On March 28, 2023, Iowa Governor Kim Reynolds signed into law Senate File 262 ("Iowa Data Privacy Law"), Iowa's new state consumer privacy law, which will go into effect on January 1, 2025. By passing this law, Iowa joins California, Utah, Colorado, Connecticut and Virginia as states with their own consumer privacy laws (together, "US State Data Privacy Laws"). The Iowa Data Privacy Law is similar to (though somewhat more limited than) the Virginia Consumer Data Protection Act ("VCDPA") and Colorado Privacy Act ("CPA"), and businesses that are already compliant with other state privacy laws should have little difficulty adapting to the Iowa Data Privacy Law.
Who does the Iowa Data Privacy Law apply to?
Similar to US State Data Privacy Laws, the Iowa Data Privacy Law imposes transparency and disclosure obligations on a "controller" (a person or entity who determines the purpose and means of processing personal data) or "processor" (a person or entity who processes personal data on behalf of a controller), who either:
- conducts business in Iowa; or
- produces products or services that are targeted to the residents of Iowa;
and that, during a given calendar year:
- controls or processes personal data of at least 100,000 Iowa residents; or
- controls or processes personal data of at least 25,000 Iowa residents and derives over 50 percent of their gross revenue from the sale of personal data.
Notably, the Iowa Data Privacy Law does not have a revenue threshold for entities to be subject to privacy obligations. In addition, the Iowa Data Privacy Law does not apply to government entities, nonprofits, HIPAA-covered entities and business associates, higher educational institutions (public or private) and Gramm-Leach-Bliley Act-regulated entities and data. The Iowa Data Privacy Law also does not apply to certain classes of data including health records, scientific research data, consumer credit-reporting data, data regulated by the Family Educational Rights and Privacy Act or federal Farm Credit Act and employment-related information.
What rights does the Iowa Data Privacy Law grant consumers?
The Iowa Data Privacy Law grants Iowa residents, acting only in an individual or household context ("consumers"), certain access and control rights concerning their personal data. Consumers may submit verified requests to businesses to:
- confirm whether the business is processing the consumer's personal data and provide access to that data;
- delete personal data provided by the consumer;
- obtain a copy of the consumer's personal data (i.e., data portability); and
- opt out of the sale of personal data.
A controller must respond within 90 days, though that time period may be extended for an additional 45 days if necessary depending on the complexity and number of requests. The Iowa Data Privacy Law also grants consumers the right to appeal the controller's refusal to take action on requests to exercise their rights.
What obligations does the Iowa Data Privacy Law impose on businesses?
The Iowa Data Privacy Law applies to "personal data." Personal data is defined as "any information that is linked or reasonably linkable to an identified or identifiable natural person," but the definition of personal data notably excludes "de-identified or aggregate data or publicly available information."
The Iowa Data Privacy Law requires controllers to:
- Adopt and implement reasonable administrative, technical and physical data security practices.
- Process consumers' non-exempt sensitive data only after providing the consumer clear notice and an opportunity to opt out. Sensitive data is defined to include genetic or biometric data, data of known children, precise geolocation data and sensitive personal information such as race, religious belief and health status.
- Process consumer data in a non-discriminatory manner, and refrain from discriminating against consumers who exercise the rights granted by the statute.
- Provide a clear privacy policy that includes the categories of personal data processed, the purpose for processing personal data, the categories of data shared with third parties, the types of third parties, the consumer's rights and the manner in which consumers may securely and reliably exercise their rights.
- Clearly disclose if the controller sells consumers' personal data to third parties or engages in targeted advertising, and provide consumers an opportunity to opt out.
- Establish a process for consumers to appeal the refusal to take action on requests to exercise their rights.
The Iowa Data Privacy Law imposes additional requirements on processors. Processors must cooperate with the controller to comply with its obligations under the act, including its obligations regarding consumer rights requests, security of data processing and breach notification. The Iowa Data Privacy Law also requires that all processing be governed by a contract between the controller and processor that outlines relevant consumer privacy provisions.
