Iowa Passes Comprehensive Data Privacy Law
Iowa became the sixth state to pass a comprehensive data privacy law when Governor Reynolds signed an Act Relating to Consumer Data Protection into law on March 28, 2023. Iowa’s law follows the blueprint of Colorado, Connecticut, Utah, and Virginia in broadly defining personal data and providing thresholds for businesses that are subject to the law. Additionally, the law provides Iowa residents specific rights with respect to their data.
Scope of the Act
The Act applies to all persons that conduct business in Iowa or produce products or services that are targeted to residents of Iowa and that, in any calendar year, meet one of the following thresholds:
- Control or process the personal data of at least 100,000 consumers, or
- Control or process the personal data of at least 25,000 consumers and derive over fifty percent of gross revenue from the sale of personal data.
Notably, the Act exempts certain entities from its requirements, including state and political subdivisions, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), persons that are subject to and comply with HIPAA, non-profit organizations, and institutions of higher education. Further, the definition of "consumer" covers only Iowa residents acting in an individual or household capacity and specifically excludes individuals acting in a commercial or employment context.
The Act provides consumers key rights with respect to their personal data, including:
- The right to confirm whether a controller is processing the consumer’s personal data and to access such personal data.
- The right to delete personal data provided by the consumer.
- The right to obtain a copy of the consumer’s personal data.
- The right to data portability, meaning the consumer receives their personal data in a readily usable format that allows the consumer to transfer the data to another controller.
- The right to opt out of the sale of personal data.
Controllers have a number of obligations under the law, including, among other requirements:
- Implementing and maintaining reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
- Providing consumers the right to opt out of the processing of sensitive personal data, unless the processing is for an exempt purpose.
- Providing a privacy notice to consumers that details the processing of consumers’ personal data.
In addition to the entity-level exemptions noted under the Scope of the Act section above, the law exempts certain categories of data, including protected health information under HIPAA, health records, personal data used or shared in compliant research projects, creditworthiness data protected by the Fair Credit Reporting Act (FCRA), personal data protected by the Driver's Privacy Protection Act, student data protected by FERPA, and children's information protected by COPPA, among other data types.
The Iowa Attorney General has exclusive authority to enforce the Act. Before an enforcement action, controllers and processors are given a ninety-day cure period to remedy any alleged violation. If the violation is not cured, the Attorney General may seek injunctive relief and civil penalties of up to $7,500 per violation.
Iowa’s law takes effect on January 1, 2025.