The U.S. state of Iowa is no stranger to privacy bills. Since its first attempt in 2020, the state’s legislature has repeatedly proposed and considered comprehensive consumer data privacy legislation. But 2023 is the year privacy took root in Iowa. On 28 March, Iowa became the sixth state to pass a comprehensive privacy law, joining Connecticut, Utah, Virginia, Colorado and California. The law will go into effect on 1 Jan. 2025, giving organizations 21 months to comply with the new requirements from this state of over 3 million residents. Though the new law includes many familiar elements from other state laws, organizations should note a handful of differences as they expand their U.S. compliance efforts.
Like the other state laws before it, the Iowa privacy law applies to entities that conduct business in Iowa or produce products or services that target consumers in the state. Iowa defines “consumer” as a natural person who is a resident of the state acting in a noncommercial and nonemployment context, the same definition used by every other state except California, which defines the term simply as an identifiable state resident. The law divides obligations between controllers and processors, embracing the common definitions of those terms.
A business falls within the scope of the Iowa law if it controls or processes personal data of at least 100,000 Iowa consumers, about 3% of the state’s population, during a calendar year. Alternatively, businesses that derive more than 50% of gross revenue from the sale of personal data fall within scope of the law if they control or process personal data of at least 25,000 Iowa consumers. This second, independent prong, the threshold for revenue derived from sales, uses the same test as the prior state laws, with two exceptions: Connecticut’s 25% threshold and Colorado’s still broader standard, which is triggered by any revenue or discount received from the sale of personal data.
What about a revenue threshold? Utah’s privacy law applies to organizations that do business in the state and make USD25 million in annual revenue, and California uses the same revenue benchmark as a third independent factor that can place companies within scope of the California Consumer Privacy Act. Unlike California and Utah, an organization does not fall within scope of the Iowa law, or the other state laws, by reference to a revenue threshold. Businesses of any size that meet the above requirements must comply.
Iowa adopts a familiar definition for “personal data”: any information linked or reasonably linkable to an identified or identifiable natural person, excluding deidentified data, aggregate data (information relating to a group or category of consumers that excludes consumer identities and is not linked or linkable to any consumer) and publicly available information. “Sensitive data” under the Iowa law includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, and citizenship or immigration status (except when such data is used to avoid discrimination), as well as genetic or biometric data, personal data of a known child, and precise geolocation data, meaning data that locates a consumer within a radius of 1,750 feet.
Privacy professionals will find Iowa’s data exemptions to be familiar as well. Information exempted from the Iowa privacy law includes personal data covered by existing federal laws like the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act, the Driver’s Privacy Protection Act and the Farm Credit Act, as well as health records, human subjects research data covered by federal law or other standards, and data processed or maintained for employment purposes.
The law additionally exempts certain types of entities and data from its requirements. The Iowa privacy law does not apply to:
- Government entities.
- Financial institutions, their affiliates and entities subject to the Gramm-Leach-Bliley Act.
- Entities who are subject to and comply with the Health Information Technology for Economic and Clinical Health Act and/or HIPAA.
- Nonprofit organizations.
- Higher education institutions.
Under the Iowa law, consumers are provided with four main rights: the right to access, the right to delete, the right to portability and the right to opt out of the sale of their personal data. The law notably does not provide a right to correct personal data, a right not to be subject to fully automated decisions, or a right to opt out of other processing such as targeted advertising or profiling. However, while there is no explicit right to opt out of targeted advertising in the law’s consumer rights section, the law does include a peculiar requirement for controllers that engage in targeted advertising to “clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.”
Unlike Colorado, Connecticut and Virginia, the new law does not require an opt-in choice for sensitive data processing, but rather requires covered entities to provide notice and an opportunity to opt out. This approach is more in keeping with California and Utah.
Right to access. Consumers have the right to confirm whether a controller is processing their personal data and to access that data. Like Connecticut’s law, it has an exception for data that would reveal trade secrets.
Right to delete. Consumers have the right to delete the personal data they provided to the controller. This right is narrower than in the Connecticut and Colorado privacy laws, which include the ability to delete personal data obtained about the consumer from other sources.
