As expected, the number of state consumer privacy laws continues to rise. Joining the ranks of California, Colorado, Connecticut, Utah and Virginia is now Iowa. On March 28, 2023, Iowa’s Governor signed the Iowa Data Privacy Act into law, which will go into effect on January 1, 2025. The Hawkeye State’s law closely mirrors Utah’s law, and it deviates in some of the same ways that Utah did from the model in Colorado, Connecticut and Virginia. The bad news, therefore, is growing discordance among the states as to a “model” for state consumer privacy bills. We now have California with its own model, Colorado, Connecticut and Virginia substantively aligned on most major items, and Utah and Iowa in a third camp. Iowa’s new law serves as yet another reminder of why having a federal consumer privacy bill, with preemption, could be critical to easing the compliance burden on companies.
Back to Iowa, those already in compliance or working towards compliance with the laws of the other states’ privacy laws may find it straightforward to incorporate the obligations of Iowa’s new law and have until 2025 to become compliant. Below we provide an overview of some of the key aspects of Iowa’s new consumer privacy law.
To whom does Iowa’s Data Privacy Act (IDPA) apply to?
Unlike California and Utah, the IDPA does not include a revenue threshold. To be subject to the IDPA, a business must do business in Iowa or target products or services to Iowa consumers and either…
Control or process personal data of 100,000 or more Iowa consumers; or
Control or process personal data of 25,000 or more Iowa consumers and derive over 50% of gross revenue from the sale of that data.
Who is a “consumer”?
In the IDPA, a “consumer,” is a natural person who is a resident of Iowa acting in a personal (noncommercial and nonemployment) context. This means that employees and B2B contacts are expressly excluded from the definition of “consumer”; this is similar to all other state laws except for California.
Who can enforce the IDPA?
The Iowa Attorney General has exclusive enforcement authority, and there is an express provision disclaiming any private right of action. Before initiating any enforcement proceeding, the Attorney General must give 90 days’ written notice and an opportunity to cure to the controller. If an enforcement action follows, violations of the IDPA can be up to $7,500 per violation.
Who is exempt?
The exemptions of the IDPA closely mimic those of other state privacy laws. For example, personal information covered by laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act, the Family Educational Rights and Privacy Act and a litany of other federal laws.
In addition, the IDPA does not apply to government entities, nonprofit organizations or higher education institutions.
What obligations are imposed?
The IDPA imposes what should now be considered “standard” obligations on data controllers in jurisdictions with consumer privacy laws. That means controllers subject to the IDPA must:
Limit the purpose of processing personal data to that which is reasonably necessary and proportional;
Take steps to implement reasonable safeguards for the personal data within their control;
Refrain from discriminating against consumers for exercising their rights and from processing personal data in violation of federal laws that prohibit discrimination;
Be transparent in their reasonably accessible, clear and meaningful privacy notice; and
Ensure contracts control relationships with their processors (note: the law itself details the minimum necessary provisions of these contracts).
What is not there?
The IDPA does not include certain features of other state consumer privacy laws, including, for example:
No data protection or privacy risk assessment requirements.
No consumer right to correct.
No specific language around automated decision making.
What consumer rights are created by the IDPA?
Controllers must provide a limited, but standard, set of consumer rights to Iowa consumers:
Opt-out rights (to the sale of personal data, targeted marketing and the use of sensitive personal information for nonexempt purposes);
Deletion rights (with respect to the data provided by the consumer);
Access rights (including a right to confirm whether the controller is processing any data at all);
Appeal rights; and
Data portability rights.
Sensitive Personal Information
Under the IDPA, “sensitive information” is considered personal data that includes information such as racial/ethnic origin, religious beliefs, mental or physical health diagnosis, certain uses of citizenship status, information from a known child and geolocation data within a 1,750-foot radius, among others. Controllers must provide clear notice and an opportunity to the consumer to opt out of nonexempt processing. With respect to the sensitive data collected from a known child, data controllers must abide by COPPA obligations.
So, what is nonexempt processing? That phrase is not defined in the IDPA, but likely refers to those internal data uses expressly permitted in Section 7 of the IDPA, including, for example, compliance with state law, fraud detection and other internal data uses.
Respond to consumer inquires
Controllers must respond to a consumer personal data request within ninety (90) days of receipt of the request, with a forty-five (45) day extension available. This is a longer period of time for response than in any of the other states that have passed consumer privacy laws. If a consumer appeals a decision of the controller to deny a consumer request, the appeal response must be delivered within sixty (60) days.
When does the IDPA take effect?
The IDPA comes into effect on January 1, 2025.
Creating a successful and effective, comprehensive privacy program for your organization requires a thorough understanding of both the relevant legal obligations and the personal data subject to compliance. Setting up a program that is prepared to respond to various state privacy laws as they come into effect will save organizations time in the long run, especially as many of these laws reflect one another.
If you have questions or need assistance in readiness work for the new state consumer laws, please contact your regular McDermott lawyer or reach out to David Saunders or Allison Tassel.