Iowa Passes Privacy Law

Iowa has become the sixth state to pass its own privacy law. Governor Kim Reynolds signed Senate bill 262 into law after it passed both chambers of the Iowa Legislature unanimously. It is scheduled to go into effect on January 1st, 2025.

The Iowa privacy law is similar to those passed in other states, with the strongest resemblance to Utah’s law. Because this law is modeled after existing state laws, it will result in very little, if any, new compliance burden on organizations already complying with other laws.

The Iowa law applies to entities that control or process personal data on at least 100,000 Iowans or that derive more than 50% of their revenue from selling the data of 25,000 or more consumers.

Here’s a breakdown of the law.

Consumer Rights

Affirmative Consent

Under the Iowa privacy law, businesses are not required to obtain affirmative consent for data processing activities. However, any covered entity processing sensitive data is required to provide consumers with “clear notices and an opportunity to opt out of such processing.” This law defines sensitive data as:

  • Racial or ethnic origin, religious beliefs, mental or physical diagnosis, sexual orientation, citizenship or immigration status, except to the extent such data is used in order to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law
  • Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person
  • The personal data collected from a known child
  • Precise geolocation data

Data Subject Rights

The Iowa law gives consumers the following rights regarding their data:

  • To confirm whether personal data is being processed and to access that data
  • To have personal data provided by the consumer deleted. The deletion right does not apply to data that was obtained from a third party
  • To obtain personal data in a portable format

The right for consumers to correct inaccurate information is not included in the Iowa privacy law.

Businesses have 90 days to respond to these consumer requests, longer than the 45 days in other states.

Consumer Opt Outs

Consumers do have the right to opt out of the sale of their personal data, but there are the following exceptions:

  • Controllers may deny an opt-out request if they are unable to authenticate it using commercially reasonable means
  • Consumer opt-out rights do not apply to “pseudonymous data”
  • Consumers may not exercise opt-out rights via authorized agents or global device settings

The Iowa privacy law also provides consumers with the ability to opt out of targeted advertising.

Business Requirements

The Iowa privacy law has many of the business requirements you would expect, including:

  • Detailed privacy disclosures
  • Service provider agreements
  • The obligation to only process data if necessary
  • Reasonable data security
  • A consumer appeals process
  • Non-retaliation

Entities are not required to conduct data protection assessments. The law does not establish collection limitations or minimization principles; however, these principles are required by other states and are generally expected by consumers, and we recommend meeting them.

Enforcement

The Iowa privacy law has no private right of action; all enforcement will come from the Attorney General. There is a 90-day right to cure that does not sunset. Fines will be up to $7500 per violation.

You can learn more about how the other existing state privacy laws compare to each other here.

CompliancePoint has a team of experienced privacy professionals that can help your organization establish and maintain compliance with GDPR, CCPA, and all other state privacy laws. Reach out to us at connect@compliancepoint.com to learn more.