Right to data portability. Consumers have the right to obtain a copy of the personal data they previously provided to the controller in a portable and readily usable format that allows the consumer “to transmit the data to another controller without hindrance, where processing is carried out by automated means.” The right does not extend to personal data that is subject to security breach protection. This is similar to the Virginia law, in which the right is also limited to consumer-provided data.
Right to opt out of sales. Consumers have the right to opt out of the sale of personal data. Here, the definition of “sale” covers the exchange of personal data for monetary consideration, but excludes disclosure to a processor, disclosure to a controller to fulfill a consumer request, disclosure made by a consumer to a public channel, and internal transfers, including merger or acquisition activity. The law further states that consumer rights do not apply to pseudonymous data, defining the term as personal data that “cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.” The definition of pseudonymous data is consistent across all six states, but unlike Colorado, Connecticut, Virginia and Utah, Iowa extends the exclusion to the consumer’s opt-out rights as well.
Consumers can invoke their rights by submitting a request specifying those rights to the controller in the manner described in the controller’s privacy notice. Controllers have 90 days after receipt of the request to respond and, after notifying the consumer, may extend that period by 45 days when reasonably necessary given the complexity and number of requests.
Under the Iowa law, covered entities have obligations that mirror most of those imposed by its predecessors. The law notably does not require entities to perform data protection or privacy risk assessments.
Purpose limitation. Controllers may process personal data only to the extent it is adequate, relevant and limited to what is reasonably necessary and proportional to the specific purposes listed in the Iowa privacy law.
Data security. Controllers must implement reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and availability of personal data. Similar to the requirements of the other states’ comprehensive privacy laws, these practices should be appropriate to the volume and nature of the personal data.
Consent requirements. The statute defines consent as a clear affirmative act that indicates a consumer’s freely given, specific, informed and unambiguous agreement to the processing of their personal data. Controllers are prohibited from processing sensitive data collected from a consumer for a nonexempt purpose unless they provide the consumer with clear notice and an opportunity to opt out of such processing. If the sensitive data belongs to a known child, the processing must be carried out in accordance with COPPA. On this point, Iowa follows the approach of Colorado, Connecticut and Virginia, all three of which require opt-in consent for the collection of personal data from a user known to be under 13 years of age.
Nondiscrimination. Consistent with the five other comprehensive state privacy laws, controllers are also barred from processing personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. Controllers additionally cannot discriminate against consumers for exercising their rights, but may offer different prices to consumers based on certain factors like a consumer’s voluntary participation in a bona fide loyalty program.
Transparency. Controllers must provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes:
- The categories of personal data processed by the controller.
- The purpose for processing personal data.
- How consumers may exercise their rights and appeal a controller’s decision.
- The categories of personal data the controller shares with third parties, if any.
- The categories of third parties, if any, with whom the controller shares personal data.
Data processing contracts. Controllers must have a contract with their processors that clearly sets forth instructions for processing personal data, the nature and purpose for processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties. The contract must also lay out processes for retention, deletion, access and subcontractor accountability.
Iowa’s privacy law, like Virginia’s law, makes no mention of universal opt-out mechanisms such as the Global Privacy Control. The law also deems any contract provision that waives or limits a consumer’s rights to be “contrary to public policy” and therefore void and unenforceable.
Like the state privacy laws enacted by Colorado, Connecticut, Virginia and Utah, the Iowa privacy law does not offer a private right of action. It does, however, give the attorney general the exclusive authority to enforce the act, including through civil investigative demands. Before bringing an action, the attorney general must provide the alleged violator with a written notice listing the violations. The controller or processor then has 90 days to cure them, after which it must notify the attorney general that the violations have been cured and provide a written statement that no further violations will occur. If the controller or processor is still in violation of the law after the cure period, or breaches its written statement, the attorney general can initiate civil proceedings. A controller or processor found to be in violation of the Iowa privacy law is subject to a civil penalty of up to USD7,500 per violation, paid into the consumer education and litigation fund.
Organizations will likely find that the consistency between the rights and obligations in the Iowa statute and those in the other state statutes allows for a smoother transition into compliance. While the Iowa law provides many of the same protections as the other comprehensive state privacy laws, its rights and obligations are less prescriptive concerning business compliance. In that way, Iowa sets a new precedent for states that were unable to pass their own privacy laws in recent years due to concerns about business impact and costs.