Data Points: Privacy & Data Security Blog

On March 29, 2023, Iowa’s governor made Iowa the sixth state with a comprehensive privacy law, following in the footsteps of California, Colorado, Connecticut, Virginia and Utah. The Iowa Act Relating to Consumer Data Protection (ICDP) goes into effect on January 1, 2025.

The ICDP (which can be found here: https://custom.statenet.com/public/resources.cgi?id=ID:bill:IA2023000S262&cuiq=8e04c833-ee30-5394-bd10-4b61a2d27686&client_md=d7215793292e6d8c9cb26a1382d8546d&mode=current_text )

is most similar to the Utah Consumer Privacy Act, although the ICDP does not have a minimum annual revenue threshold for coverage.  Instead, the ICDP covers entities conducting business in Iowa or producing products or services that are targeted to residents of Iowa if the entity either (i) controls or processes the personal data of at least 100,000 consumers in a calendar year, or (ii) controls or processes the personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data. 

The ICDP contains familiar entity exemptions, including for financial institutions and affiliates subject to GLBA, entities subject to and required to comply with HIPAA and HITECH, and nonprofits, as well as information exemptions for PHI and various health records, information covered under FCRA, FERPA, DPPA,  the Farm Credit Act, and COPPA.  Like other comprehensive privacy laws in the U.S., Iowa deviates from California and does not cover data collected in the course of an individual applying to, being employed by or acting as an agent or independent contractor of a controller, processor or third party.

The ICDP  will be enforced by the Iowa Attorney General (AG).  There is no private right of action.  In addition, the AG must provide 90  days’ notice of a violation and an opportunity to cure.  Cure requires submission of proof to the AG and  a statement that there will be no further such violation.  If the  violation continues or the statement is breached, the AG can bring a civil action for injunctive relief and civil penalties of up to $7,500 per violation.

Personal data under the ICDP is broadly defined, as we have come to expect.  Covered entities will need to provide consumers with the right to know what data is collected about the consumer, the right to access personal data, the right to transfer certain personal data the consumer provided to the controller, and the right to delete personal data that the consumer provided to the controller.  The right to transfer carves out personal information” under section 715C.1 of the Iowa Code. Section 715C.1 is the Iowa data breach statute and covers social security numbers, driver’s license numbers, certain financial account and payment card data in combination with security codes or other access data, unique identifiers or codes enabling access to financial account, and unique biometric data. 

Consumers also have the right to opt-out of the sale of  personal data and the processing of “sensitive personal information” for a non-exempt purpose.   “Sale” is limited to transfers to third parties for monetary consideration.   Sensitive personal information includes data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status except if the data is used to avoid discrimination based on protected characteristics under applicable law; genetic or biometric data used to identify a person;  personal data of a known child, and precise geolocation data (within 1750 feet).  Information of a known child must comply with COPPA.  The ICDP does not expressly include the right to opt out of targeted advertising in its list of consumer rights, but if the contractor engages in targeted advertising,  it must clearly and conspicuously disclose the activity and the manner in which the consumer can opt out.  The controller also must establish an appeal process for denials of consumer rights and make the process conspicuously available.    Processor obligations are similar to those under other comprehensive data protection laws on the books, and the controller must have a contract with the processor.  Controllers are not required to have data protection assessments or honor global opt-out signals.  The ICDP does require data minimization, purpose limitations, privacy notices, security measures, nondiscrimination, and disclosure of whether the controller sells the consumer’s data. 

Iowa certainly will not be the last state to pass comprehensive privacy law, and businesses will continue to be challenged by the patchwork of statutes.  However, for entities already in compliance with the other comprehensive privacy laws, Iowa will not pose a heavy lift.