State Regulatory Developments

Iowa Enacts Comprehensive Consumer Data Privacy Law

Iowa recently enacted a comprehensive state data privacy law (the Act), following other states like Virginia, California, Colorado, Utah, and Connecticut.  The Act will become effective on January 1, 2025.

Scope

The Act applies to persons doing business in the state or targeting products or services towards Iowa consumers that, during a calendar year, either (i) control or process the personal data of 100,000 or more consumers; or (ii) control or process the personal data of 25,000 or more consumers if over 50% of the person’s gross revenue is from selling personal data.  “Personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” but excludes “de-identified or aggregate data or publicly available information.”

Certain entities are exempt from the Act, including (i) financial institutions, their affiliates, and data that are subject to Title V of the Gramm-Leach-Bliley Act; and (ii) persons covered by and complying with Title II, subtitle F of HIPAA and Title XIII, subtitle D of the HITECH Act.  Certain kinds of data are also exempt, such as protected health information under HIPAA.

Consumer Rights

The Act grants Iowa consumers certain rights with respect to their personal data.  Consumers may request (i) confirmation of whether the controller is processing the consumer’s data and access to that data; (ii) deletion of the data obtained; (iii) with some exceptions, a copy of that data; and (iv) an opt-out of any sale of the consumer’s data.

The controller must reply to a consumer’s request within 90 days of receipt, but can extend this time once by 45 days, if reasonably necessary and the consumer is informed of the extension within the original 90-day time period.  Responses to a consumer’s reasonable requests are required to be provided up to twice a year for free.

Notice Requirements and Other Obligations

Among other duties under the Act, the controller must provide a privacy notice that includes certain information, such as the categories of personal data that it processes, the reason it is processing personal data, and any categories of personal data that are shared with third parties.  Additionally, the Act imposes certain requirements on contracts between controllers and processors.

Penalties and Enforcement

There is no private right of action in the Act.  The Iowa attorney general has exclusive enforcement authority.