Iowa Governor Signs into Law Comprehensive Consumer Privacy LawMarch 29, 2023

On March 28, 2023 Iowa Governor Kim Reynolds signed into law Senate File 262 (SF 262). SF 262, scheduled to go into effect January 1, 2025, makes Iowa just the sixth U.S. state to pass a comprehensive state privacy law. The new law is a “global” consumer rights privacy law focused largely on general consumer rights and compliance requirements for data “controllers” and “processors” of personal data.

What Data is Covered?

The new law protects consumers’ “personal data” and “sensitive data.” Personal data is defined as “any information linked or reasonably linked to an identified or identifiable natural person.” Sensitive data includes the following:

• Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, except to the extent such data is used in order to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination laws.
• Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person.
• The personal data collected from a known child.
• Precise geolocation data.

Several types of data are excluded from coverage, including HIPAA protected health information, health records, patient identifying information, information collected for research purposes, information collected only for public health activities, information relating to consumer credit worthiness or standing, information regulated by the Federal Family Educational Rights and Privacy Act (FERPA), the Farm Credit Act, and others.

What Business Entities Must Comply?

Broadly, SF 262 applies to “controllers” and “processors.” A controller is “a person that, alone or jointly with others, determines the purpose and means of processing personal data.” A processor is defined as “a person that processes personal data on behalf of a controller.”

Of all data controllers and processors, SF 262 applies to any “person conducting business in the state [of Iowa] or producing products or services that are targeted to consumers who are residents of the state and that during a calendar year does either of the following:

• controls or processes personal data of at least one hundred thousand consumers,
• controls or processes personal data of at least twenty-five thousand consumers and derives over fifty percent of gross revenue from the sale of personal data.”

Notably, the State itself (along with political subdivisions of the State), financial institutions and affiliates thereof, data regulated by the Gramm-Leach Bliley Act (GLBA), entities regulated under the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH), nonprofits, and institutions of higher education are exempted from complying with SF 262.

What Consumer Rights are Created?

The law empowers consumers to submit requests to data controllers (e.g., businesses collecting and using their personal information) in order to learn whether a controller is processing the consumer’s personal data, access/obtain a copy of that personal data, delete the personal data, and opt out of the sale of personal data. In situations where data controllers refuse to comply with one or more of these requests, consumers also have a right to appeal the decision by the data controller.

What is Required for Compliance?

Controllers regulated by SF 262 must:

• Review and authenticate consumer inquiries about their personal data.
• Respond to consumer requests “without undue delay” and in all cases within ninety days of the receipt of a request submitted (with an extension period possible upon showing of good cause).
• Upon request, provide to each consumer a copy of their personal data collected/used by the controller.
• Establish a process for consumers to appeal a controller’s refusal to take action in response to a consumer inquiry.
• Implement and adopt “reasonable administrative technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.”
• Refrain from processing sensitive data collected for purposes within the scope of the law without prior consent from the consumer.
• Comply with other applicable state and federal laws.
• Provide consumers with a privacy notice that details the categories of personal data processed, the purpose for processing personal data, how consumers may exercise their rights under the law (e.g., how consumers can submit an inquiry about their consumer rights), categories of personal data shared with third parties, whether the personal data is sold to third parties, whether the controller engages in targeted advertising, and how to opt out of the sale of personal data.

Processors regulated by SF 262 must:

• Assist controllers in their duties required by SF 262 (e.g., help controllers respond to consumer requests about personal information, notify the controller of a security breach).
• Have a contract with the controller that specifies the processor’s data processing procedures, ensure the processor will maintain confidentiality of the data, and upon request by the controller, agree to make available, delete or return the personal data to the controller.

What are the Penalties for Lack of Compliance?

The enforcement of SF 262 is the exclusive responsibility of the Iowa State Attorney General (AG). SF 262 does not create a private right of action. Individuals may submit complaints to the Attorney General in order to alert the AG that a violation of SF 262 is occurring. Regardless of how the AG becomes aware of a violation, the AG will send a written notice to a controller or processor in violation of SF 262, giving the entity 90 days to cure any such violation(s). If a controller or processor continues to violate SF 262, the AG may initiate an action in the name of the state, seeking an injunction of any violations and civil penalties of up to $7,500 USD for each violation.

Comparison with Other States

Iowa’s SF 262 is most comparable to Utah’s Consumer Privacy Act (UCPA). SF 262 provides exemptions for consumer rights where “pseudonymous data” and “de-identified data” (as defined by the bill) are involved, including certain opt-out rights. Like Utah and Virginia, Iowa’s new law has a fairly narrow definition of “sale” of personal data (specifically, the exchange of personal data for monetary consideration by the controller to a third party).

SF 262 does differ from existing state privacy laws on a few grounds. For example, it only requires “clear notice” (different from affirmative “consent” and potentially satisfied by a privacy notice) and an option to opt-out of processing of sensitive data, while other states like Colorado, Connecticut, and Virginia adopted opt-in requirements. The Iowa bill also lacks a consumer right to correct data. There are also no explicit requirements for covered entities to conduct privacy impact assessments or implement data minimization principles beyond the implementation of “reasonable” data practices. Finally, unlike California, SF 262 does not create a private right of action.

Questions?

If you have more questions about becoming compliant with SF 262 or other data privacy and cybersecurity laws, Sarah will be presenting on data privacy at the Technology Association of Iowa (TAI) Technology Summit held on April 3-4, 2023 and the Iowa Association of Business and Industry (ABI) Taking Care of Business Conference held on June 13-15, 2023. You can also contact Sarah directly at sarah.luth@ipmvs.com.

Sarah M.D. Luth is an Intellectual Property Attorney in the MVS Biotechnology & Chemical Practice Group. To learn more, visit our MVS website.