Six and Counting: Iowa Enacts Consumer Privacy Law

On March 28, 2023, Iowa Governor Kim Reynolds signed Senate File 262 (“SF 262”) into law, making Iowa the sixth US state to enact a comprehensive consumer privacy law, following California, Colorado, Connecticut, Utah, and Virginia. Iowa’s new privacy law takes effect on January 1, 2025, and adopts several familiar provisions of existing state privacy laws, but some notable differences will make compliance more complex for businesses operating across these six states. In some respects, the Iowa law provides a narrower set of rights than the laws in other states—it does not provide a right of correction or an opt-out from targeted advertising or profiling. The statute embraces other concepts familiar to state privacy laws, including assigning obligations to controllers and processors of personal data.

Scope and Exemptions

Under SF 262, personal data is defined as any information that is “linked or reasonably linkable to an identified or identifiable natural person.” Unlike California’s definition of personal data, the Iowa statute does not include personal information that is linked or linkable to a household or employer data that is processed or maintained in the course of an individual applying to or employed by a business “to the extent the data is collected and used within the context of that role.” Similar to other state privacy laws, personal data also expressly excludes de-identified or aggregate data or “publicly available information.” Iowa defines publicly available information as “information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media” by the consumer.

SF 262 applies to any business that (1) conducts business in Iowa or produces products or services that are targeted to consumers who are residents of Iowa; and (2) satisfies one of the following thresholds: (a) the business controls or processes personal data of at least 100,000 consumers; or (b) the business controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data. In contrast to privacy statutes in California and Utah, SF 262 does not include a general revenue threshold of applicability.

The statute exempts Iowa governmental entities, financial institutions subject to the Gramm-Leach-Bliley Act, entities subject to the Health Insurance Portability and Accountability Act, nonprofit organizations, institutions of higher education, and other personal consumer credit data to the extent that it is regulated by other federal privacy laws, including the Fair Credit Reporting Act, the Driver’s Privacy Protection Act of 1994, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Children’s Online Privacy Protection Act (COPPA).

Consumer Rights

SF 262 provides Iowa consumers four specific rights:

• The right to confirm whether a controller is processing the consumer’s personal data and to access such personal data;
• The right to delete personal data provided by the consumer;
• The right to data portability; and
• The right to opt-out of the sale of personal data.

Notably missing from the Iowa statute are the right to correct personal data and the right to opt-out of targeted advertising and profiling. Despite the absence of an express consumer right to opt-out of targeted advertising, the Iowa law does require controllers who sell a consumer’s data to third parties or engage in targeted advertising to “clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.”

The sale of personal data is defined as “the exchange of personal data for monetary consideration by the controller to a third party,” which does not follow the broader definition under California law that also includes exchanges for “valuable consideration.” The sale of personal data does not include disclosures of personal data:

• To a processor that processes the personal data on behalf of the controller;
• To a third party for purposes of providing a product or service requested by the consumer or a parent of a child;
• To an affiliate of the controller;
• That the consumer intentionally made available to the general public and did not restrict to a specific audience;
• When a consumer uses or directs a controller to intentionally disclose personal data or intentionally interact with one or more third parties; and
• To a third party as an asset as part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

In contrast to certain provisions in some other states’ privacy laws, an Iowa consumer may not appoint a representative to exercise these rights on their behalf; only the Iowa resident whose data is at issue (or a minor’s parent or legal guardian) may exercise their rights. Companies must respond to consumer requests within 90 days of receipt, twice as long as the response period prescribed by the five existing state privacy laws. This response period may be extended once by 45 additional days when reasonably necessary considering the complexity and number of requests. Companies must provide consumers instructions for appealing a controller’s refusal to act on a request within a reasonable period of time.

Data Controller Duties

Controllers, defined as entities who determine “the purpose and means of processing personal data,” must adopt and implement reasonable administrative, technical, and physical data security practices to protect personal data, which must be proportionate to the volume and nature of personal data collected. Iowa does not require data security assessments or audits.

Under SF 262, a controller must provide consumers with a reasonably accessible, clear, and meaningful privacy policy, which outlines the following:

• The categories of personal data processed by the controller;
• The purpose for processing personal data;
• How consumers may exercise their consumer rights;
• The categories of personal data that the controller shares with third parties, if any; and
• The categories of third parties, if any, with whom the controller shares personal data.

Controllers must allow consumers to opt-out of the processing of their “sensitive data,” although the consumer’s consent for processing such data is not required. Processing of a known child’s sensitive data must comply with the federal COPPA. Sensitive data is defined to include:

• A person’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
• Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person;
• The personal data collected from a known child (younger than 13 years old); or
• Precise geolocation data.

Controllers may not process personal data in violation of state and federal laws that prohibit unlawful discrimination against a consumer. Further, controllers may not discriminate against consumers for exercising any of the consumer rights set forth above.

Enforcement and Penalties

Similar to other state privacy laws, SF 262 expressly does not provide for a private right of action. Rather, the Iowa Attorney General holds exclusive authority to enforce the statute’s requirements. Prior to initiating an action, the Attorney General must provide 90 days' written notice identifying the specific provisions that are alleged to have been violated. If, within the 90 days, the controller or processor cures the violation and provides the Attorney General an express, written statement that the alleged violation has been cured and that no further violations will occur, then no action may be initiated. However, if the violation persists, the Attorney General may seek up to $7,500 for each violation of the statute.

What is on the horizon?

States will continue to enact comprehensive data privacy laws, and several states’ legislatures have introduced and advanced bills this year. Eighteen state legislatures are currently debating active privacy bills, with proposals in Indiana, Kentucky, Montana, New Hampshire, and Oklahoma receiving approval from one chamber of the legislature. Although bills in these states are not yet finalized, proposals in Kentucky and Oklahoma generally follow the model set by Utah and Iowa, with a narrower set of consumer rights and business obligations, while bills in Montana, Indiana, and New Hampshire include at least some broader provisions similar to California, Colorado, Connecticut, and Virginia. These provisions include a consumer's right to correct their personal information, increased consumer control over processing of their sensitive personal information, and a requirement for businesses to conduct data risk assessments. In 2022, three states enacted data privacy laws (Connecticut, Virginia, and Utah); Iowa is the first state to enact a data privacy statute this year, but it is unlikely to be the last.

The growing number and variety of state privacy laws will likely continue as long as there is no federal privacy statute. In recent years, both proponents and opponents of state privacy regulatory schemes have assumed that a growing patchwork of state privacy frameworks would prompt Congress to enact preemptive federal privacy legislation. But federal action remains elusive. The last Congress saw a proposed federal privacy bill advance further than any previous measure. The American Data Privacy and Protection Act (H.R. 8152) passed the House Energy and Commerce Committee but was never taken up by the full House or Senate. Legislators on both sides of the political divide have expressed support for enacting comprehensive privacy legislation in the current Congress, but prior obstacles to passing such legislation remain, including the scope of any preemption of state laws.

© 2023 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.