On March 28, 2023, Iowa Governor Kim Reynolds signed Senate File 262 into law, making Iowa the sixth state to adopt comprehensive consumer data privacy legislation. The Iowa Consumer Data Protection Act (ICDPA) takes effect on January 1, 2025.
The ICDPA is largely business friendly and closely tracks the Utah Consumer Privacy Act. Businesses that already comply with other states’ privacy laws, such as the California Consumer Privacy Act, likely will not need to change their policies or practices to comply with the ICDPA. The ICDPA does not require businesses to conduct risk assessments, and it imposes no purpose limitation or data minimization requirements; businesses also receive a generous 90-day period to cure alleged violations. As with the other states that have recently passed comprehensive privacy laws, the law provides no private right of action for consumers; enforcement authority sits exclusively with the Iowa Attorney General.
Consumers receive a basic set of rights under the law, similar to those in the other state laws: a right to confirm whether a business is processing their personal data and to access that data, a right to delete personal data they provided to the business, a right to obtain a copy of that data in a portable format, and a right to opt out of the sale of their personal data. The law also prohibits a business from discriminating against consumers who exercise these rights. In addition to omitting a private right of action, the law notably leaves out a right to correct inaccurate personal data, a right to opt out of profiling or automated decision-making, and any requirement that the consumer opt in before the business processes sensitive data; sensitive data may be processed after the consumer is given clear notice and an opportunity to opt out.
Applicability and Scope
The ICDPA applies to businesses that (1) control or process personal data of at least 100,000 Iowa consumers, or (2) control or process personal data of at least 25,000 Iowa consumers and derive more than 50% of gross revenue from the sale of personal data. Unlike California and Utah, the ICDPA contains no annual revenue threshold, so a company with large revenue but fewer Iowa consumers than these figures falls outside the law.
Similar to other comprehensive privacy laws, the ICDPA exempts entities subject to the GLBA and HIPAA, institutions of higher education, nonprofit organizations, and state entities and political subdivisions of the state. It also exempts certain employment-related data and information governed by the FCRA, the Driver’s Privacy Protection Act of 1994, FERPA, and COPPA.
Obligations for Controllers and Processors
Similar to the GDPR and other privacy laws, the ICDPA classifies businesses handling personal data as “controllers” or “processors.” A controller is a person who determines the purpose and means of processing personal data; a processor is a person who processes that data on behalf of a controller. The law defines the sale of personal data as the exchange of personal data for monetary consideration by the controller to a third party. Unlike the California and Colorado statutes, it does not reach exchanges for “other valuable consideration,” which narrows the set of data transfers that trigger the opt-out right.
The law requires that controllers “disclose to the consumer the types of data being collected and obtain consent from the consumers regarding the collection of personal data and sensitive personal data processing.” In the operative text, however, the consent the law affords is limited: for sensitive data, a controller must present clear notice and an opportunity to opt out rather than obtain opt-in consent. Controllers must also provide consumers with a privacy notice that describes the personal data processed and shared with third parties and explains how a consumer can exercise their rights under the law, and they must disclose whether they sell personal data to third parties or engage in targeted advertising, along with the manner in which a consumer may opt out of those activities. These requirements give consumers more transparency into how their personal data is used, but consumers do not have a right to consent or opt in to these practices. The opt-out right is also subject to exemptions: controllers and processors are not required to honor a consumer’s request with respect to pseudonymous data (where the information needed to identify the consumer is kept separately) or de-identified data, and the law contains other exemptions as well. A controller that relies on an exemption bears the burden of demonstrating that it applies.
The ICDPA does not create a private right of action, but consumers may report violations to the Iowa Attorney General, who holds exclusive enforcement authority. Before initiating an enforcement action, the attorney general must give the business written notice of the alleged violation, and the business then has 90 days to cure it. If the violation is not cured within that period, the attorney general may seek injunctive relief and civil penalties of up to $7,500 per violation.
In sum, the law gives consumers a right to access their personal data, a right to delete, a right to portability, and a right to opt out of sales where no exemption applies. It does not provide a right to correct inaccurate information, a right to opt out of profiling or automated decision-making, a right for a consumer to opt in before a business processes their sensitive data, or a right to opt out of all data processing.
* * *
Iowa follows Utah in adopting a more business-friendly framework that should be easier for businesses to fold into their existing compliance programs, at least compared to more complex statutes such as the CCPA and the Colorado Privacy Act. More than a dozen other states are currently considering similar comprehensive privacy legislation.
As businesses assess the ICDPA and proposed privacy legislation in other states, they should build compliance programs that can adapt efficiently as additional states enact such laws, since some of those laws will not be as business friendly as Iowa’s. We are closely tracking developments in these states.