Iowa May Soon Adopt Its Own Data Privacy Law

Iowa will soon vote to adopt a comprehensive data privacy law, thus potentially joining California, Colorado, Connecticut, Nevada, Utah, and Virginia in their endeavor to protect the privacy of US consumers. The bill moved fast through the State Senate who voted on it on March 6th and the Iowa House of Representatives who passed it on March 15th and is now awaiting the governor’s signature.

Application and exemptions

As far as application would be concerned, the law would apply to entities that conduct business in Iowa or offer services targeted towards Iowa residents and meet at least one of two conditions, namely, during a calendar year control or process the personal data or at least 100,000 consumers; or control or process the personal data or at least 25,000 consumers and derive more than 50% of their gross revenue from personal data selling. 

Additionally, the law would protect individuals acting in an individual or household context and individuals acting in a non-commercial way and employment records would be exempt. In this, the law distinguishes itself from, for example, California, which also protects employee data. It would also exempt financial institutions, nonprofits, institutions of higher education, or HIPAA covered entities. 

Controller obligations

Controller obligations include the following: 

• Adopting and implementing “reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.”
• Providing data subjects with “ a reasonably accessible, clear, and meaningful privacy notice.”
• Providing data subjects with “secure and reliable means for consumers to submit a request to exercise their consumer rights.”
• Establishing an appeals process for data subject access requests that are refused.
• Replying to data subjects requests no later than 90 days after receiving the request with the possibility to extend this period by an additional 45 days when reasonably necessary. 
• Providing consumers with a clear notice as well as an opportunity to opt out of the processing of their sensitive personal data. 
• Establishing contractual obligations for processors to ensure the adherence to the business’ instructions.

Data Subject Access Rights

Iowa’s privacy law would grant individuals the following rights:

• The right to confirm whether their personal data is processed and to access this data
• The right to delete their personal data
• The right to obtain a copy of the data “in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.”
• The right to opt out of the sale of personal data.

Enforcement and penalties

There is no private right of action under Iowa’s privacy law and the enforcing authority would be the Iowa Attorney General, who before initiating action against a controller who is in violation of the law, would grant said controller a 90 day cure period. 

If the violation is not cured within the 90 day period, penalties can go up to $7,500 for each violation.

Once signed by Iowa’s Governor, Kim Reynolds, the effective date for this law will be January 1st, 2025.

Update - 1st of April 2023

On March 29th, 2023 Iowa became the sixth state to enact a consumer data privacy bill with its being signed by the Governor of Iowa. The law will become effective as of January 1st, 2025, and we have included an overview of the law, which can be found here.