March 17, 2023
Iowa passes comprehensive privacy bill
On March 15, 2023, the Iowa House passed SF262, An Act Relating To Consumer Data Protection. The Bill now awaits the signature of the State Governor before being formally passed into law and making Iowa the sixth state to pass comprehensive privacy legislation. Once passed, the Bill is expected to enter into effect on January 1, 2025.
In comparison to the other five existing state privacy laws, Iowa’s addition to the US privacy landscape tracks closely with the Utah Consumer Privacy Act (UCPA), offering a more business-friendly approach to privacy. Generally speaking, the Iowan privacy bill contains fewer requirements for businesses to contend with (for example, there is no requirement for data minimization or risk assessments) and offers consumers a narrower set of rights.
What does Iowa’s new privacy bill contain?
Scope of application
Iowa’s privacy bill will apply to businesses that operate in Iowa or that produce goods or services that are targeted at residents of Iowa and meet certain thresholds. This bill does not apply to Iowa residents acting in a commercial or employment context.
Unlike laws in California and Utah, Iowa’s privacy bill does not contain a monetary threshold. However, it does outline an application threshold for businesses that:
- Process the personal data of 100,000 individuals, or
- Process the personal data of 25,000 individuals while also deriving 50% of annual revenues from the sale of personal information
Consumer rights under the new privacy bill are limited in comparison to other state privacy laws. The new bill will offer consumers the following rights:
- The right to confirm processing
- The right to access personal information
- The right to deletion
- The right to data portability (in limited circumstances)
- The right to opt out of sale, where sale is defined as the exchange of personal data for monetary consideration by the controller to a third party
Some of the rights listed above, in particular the right to deletion and the right to portability, only apply to personal data that was provided to the business by the consumer. The new privacy bill does not contain rights for correction or for opting out of profiling, and it does not require businesses to honor opt-out signals such as the Global Privacy Control (GPC). While the right to opt out of targeted advertising and the right to non-discrimination are not explicitly called out under the consumer rights section, both are mentioned elsewhere in the bill as requirements for data controllers.
Businesses have 90 days to respond to consumer requests with the possibility of a 45-day extension.
The new privacy bill in Iowa outlines a definition of sensitive data that resembles that found under most privacy laws. Sensitive data is personal data that reveals:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data
- Data collected from a known child
- Precise geolocation
Data controllers will not be permitted to process sensitive data without the consumer being presented with a clear and transparent privacy notice as well as the opportunity to opt out of the use of their sensitive data.
As with most modern privacy laws, the incoming Iowa privacy bill includes a provision for developing and displaying a clear and accessible privacy notice to consumers.
Privacy notices under the Iowan bill should include:
- Categories of personal data processed
- Purposes of processing
- Details relating to consumer rights and how to exercise them
- Categories of personal data shared with third parties
- Details of third parties to which personal data is shared
The Iowa Attorney General will have the exclusive power to enforce the provisions of the bill. Businesses found to have violated the law will be subject to monetary penalties of up to $7,500 per violation.
There is a 90-day cure period under the new bill that does not have a sunset clause.
There is no private right of action.
What businesses need to consider
While the new privacy bill in Iowa will not enter into effect until January 1, 2025, there are several ways that businesses that would fall under its scope can prepare.
Initially, you should ensure that your business’s data map is up to date. This up-to-date view into what personal data you have collected, how it is classified, and how it flows to different third parties will help to inform privacy notices and ensure they meet the requirements of the new bill.
While not a specific requirement of the new bill, PIAs and DPIAs are considered a best practice when processing sensitive data. By putting in place a robust assessment process, you can begin to ensure that sensitive data and other high-risk processing activities are processed lawfully, with the correct protections in place and without violating security requirements.
Consumer rights under the new bill are not as extensive as those under other similar privacy laws. However, you should still have a defined and repeatable process for fulfilling consumer requests when they are submitted. Your DSAR fulfilment process should include a clear and accessible method for consumers to submit requests, and this method should be detailed in your privacy notice. You must also include methods for ID verification as well as data discovery solutions to ensure that the correct personal data is found and communicated back to the requestor.
To find out how the OneTrust Privacy & Data Governance Cloud can help you prepare for the new privacy bill in Iowa with automated solutions, request a demo and speak to one of our experts today.