What You Need to Know About Iowa’s New Consumer Privacy Law
On March 28, 2023, Iowa became the sixth state to pass a comprehensive consumer privacy law, joining California, Colorado, Connecticut, Utah, and Virginia. The Iowa Act Relating to Consumer Data Protection (“ICDPA”) will take effect on January 1, 2025.
As compared to the five state laws that came before it, the substance of the ICDPA is most similar to the Utah Consumer Privacy Act (“UCPA”). The UCPA is one of the least stringent laws so far in this new generation of state privacy laws, while the California Privacy Rights Act (“CPRA”) remains the most stringent in most respects. As a result, the compliance lift for companies already subject to the other five states’ laws should be limited.
The ICDPA applies to entities conducting business in Iowa or producing products or services that are targeted to consumers who are residents of Iowa, and that during a calendar year either:
- control or process personal data of at least 100,000 Iowa residents; or
- control or process personal data of at least 25,000 Iowa residents and derive over 50% of gross revenue from the sale of personal data.
The ICDPA’s definition of consumer excludes individuals acting in a commercial or employment context.
Similar to the other states, Iowa’s law includes several exemptions for certain types of entities and data including, for example, exemptions for the following:
- financial institutions, affiliates of financial institutions, and data subject to the Gramm-Leach-Bliley Act (“GLBA”);
- entities subject to the Health Insurance Portability and Accountability Act (“HIPAA”) and protected health information (“PHI”) covered by HIPAA, as well as other exemptions related to health records, patient safety, research, and clinical trial data;
- nonprofit organizations (as defined by the ICDPA);
- institutions of higher education (as defined by the ICDPA);
- data collected, processed, sold, or disclosed in compliance with the Driver’s Privacy Protection Act (“DPPA”);
- data regulated by the Family Educational Rights and Privacy Act (“FERPA”);
- certain information about employees, agents, or independent contractors, to the extent the information is collected in the context of those roles, as well as information about benefits and emergency contacts; and
- the collection, maintenance, disclosure, sale, communication, or use of personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user of a consumer report, but only to the extent such activity is regulated by the Fair Credit Reporting Act (“FCRA”).
The ICDPA also expressly excludes de-identified data, aggregate data, and publicly available information, and does not apply to personal information collected in the employment or commercial context.
Under the ICDPA, Iowa residents will have the right to:
- confirm whether a controller is processing the consumer’s personal data and access that personal data;
- delete personal data provided by the consumer;
- obtain a copy of their personal data in a portable format (data portability); and
- opt out of the sale of personal data.
The “sale” of personal data is defined narrowly in the ICDPA — especially as compared to its definition in the CPRA — as “the exchange of personal data for monetary consideration by the controller to a third party.” Rather than including an express consumer right to opt-out of targeted advertising, the ICDPA frames this as a controller obligation. That is, any controller who engages in targeted advertising is obligated to “clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.”
Also, like Utah’s UCPA, the ICDPA does not contain the right to correct or the right to opt-out of profiling and automated decision-making. In addition, unlike California, Colorado, and Connecticut, the ICDPA does not require businesses to recognize universal opt-out signals such as the Global Privacy Control (“GPC”).
Also, unlike Colorado, Connecticut, and Virginia, the ICDPA does not require controllers to obtain a consumer’s opt-in consent before processing “sensitive personal data” (which includes biometric data to the extent it is processed for the purpose of uniquely identifying a natural person); it only requires controllers to provide notice and an opportunity for consumers to opt out of such processing.
The ICDPA provides consumers the right not to be discriminated against for exercising their rights under the ICDPA and the right to appeal a controller’s refusal to take action on a consumer request.
Controller and Processor Obligations
The ICDPA requires controllers to provide a privacy notice containing the familiar content required by the other states, such as the categories of personal data processed, the purpose for processing, the categories of personal data disclosed, the third parties to whom personal data is disclosed, and how consumers can exercise their consumer rights.
Controllers must also respond to consumer rights requests, and they have 90 days to do so (the longest timeframe of any of the six state laws). The ICDPA also imposes specific contractual requirements for agreements between controllers and processors that overlap with those mandated by the other states’ laws. In addition to entering into a contract with the controller, processors must assist the controller in meeting its obligations under the ICDPA with respect to responding to consumer rights requests, maintaining the security of personal data, and providing notification of a security breach. The ICDPA does not require data protection assessments.
The ICDPA contains no private right of action, and enforcement authority is held exclusively by the Iowa attorney general, who can issue fines of up to $7,500 per violation, following a 90-day notice and cure period. The ICDPA does not create a privacy-focused regulatory agency or give the attorney general rulemaking authority.
Businesses should continue to monitor similar privacy bills under consideration in state legislatures. As the proliferation of state consumer privacy laws continues, businesses should consider (1) whether, and to what extent, each state’s law applies to them; and (2) whether they will offer consumer rights broadly to all consumers or will continue to offer them on a state-by-state basis only where legally mandated.
- Kevin L. Coy
- Erin E. Doyle