Iowa Enacts Data Privacy Law


In a surprise move, the state of Iowa has become the 6th U.S. state to enact its own data privacy law. Following in the footsteps of early legislative trailblazers (California, Virginia, Colorado, Utah and Connecticut), Iowa recently passed its own consumer privacy law entitled “An Act Relating to Consumer Data Protection” (ICDPA). Signed into law by Iowa’s governor on March 28, 2023, the ICDPA will go into effect on January 1, 2025, imposing broad data privacy and data security requirements on applicable businesses, including “controller” and “processor” requirements reminiscent of the EU’s General Data Protection Regulation (GDPR).

The following is a summary of the ICDPA’s key provisions:

The ICDPA applies to any “person” that (i) conducts business in Iowa or produces goods and services that are targeted to consumers who are residents of the state, and (ii) during the calendar year, either (a) controls or processes the personal data of at least 100,000 consumers OR (b) controls or processes the personal data of at least 25,000 consumers and derives more than 50% of its aggregate gross revenue from the “sale” of personal data. The law defines a “sale” of personal data as the exchange of personal data for monetary consideration by the controller to a third party.

The ICDPA does not apply to companies and information subject to federal privacy laws such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, the Family Educational Rights and Privacy Act, and the Fair Credit Reporting Act. In addition, the ICDPA does not apply to non-profit organizations.

Protected Consumers
The ICDPA protects natural persons who are residents of Iowa acting in an individual or household context (i.e., “consumers”); individuals acting in an employment or commercial context are not covered. 

Covered Personal Data
The ICDPA applies to any information that is linked, or reasonably linkable, to an identified or identifiable natural person.   

Excluded Data
The ICDPA does not apply to de-identified or aggregate data or publicly available information. Also, the law excludes the personal data of employees, job applicants, and contractors to the extent the data is collected and used within the context of that role.

Sensitive Data Definition
Under the ICDPA, sensitive data includes the following categories of data: race or ethnic origin; religious beliefs; mental or physical health diagnosis; sexual orientation; citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying a natural person; the personal data of a child (younger than 13); or precise geolocation data (within a radius of 1,750 feet). Sensitive data may not be processed without the consumer having been presented with clear notice and an opportunity to opt out of such processing.

Obligations of Controllers
The ICDPA requires controllers to be transparent about their data processing activities by providing a reasonably accessible, clear, and meaningful privacy notice to consumers that includes:

  • Categories of personal data being processed
  • Purposes of the processing
  • Description of a secure and reliable method for exercising consumer rights, including appeals
  • Categories of personal data being shared with third parties
  • Categories of third parties with whom the controller shares personal data
  • A clear and conspicuous disclosure of sales of personal data to third parties or any targeted advertising activity and how consumers can opt out of such activity

In addition, controllers must adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.

Obligations of Processors
The ICDPA requires processors to do the following:

  • Assist the controller in:
    • fulfilling its obligations to respond to consumer rights requests
    • maintaining the security of the personal data
    • notifying of a security breach
  • Enter into a contract with the controller that includes:
    • instructions for processing personal data
    • the nature and purpose of the processing
    • the type of data that is subject to processing
    • the duration of processing
    • the rights and duties of the controller and the processor
  • Ensure that each person processing data is subject to a duty of confidentiality with respect to such data
  • Delete or return all personal data to the controller at the end of the processor’s provision of services
  • Make available to the controller information necessary to demonstrate the processor’s compliance with the ICDPA
  • Engage subcontractors by written contract that requires the subcontractors to comply with all of the processor obligations of the ICDPA

Processors must also adopt and implement reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, and such practices must be appropriate to the volume and nature of the personal data at issue. 

Consumer Rights
Under the ICDPA, consumers have the rights to:

  • Confirm whether a controller is processing the consumer’s personal data
  • Delete personal data provided by a consumer
  • Obtain a copy of the consumer’s personal data in a portable and readily usable format (to the extent technically practicable) where the processing is effected by automated means; this right pertains only to personal data provided to the controller by the consumer
  • Opt out of the sale of the consumer’s personal data (does not apply to certain pseudonymous data)
  • Opt out of the processing of the consumer’s sensitive data

Controllers may not discriminate against consumers who exercise their privacy rights under ICDPA.

Under the ICDPA, consumers will not have a right to correct their personal data, a right to not be subject to automated decision making, or the right to opt out of use of personal data for profiling. However, since these rights are available under other state data privacy laws, companies may determine that it makes sense to collectively offer all data privacy rights available to consumers under the various state laws, rather than trying to manage and administer different consumer rights for each state that has enacted data privacy laws.

Time to respond to consumer requests
Controllers must respond to a consumer’s request to exercise their rights without undue delay, but in all cases within 90 days. The controller may extend the response period once for an additional 45 days when reasonably necessary (with consideration given to the complexity and number of requests from the consumer) by giving notice to the consumer within the initial 90-day period.

Consent requirements
A consumer’s consent to use their personal data must be a clear, affirmative act signifying the consumer’s freely given, specific, informed, and unambiguous agreement to process the consumer’s personal data. Consent can be given by written statement or by electronic means, provided that it is unambiguous.

Private Right of Action
As in Colorado, Virginia, and Connecticut, there is no private right of action under the ICDPA.

Enforcement and Penalties
The Iowa attorney general will have exclusive authority to enforce the ICDPA, including the right to impose civil penalties up to $7,500 per violation. Prior to initiating any action under the ICDPA, the Iowa attorney general must provide a controller with a notice of the alleged violation and 90 days to cure such violation. 

This summary is intended to highlight the primary requirements of the ICDPA and is not comprehensive. Companies should work with their legal counsel to create a privacy compliance program that best suits their needs. If your business is impacted by Iowa’s new privacy law, it is important to review your privacy policies and practices now and prepare for compliance by 2025. We are happy to help. If you have questions about any state privacy laws and how they may impact your company, please contact Virginia Fournier at [email protected].

A member of our California team, Virginia Fournier is a seasoned technology and privacy attorney with over 25 years of legal and business experience in the industry. She regularly handles a wide range of technology-related matters, including negotiating and drafting complex licensing agreements, compliance, data security and privacy, and intellectual property issues. Virginia is also a Certified Information Privacy Professional (CIPP/US).

This publication should not be construed as legal advice or a legal opinion on any specific facts or circumstances, nor as an offer to represent you. It is not intended to create, and receipt does not constitute, an attorney-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal questions you may have. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.