Iowa Passes Sixth State Comprehensive Privacy Law

By Sheila Sokolowski

Senate File 262, a comprehensive privacy law, was signed by the Governor of Iowa on March 28, 2023, thereby becoming law. As a result, Iowa has officially become the sixth state with a comprehensive privacy law, joining California, Colorado, Connecticut, Utah, and Virginia.  

The key features of Senate File 262 are as follows: 

Applicability 

It applies to anyone who conducts business in Iowa or produces goods or services targeted to Iowa residents and meets one of two thresholds: (1) controls or processes personal data of at least 100,000 Iowa residents, or (2) derives 50 percent or more of gross revenue from the sale of personal data and controls or processes personal data of at least 25,000 Iowa residents. “Sale” is narrowly defined as the exchange of personal data for monetary consideration by the controller to a third party. 

Exemptions 

Entity and information exemptions exist for entities complying with, and information protected by, the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA). There are also additional entity exemptions for non-profits and institutions of higher education. Information that constitutes “health records,” human subject research records, and information processed in compliance with FCRA, FERPA, the Farm Credit Act, or COPPA is also exempt. The law does not apply to de-identified or aggregate data, or to publicly available information. 

Consumer Rights 

Under the law, consumers can exercise the following data subject rights against personal data controllers: 

  • Confirmation and Access. To confirm whether a controller is processing their personal data, and to access that personal data.  

  • Portable Copy. To obtain a copy of their personal data in a portable form, but only the personal data that the consumer previously provided to the controller (and excluding certain personal data types that trigger data breach notification requirements under Iowa law).  

  • Deletion. To delete personal data that they provided to the controller.  

  • Sale Opt-Out. To opt out of the “sale” of personal data.  

  • Sensitive Personal Data Opt-Out. To opt out of the processing of sensitive personal data, unless that processing is exempt from the law’s requirements.  

Controllers must respond to requests to exercise these rights within ninety days, with a right to extend the deadline by an additional forty-five days when necessary. Controllers must maintain an appeal process, and where an appeal is denied, must provide an online mechanism for submitting a complaint to the Iowa attorney general. 

The right to opt out of targeted advertising is not clearly established, but controllers are required to disclose how a consumer may exercise the right to opt out of it. There is no right to correct inaccurate information, nor a right to opt out of profiling for automatic decision-making.  

Privacy Notices 

Controllers must have privacy notices that address: 

  • Categories of personal data processed; 

  • Purposes of processing; 

  • How consumer rights can be exercised, and how decisions can be appealed; 

  • Categories of personal data shared with third parties; 

  • Categories of third parties with whom personal data is shared; and 

  • Whether the controller: (1) sells personal data to third parties; or (2) engages in targeted advertising. 

Data Governance Requirements 

Controllers are required to implement reasonable administrative, technical, and physical safeguards to protect personal data, but the law does not require particular safeguards.  

Controllers that disclose data in a pseudonymous or de-identified form are required to exercise “reasonable oversight” to monitor compliance with contractual commitments for such data and must take appropriate steps to address breaches of those contractual commitments. 

There is no requirement to conduct data processing impact assessments or to minimize what personal data is processed. 

Contracts and Processor Obligations 

Controllers and processors are required to enter into contracts that govern the processor’s data processing activities. Contracts must contain provisions covering the topics specified in the law, including several specific requirements that processors must comply with. 

Independent of the contract requirements, the law also imposes some general duties on data processors, including assisting in fulfilling consumer rights and securing personal data.  

Enforcement 

The Iowa Attorney General has exclusive authority to enforce the law and must provide a controller or processor with a 90-day cure period before taking action. Civil penalties range up to $7,500 per violation.  

Sheila Sokolowski is a Partner at Hintze; she has expertise on HIPAA and health privacy and co-chairs the firm’s Health and Biotech Privacy Group.
Hintze Law PLLC is a Chambers-ranked privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support global technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.