As we continue to wait for a potential federal privacy law, the State of Iowa became the sixth state to pass a comprehensive state privacy law (Senate File 262) on March 28^th when Governor Kim Reynolds signed the legislation.  Despite some opposition from consumer advocacy groups who argue that the law is too lenient on businesses, the Iowa bill passed unanimously in both the Iowa House and Senate. The law will go into effect on January 1, 2025 and marks the start of the next wave of state privacy laws.

Application

The law applies to businesses that control or possess the personal data of 100,000 Iowa consumers or derive 50% of revenue from selling the data of more than 25,000 consumers.

Comparison to Other State Privacy Laws

The law largely aligns with the other state privacy laws, but most closely resembles the Utah Consumer Privacy Act and the Virginia Consumer Data Protection Act.  Note, however, the Iowa privacy law does not include a private right of action, businesses are not required to undertake data protection assessments, and consumers do not have the ability to opt out of targeted advertising.

Notice Requirements

The law requires that businesses, operating as controllers of personal data, provide consumers with a “reasonably accessible, clear, and meaningful privacy notice” that includes details related to the following:

• The categories of personal data processed by the controller.
• The purpose for processing personal data.
• How consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request.
• The categories of personal data that the controller shares with third parties, if any.
• The categories of third parties, if any, with whom the controller shares personal data.

Further, where a controller sells a consumer’s personal data to a third party or otherwise engages in targeted advertising, the controller must “clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.”  The “sale of personal data” is narrowly defined as “the exchange of personal data for monetary consideration by the controller to a third party.”

Consumer Rights

As with the other state privacy laws, the Iowa law provides consumers with the following rights with respect to their personal data:

• To confirm whether a controller is processing the consumer’s personal data and to access such personal data.
• To delete personal data provided by the consumer.
• To obtain a copy of the consumer’s data (subject to certain exceptions).
• To opt out of the sale of personal data.

Sensitive personal data is defined as data that includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed for the purpose of uniquely identifying an individual, personal data of a child, or precise geolocation.  Subject to certain exemptions, consumers must be provided clear notice of the processing of sensitive data and provided with the opportunity to opt out of such processing.  Where the sensitive data concerns a child (defined as a person under the age of thirteen), the processing of data much be in accordance with the Children’s Online Privacy Protection Act (“COPPA”).

Preparing for Effective Date

Like the other state privacy laws, businesses have some time to ensure compliance requirements are implemented and, given the similarities to the other state privacy laws, businesses will likely already have many of the requirements in place.  However, businesses should prepare to assess their operations in Iowa and plan now for implementation, including how the requirements of the Iowa privacy law can be integrated into current state privacy law processes.

Our Data Privacy and Cybersecurity practice regularly advises companies on how to meet the requirements of new laws like this one. If you have any questions concerning this law or any other data privacy or cybersecurity laws, please do not hesitate to contact any member of our team.