Iowa’s New Privacy Law: The Basics

To whom does Iowa’s Data Privacy Act (IDPA) apply to? 

Unlike California and Utah, the IDPA does not include a revenue threshold. To be subject to the IDPA, a business must do business in Iowa or target products or services to Iowa consumers and either…

1. Control or process personal data of 100,000 or more Iowa consumers; or
2. Control or process personal data of 25,000 or more Iowa consumers and derive over 50% of gross revenue from the sale of that data.

Who is a “consumer”?

In the IDPA, a “consumer,” is a natural person who is a resident of Iowa acting in a personal (noncommercial and nonemployment) context. This means that employees and B2B contacts are expressly excluded from the definition of “consumer”; this is similar to all other state laws except for California.

Who can enforce the IDPA? 

The Iowa Attorney General has exclusive enforcement authority, and there is an express provision disclaiming any private right of action. Before initiating any enforcement proceeding, the Attorney General must give 90 days’ written notice and an opportunity to cure to the controller. If an enforcement action follows, violations of the IDPA can be up to $7,500 per violation.

Who is exempt?

The exemptions of the IDPA closely mimic those of other state privacy laws. For example, personal information covered by laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act, the Family Educational Rights and Privacy Act and a litany of other federal laws.

In addition, the IDPA does not apply to government entities, nonprofit organizations or higher education institutions.

What obligations are imposed?

The IDPA imposes what should now be considered “standard” obligations on data controllers in jurisdictions with consumer privacy laws. That means controllers subject to the IDPA must:

1. Limit the purpose of processing personal data to that which is reasonably necessary and proportional;
2. Take steps to implement reasonable safeguards for the personal data within their control;
3. Refrain from discriminating against consumers for exercising their rights and from processing personal data in violation of federal laws that prohibit discrimination;
4. Be transparent in their reasonably accessible, clear and meaningful privacy notice; and
5. Ensure contracts control relationships with their processors (note: the law itself details the minimum necessary provisions of these contracts).

What is not there?

The IDPA does not include certain features of other state consumer privacy laws, including, for example:

• No data protection or privacy risk assessment requirements.
• No consumer right to correct.
• No specific language around automated decision making.

What consumer rights are created by the IDPA?

Controllers must provide a limited, but standard, set of consumer rights to Iowa consumers:

1. Opt-out rights (to the sale of personal data, targeted marketing and the use of sensitive personal information for nonexempt purposes);
2. Deletion rights (with respect to the data provided by the consumer);
3. Access rights (including a right to confirm whether the controller is processing any data at all);
4. Appeal rights; and
5. Data portability rights.

Sensitive Personal Information

Under the IDPA, “sensitive information” is considered personal data that includes information such as racial/ethnic origin, religious beliefs, mental or physical health diagnosis, certain uses of citizenship status, information from a known child and geolocation data within a 1,750-foot radius, among others. Controllers must provide clear notice and an opportunity to the consumer to opt out of nonexempt processing. With respect to the sensitive data collected from a known child, data controllers must abide by COPPA obligations.

So, what is nonexempt processing? That phrase is not defined in the IDPA, but likely refers to those internal data uses expressly permitted in Section 7 of the IDPA, including, for example, compliance with state law, fraud detection and other internal data uses.

Respond to consumer inquires

Controllers must respond to a consumer personal data request within ninety (90) days of receipt of the request, with a forty-five (45) day extension available. This is a longer period of time for response than in any of the other states that have passed consumer privacy laws. If a consumer appeals a decision of the controller to deny a consumer request, the appeal response must be delivered within sixty (60) days.

When does the IDPA take effect?

The IDPA comes into effect on January 1, 2025.

***

Creating a successful and effective, comprehensive privacy program for your organization requires a thorough understanding of both the relevant legal obligations and the personal data subject to compliance. Setting up a program that is prepared to respond to various state privacy laws as they come into effect will save organizations time in the long run, especially as many of these laws reflect one another.

If you have questions or need assistance in readiness work for the new state consumer laws, please contact your regular McDermott lawyer or reach out to David Saunders or Allison Tassel.