Key Aspects of the Iowa Data Privacy Law
- Right for Consumers to Opt Out: The Iowa Data Privacy Law permits consumers to opt out of the processing of personal data for the sale of personal data or for targeted advertisements. This right is similar to that granted by the VCDPA and CPA, though unlike those laws, the Iowa law does not grant consumers the ability to opt out of profiling.
- Processing Agreement Required between Controllers and Service Providers: Like certain other US State Data Privacy Laws, the Iowa Data Privacy Law requires controllers to enter into contracts with data processors that regulate how processors process data. Contracts under the Iowa Data Privacy Law must set forth clear instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the parties' rights and obligations. The contracts also must include a duty of confidentiality, and require processors' agents or subcontractors to sign contracts with the same requirement. Like the VCDPA and CPA, and unlike the Utah Consumer Privacy Act ("UCPA"), the Iowa Data Privacy Law also requires processors to delete or return personal data upon the controller's request.
- Attorney General Investigations and Enforcement: Like the CPA, UCPA and VCDPA, the Iowa Data Privacy Law does not provide for a private right of action. The Iowa office of the Attorney General has authority to conduct enforcement actions, issue investigative demands and impose sanctions. The Iowa Data Privacy Law provides a 90-day cure period for alleged violations. A controller or processor who continues to violate the law after this cure period may be subject to an injunction and civil penalties of up to $7,500 for each violation.
Iowa Data Privacy Law Compliance Checklist
The similarities between the Iowa Data Privacy Law, the California Consumer Privacy Act ("CCPA", as amended by the California Privacy Rights Act), CPA, UCPA and VCDPA will permit companies to develop a generally uniform approach to data privacy compliance obligations in the U.S., at least with regard to those obligations that are common among the various frameworks. Accordingly, entities operating in Iowa should consider the following framework in assessing compliance obligations under the Iowa Data Privacy Law:
- Confirm That Your Business is Subject to the Iowa Data Privacy Law. Entities must determine whether they meet the jurisdictional threshold of the Iowa Data Privacy Law, which notably does not include a minimum revenue threshold.
- Privacy Policies. Revise privacy policies to reflect personal data processing activities, communicate the new rights available to consumers and identify the mechanisms implemented for consumers to exercise those rights. Importantly, businesses should be prepared to provide an appeal process similar to that required under the VCDPA.
- Implement "Reasonable Security Practices." Assess cybersecurity policies, practices and controls to ensure they are consistent with industry-recognized standards.
- Enable Consumer Opt Out of Sale of Personal Data (when applicable). Businesses must develop a method to permit and honor consumer requests to opt out of the sale of their personal data. Of note, the Iowa Data Privacy Law defines sale as the exchange of monetary consideration and does not include disclosure of personal data to a processor or to third parties for purposes of providing a product or service requested by the consumer.
- Provide Notice for Collecting Sensitive Data and Implement Opt Out Mechanism. Businesses that process non-exempt sensitive data from consumers must provide consumers clear notice and an opportunity to opt out. As the Iowa Data Privacy Law does not provide clear instructions on the opt out mechanism to be utilized, controllers can likely leverage the opt out mechanism for opting out of the sale of personal data (and vice versa) to the extent both are applicable to their personal data practices.
- Facilitate Receipt of and Response to Consumer Rights Requests. Develop mechanisms for accepting, tracking, verifying and honoring consumer rights requests to exercise their access, portability, deletion and opt out rights under the Iowa Data Privacy Law.
- Implement Training Program. Ensure employees who are responsible for handling consumer rights requests understand and are trained to handle those requests in a timely and consistent manner that is ultimately compliant with the Iowa Data Privacy Law. To the extent the same employees are responsible for handling consumer inquiries under other U.S. State Data Privacy Laws, employees should be trained on understanding the various nuances of each.
As we have noted in previous client alerts, the privacy landscape in the United States is rapidly evolving. As such, businesses should keep apprised of the developments in the evolving area of United States consumer data privacy compliance. White & Case's Data, Privacy and Cybersecurity team will continue to provide updates as these laws and regulations emerge.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2023 White & Case LLP