Data Points: Privacy & Data Security Blog

Iowa has become the latest state to enact a consumer privacy law, joining California, Colorado, Connecticut, Utah, and Virginia.  On March 28, Governor Kim Reynolds signed into law Senate File 262, which effective January 1, 2025, will provide Iowa consumers various protections over their personal data.  The law applies to businesses that either conduct business in Iowa or produce products or services targeting Iowa consumers AND that either controls or processes personal data of at least 100,000 consumers or controls or processes personal data of at least 25,000 consumers while deriving more than 50% of gross revenue from the sale of personal data.  Unlike California’s comprehensive privacy law, the Iowa statute does not have a revenue threshold for application of the statute.  The statute excludes from coverage financial institutions and affiliates and data subject to GLBA, and HIPAA covered entities, among others.

The law defines a “consumer” as a natural person who is a resident of the state “acting only in an individual or household context” and specifically excludes an individual “acting in a commercial or employment context.”  Thus, the law specifically excludes employment-related data, such as personal data a business collects and maintains regarding its own employees.

Among the protections provided to Iowa consumers under the new law is the right to:

• confirm whether the controller is processing their personal data­­;
• demand that their personal data that they provided be deleted;
• obtain a copy of their personal data that they previously provided to the controller; and
• opt out of the “Sale” of their personal data or use of their personal data in “Targeted Advertising.”

The law also prohibits discrimination against consumers for exercising their rights, requires the controller to engage in reasonable security measures, and imposes obligations on processors.

Utah pulls in GDPR terms, referring to controllers, processors and processing.  The law defines “personal data” to include “any information that is linked or reasonably linked to an identified or identifiable natural person,” but excludes “de-identified”, aggregate, or publicly available information.  With regards to “Sensitive Data” – including (a) racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, (b) genetic or biometric data that is processed for the purpose of uniquely identifying a natural person, (c) the personal data collected from a known child, and (d) precise geolocation (within 1,750 feet) – the law requires a business to provide consumers clear notice of the collection of Sensitive Data and an opportunity to opt-out.  Sensitive Data does not include the information in (a) if it is used to avoid discrimination based on those characteristics.

 “Sale” of personal data is narrowly defined as the “the exchange of personal data for monetary consideration” to a third-party.  There are a variety of now familiar exceptions to the definition of “Sale”, including disclosure of data to a processor for processing on behalf of the controller.   “Targeted Advertising” means advertisements to a consumer that is selected “based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests,” but excludes:

• ads based on activities within a business’s own or affiliated websites or online applications;
• ads based on the context of a consumer’s current search query or visit to a website or online application;
• ads directed to a consumer in response to the consumer’s request for information or feedback; and
• processing personal data solely for measuring or reporting advertising performance, reach, or frequency.

The law also carves-out from coverage “pseudonymous data,” meaning “personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural persons.”

The law provides businesses 90-days to respond to a consumer request, and an additional 45-day extension period “when reasonably necessary upon considering the complexity and number of the consumer’s requests.”  Like Virginia’s comprehensive privacy law, the controller must provide the consumer a process to appeal a controller’s refusal to take action on a request. 

As we’ve come to expect, the law requires controllers to publish a privacy policy describing the categories of personal information collected, the purposes for the collection, the categories of personal information shared with third parties, the categories of third parties with whom the information is shared, and a description of the consumer’s rights and how to exercise them.  Like other similar laws, the statute requires the disclosure of whether the controller sells personal information and how the consumer can exercise opt-out rights.

Senate File 262 does not provide Iowa consumers a private right of action.  Instead, the Iowa Attorney General has exclusive enforcement rights and may obtain statutory civil penalties of up to $7,500 per violation, provided that the business must first be provided notice of a violation and a 90-day period to cure before a civil enforcement action can be brought.

Businesses that collect, sell, or use consumer data in targeted advertisements to Iowa residents need to be prepared to come into compliance with this law before its effective date, including providing required notices and establishing a system to allow consumers to opt-out of the sale or use of their personal data. 

Moore & Van Allen’s Privacy and Data Security attorneys are available if your business has questions about this new law and to assist in preparing to come into compliance with these new consumer privacy requirements.