Companies around the world should start preparing for the Iowa Consumer Data Protection Act (“Iowa Act“) with respect to personal data of consumers in Iowa. With the Iowa Act, Iowa follows the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020 (CCPA), but excludes consumers acting in a commercial or employment context.
Businesses that have implemented measures to comply with the CCPA and other US state privacy laws can leverage some of their existing vendor contract terms, website disclosures and data subject rights response processes to satisfy requirements under the Iowa Act.
The Iowa Act becomes effective January 1, 2025 and does not include a look-back period for violations.
Who and what data are protected?
“Consumers” are protected under the Iowa Act, defined as Iowa residents acting in an individual or household context. Individuals acting in an employment or commercial context are expressly excluded from protection.
The Iowa Act defines “personal data” to mean information that is linked or reasonably linkable to an identified or identifiable natural person, but does not include information that is de-identified, aggregate or publicly available.
The Iowa Act includes exemptions for certain types of data and entities. These exemptions include institutions governed by the Gramm-Leach-Bliley Act (GLBA), persons who are subject to and comply with the Health Insurance Portability and Accountability Act (HIPAA) and data that is protected health information under HIPAA, nonprofit organizations, and personal data used in accordance with the Children’s Online Privacy Protection Act (COPPA).
Who must comply?
Unless an entity or data based exemption applies, the Iowa Act applies to data processing activities of “controllers” and “processors” that conduct business in Iowa or produce products or services that are targeted to Iowa residents, and that during a calendar year does either of the following (i) controls or processes personal data of 100,000 or more Iowa residents; or (ii) controls or processes personal data of at least 25,000 Iowa residents and derives over 50 percent of gross revenue from the sale of personal data.
“Controller” is analogous to a “business” under the CCPA and is defined as a person that, alone or jointly with others, determines the purposes and means of processing personal data. “Processor” is analogous to a “service provider” under the CCPA and is defined as a person who processes personal data on behalf of a controller. The Iowa Act defines the “sale” of personal information more narrowly than the CCPA; for example, the CCPA defines “sale” to mean a disclosure in exchange for monetary or other valuable consideration, whereas the Iowa Act’s definition only refers to monetary consideration.
How to comply?
Privacy Notices. Under the Iowa Act, controllers shall provide a reasonably accessible, clear, and meaningful privacy notice that includes: (i) the categories of personal data processed by the controller; (ii) the purpose for processing personal data; (iii) how consumers may exercise their rights and how a consumer may appeal a controller’s decision with regard to a consumer’s request; (iv) the categories of personal data that the controller shares with third parties, if any (note that the Iowa Act does not have a specific and unintuitive definition of “sale” like the CCPA does); (v) the categories of third parties, if any, with whom the controller shares personal data, and (vi) information on a secure and reliable means for consumers to submit a request to exercise their consumer rights under the Iowa Act. The Iowa Act does not require controllers to include certain elements that the CCPA requires to be included in privacy disclosures, such as information on sources of personal data, or information on financial incentives offered in exchange for the collection, retention or sale of personal information. Nevertheless, and depending on what notices a business currently issues and what they cover, many businesses can leverage current privacy notices to comply with the Iowa Act by updating such notices to include statements regarding the right under the Iowa Act to appeal a controller’s decision with respect to data subject requests.
The Iowa Act also requires controllers that “sell” personal data to third parties or engages in “targeted advertising” (as defined in the law) to clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing. This disclosure requirement is potentially inconsistent with the Iowa Act not explicitly giving consumers the right to opt out of targeted advertising.
Sensitive Data. Like the CCPA, which has an “opt-out” regime for the processing of sensitive personal information beyond certain authorized purposes, the Iowa Act requires a controller to not process sensitive data collected from a consumer for a nonexempt purpose without the consumer having been presented with clear notice and an opportunity to opt out. Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizen or immigration status are included in the Iowa law as “sensitive data” except to the extent such data is used in order to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law.
Technical and Organizational Measures, Assessments. The Iowa Act requires controllers to adopt and implement reasonable administrative, technical and physical data security practices. Unlike in California, where the California Privacy Protection Agency is tasked under the CCPA with issuing regulations that will require audits and risk assessments, the Iowa Act does not require assessments.
Processor Duties, Data Processing Agreements. Processors are required to assist controllers in their duties under the law including with respect to obligations to respond to consumer rights requests. Before a processor performs any processing on behalf of a controller, the parties must enter into a contract that includes terms similar to those required under other US state privacy laws (and the GDPR). Businesses should continue to update their contracts while keeping standardization in mind where possible (see standardizing data-processing agreements globally).
Data Subject Rights. Under the Iowa Act, a consumer has the right to know whether a controller is collecting their personal data, to access their collected personal data, to download and remove personal data from a platform in a format that allows the transfer to another, and to delete personal data provided by the consumer. Consumers also have the right to opt out of the sale of their personal data, and the right not to be discriminated against for exercising their rights under the Iowa Act. But, unlike the CCPA, the Iowa Act: (i) does not include restrictions on profiling; and (ii) provides that, if a controller reasonably believes that the primary purpose of a data subject request is not to exercise a consumer right, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The Iowa Act appears to impose purpose limitation and data minimization requirements on companies that wish to process Iowans’ personal information for a number of specified purposes, such as providing products or services to consumers, taking steps at the request of a consumer prior to entering into a contract, detecting security incidents, and performing internal operations that are reasonably aligned with the expectations of the consumer. However, the Iowa Act also states that it shall not be construed to restrict a company’s ability to process personal information for the specified purposes, so it is unclear whether companies are actually bound by the Iowa Act’s purpose limitation and data minimization requirements.
Responding to Data Subject Rights Requests. The Iowa Act provides that consumers, once they have been authenticated, receive responses to consumer requests without undue delay but in any case within 90 days of receipt of the request (which is a longer timeline than those found in the CCPA and the consumer privacy laws of Virginia, Colorado, Connecticut and Utah). Controllers may extend this time period by another 45 days where reasonably necessary, and the consumer will ultimately have the ability to appeal any decision made by the controller under the controller’s appeal process (which the Iowa Act requires controllers to put into place). The appeals process must provide the consumer with an appellate response within 60 days and must provide consumer information on how to contact the Iowa Attorney General online if the consumer has concerns about the results of any appeal. This contrasts with the CCPA, which does not mandate an appeals process, but is similar to other US state laws such as the Virginia Consumer Data Protection Act.
Overall, businesses that have taken measures to comply with the Virginia Consumer Data Protection Act should find it easy to comply also with the Iowa Act. Businesses do not need to expand measures concerning California residents protected by CCPA (including employees and business representatives) to Iowa residents.
Sanctions and remedies. Iowa consumers do not receive a private right of action under the Iowa Act. The Iowa Attorney General can issue a civil investigative demand and may seek an injunction and civil penalties of up to USD 7,500 for each violation. In this respect, the Iowa Act resembles the CCPA and the comprehensive consumer privacy laws in Colorado, Connecticut, Virginia and Utah (except that the potential fines per violation under Colorado’s law are higher). The CCPA grants a limited right of private action and statutory damages in case of data security breaches, which none of the other state laws match. The Iowa Attorney General must first issue a notice of violation to a controller or processor and allow a 90-day cure period before pursuing an enforcement action, which is longer than any of the analogous cure periods in Colorado, Connecticut, Virginia and Utah (and the CCPA does not establish any statutory cure period).
Similar to the CCPA, under the Iowa Act, any moneys collected shall be paid into a consumer education and litigation fund.