Iowa Becomes Sixth State to Enact a Comprehensive Data Privacy Law
On March 28, 2023, Iowa—following California, Colorado, Connecticut, Utah, and Virginia—became the sixth state to adopt a comprehensive consumer data privacy law.
On March 28, 2023, Iowa Governor Kim Reynolds signed "An Act Relating to Consumer Data Protection," ("Act"), making Iowa the sixth state to enact a comprehensive data privacy law. The Act will take effect on January 1, 2025. While the Act borrows many core elements from peer legislation in California, Colorado, Connecticut, and Virginia, it most closely aligns with Utah's Consumer Privacy Act.
The Act will apply to entities that: (i) conduct business or target consumers in Iowa; and (ii) either process or control: (a) the personal data of at least 100,000 Iowa consumers; or (b) the personal data of at least 25,000 Iowa consumers and derive more than 50% of their gross revenue from selling personal data. The Act does not require a $25 million annual revenue threshold in order to apply to entities. It also does not apply to individuals acting in an employment or commercial context.
Under the Act, controllers have obligations to, among other things:
- Disclose processing activities in a privacy notice;
- Provide consumers with an opportunity to opt out of the processing of sensitive data;
- Provide consumers with a right to opt out of the sale of personal data, defined as exchanges for monetary consideration;
- Comply with requests to exercise their other rights to access, obtain a copy of, delete, and confirm whether a controller processes their personal data;
- Disclose targeted advertising activity clearly and conspicuously, as well as how a consumer can exercise the right to opt out of such activity; and
- Adopt and implement reasonable administrative, technical, and physical data security practices.
Notably, there is no right to correct, right to opt out of profiling or other automated decision-making, or need for businesses to conduct impact assessments, among other key differences.
The Act also does not create a private right of action, and it grants exclusive enforcement authority to the Attorney General. If businesses do not cure violations within 90 days of notice, the Attorney General can issue an injunction and civil penalties of up to $7,500 per violation.
Businesses should carefully monitor their privacy compliance programs to take into account these new obligations for Iowa residents and prepare for the enactment of other state privacy laws in 2023. Business should continue to monitor legislation as other states—including, among others, Florida, Hawaii, Indiana, Kentucky, Montana, New York, Oklahoma, Tennessee, and Texas—have also introduced comprehensive privacy bills in this legislative session.