On March 28, 2023, Iowa’s governor signed Senate File 262 into law, making Iowa the sixth U.S. state to pass a comprehensive privacy law. The law will take effect on January 1, 2025, with no stated grace period for enforcement.
Like Utah’s law, Iowa’s law is business-friendly in that it imposes fewer obligations than the other state privacy laws. As discussed in more detail below, Iowa’s law:
- Provides more limited consumer rights;
- Does not require controllers to conduct data protection impact assessments;
- Requires notice and opt out of processing sensitive data rather than consent; and
- Does not regulate dark patterns.
The law applies to a person that conducts business in Iowa or produces products or services targeted at Iowa residents (“consumers”) and that, during a calendar year, either:
- Controls or processes personal data of at least 100,000 consumers; or
- Controls or processes personal data of at least 25,000 consumers and derives 50% or more of its gross revenue from the sale of personal data.
Like the Colorado, Virginia, Utah, and Connecticut laws, Iowa’s law does not apply to employee or B2B data. It exempts government entities, nonprofits, financial institutions, institutions of higher education, and certain data or entities that are subject to certain federal privacy laws.
Iowa’s law provides consumers with the rights to access, delete, and request a copy of personal data, and to opt out of the sale of personal data. “Sale” means the exchange of personal data with a third party for monetary consideration, the narrow definition adopted by Virginia and Utah. Iowa’s law follows Utah and California by requiring notice and the ability to opt out of the processing of sensitive data (defined similarly to other state privacy laws). Iowa also follows Utah in not providing the right to correct personal data and not defining or providing a right to opt out of profiling that produces legally or similarly significant effects.
Breaking with other state privacy laws, Iowa’s law does not provide the right to data portability or an express right to opt out of the use of personal data for targeted advertising purposes, though the law does require controllers to disclose how users may opt out of such activity. It remains to be seen if the Iowa Attorney General (“AG”) will interpret this to imply a right to opt out of targeted advertising. The law does not require controllers to recognize opt-out preference signals. Controllers initially have 90 days to respond to consumer requests, instead of the 45 days required by the other state laws. As in Colorado and Virginia, consumers have the right to appeal the denial of a request.
Security & Contracting Provisions
As noted above, Iowa’s law (like Utah’s) does not require controllers to perform data protection impact assessments or evaluate “dark patterns.” In other respects, the core controller and processor obligations under Iowa’s law are similar to those in other state privacy laws in that controllers must:
- Implement reasonable security measures;
- Present consumers with a privacy notice that contains the typical provisions; and
- Enter into contracts with processors that include familiar provisions (such as stating the purposes and nature of the processing and requiring the processor to flow down its obligations to subprocessors).
There is no private right of action under the law, which will be exclusively enforced by the Iowa AG. The law provides a mandatory ninety-day notice and cure period before the AG can commence an enforcement action. However, an action can commence sooner if an entity breaches an express statement to the AG that it has cured the identified non-compliance. The AG may seek monetary damages of up to $7,500 per violation of the law and injunctive relief. Lastly, as in Virginia’s law, Iowa’s law does not provide for any regulatory or rule-making authority.