Iowa has formally joined the ranks of states enforcing comprehensive data privacy legislation, with its law set to take effect from January 1, 2025. This move follows persistent legislative efforts since 2020 to establish robust data privacy frameworks to safeguard the information of over 3 million residents of the state.
This article is aimed at providing an early insight into the scope and implications of the new Iowa privacy law. Following the likes Colorado, Virginia, