute will become operative on January 1, 2025, and Iowa will join California, Colorado, Connecticut, Utah, and Virginia in passing a comprehensive consumer privacy statute.
Covered businesses that must comply with the requirements of this new consumer privacy law are those entities that control or process personal data on 100,000 consumers in the state or derive 50% of their revenue from selling the data of more than 25,000 consumers.
Under the statute, a consumer is defined as a natural person who is a resident of Iowa and acting only in an individual or household context. The definition of consumer excludes individuals acting in a commercial or an employment context.
The Act applies to Personal Data, which means information linked or reasonably linkable to an identified individual or an identifiable individual.
Consumer Data Rights
The statute provides consumers with the following rights:
- To confirm that covered businesses are processing the consumer’s personal data and access that personal data.
- To delete personal data provided by the consumer.
- To port the personal data.
- To obtain a copy of the consumer’s personal data with certain limitations.
- To opt out of processing for the sale of personal data or targeted advertising.
Covered Business Obligations
Covered businesses under the statute must comply with requests by consumers to exercise their rights as follows:
- Respond to consumer requests without undue delay, but in all cases within 90 days of receipt of the request. The response period may be extended by 45 days when reasonably necessary, based on the complexity of the request and the number of consumer requests.
- If the covered business declines to take action, it must inform the consumer.
- Information provided in response to a consumer request must be provided to the consumer free of charge twice annually per consumer.
In addition to complying with consumer requests, covered businesses must:
- Adopt reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
- Protect sensitive data, a broad category under the statute that includes racial information, biometric data, and even geolocation, and not process such data without first presenting the consumer with clear notice and an opportunity to opt out of such processing.
- Avoid processing data in such a way as to violate the state or federal laws that prohibit unlawful discrimination against a consumer. Moreover, a covered business may not discriminate against a consumer for exercising rights under the statute including denying goods or services or changing the prices or rates.
- Contractually obligate processors to adhere to the business’s instructions, where the business is a controller, and implement appropriate technical and organizational measures to assist the controller in meeting its obligations under the Act.
- Develop a privacy notice and a secure and reliable means for consumers to submit requests to exercise their rights.
The statute does not include a private right of action and the attorney general of the state has exclusive authority to enforce the provisions of this chapter.
For additional information on Iowa’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.