Iowa became the sixth state to pass a comprehensive data privacy law, joining California, Colorado, Connecticut, Utah, and Virginia. Instead of standing out from the crowd, the Iowa legislature passed a law that imposes attenuated versions of the obligations found in those other states’ laws. Below are some highlights from the Act relating to consumer data protection (the “Iowa Act”):
- Opt-Out for Sensitive Data. The Iowa Act requires entities to present consumers with clear notice and the opportunity to opt out before the collection of “sensitive data” (e.g., precise geolocation data or biometric data).[1] This is in contrast to Colorado, Connecticut, and Virginia, which require express (opt-in) consent prior to the collection of this type of information.
- No Private Right of Action & Cure Period. The Iowa Act limits enforcement authority to the Iowa Attorney General and does not provide a private cause of action for Iowa consumers.[2] Additionally, even if an entity violates the statute, the AG must issue a written notice of the violation(s) and allow for a 90-day cure period before proceeding with any action (to the extent the noted violations were not cured).[3]
- Numerous Exceptions and Exemptions. The Iowa Act contains the typical exclusions found in other data privacy laws. It excludes data and entities subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). As is typical outside California, it also exempts employment data (HR and job applicant data) and business-to-business data.[4]
- No Data Impact Assessments. Colorado, Connecticut and Virginia require entities to conduct risk assessments of certain processing activities with “heightened risks of harm” (referred to as data protection impact assessments or data protection risk assessments). California allows the regulatory authority to require assessments from entities. Iowa, like Utah, does not have such a requirement.
- No Revenue Threshold for Application. The Iowa Act applies to an entity if (a) it controls or processes personal data of at least 100,000 Iowa consumers or (b) it derives more than 50% of its gross revenue from the sale of personal data and controls or processes personal data of at least 25,000 Iowa consumers.[5] The law does not set a minimum revenue threshold and thus could reach smaller businesses.
- Standard Consumer Rights and Privacy Policy Requirements. The Iowa Act provides conventional consumer data rights: (a) the right to access, (b) the right to delete, (c) the right to portability, and (d) the right to opt out of the sale of their personal data.[6] The law also requires that privacy policies cover: (a) the categories of personal data processed by the controller, (b) the purpose for processing personal data, (c) the methods by which a consumer can exercise rights and appeal a controller’s decisions, (d) the categories of personal data the controller shares with third parties, and (e) the categories of third parties with whom the controller shares personal data.[7]
- Minimum Vendor Oversight. The Iowa Act follows suit with other comprehensive data privacy laws by requiring a written contract between controllers and processors setting forth (a) instructions for processing personal data, (b) the nature of and purpose for processing, (c) the type of data subject to processing, (d) the duration of processing, and (e) the rights and duties of both parties.[8] The contract must also ensure (a) confidentiality, (b) deletion of the personal data, (c) assistance with consumer rights requests, and (d) a flow-down of requirements to sub-processors.[9]
- Long Effective Date. One area in which Iowa’s statute departs from the pack is its distant effective date of January 1, 2025, the better part of two years from now. It is not clear why such a far-off date was chosen; one could speculate that it is designed to notch a consumer victory while reducing blowback from business interests, to reduce burdens on local governments (which are subject to the Act), or to take a “wait-and-see” attitude toward preemptive federal legislation.
Takeaways:
- Compliance with Other States as Compliance with the Iowa Act. Generally, an entity that complies with another comprehensive data privacy law, such as California’s, will also be in compliance with the Iowa Act.
- New Privacy Requirements for Local Entities. While these obligations are not novel for businesses already operating in states like Colorado or Virginia, businesses collecting only the personal information of Iowa residents will need to invest in a privacy compliance program. With the Iowa Act’s long lead time before its January 1, 2025 effective date, there is plenty of time to develop one.
- Trend toward State-by-State Laws. Given the standstill of the American Data Privacy and Protection Act at the federal level, the pattern of state-by-state passage of data privacy laws will continue. With data privacy legislation pending in 17 states, more local businesses should begin implementing good data privacy practices now.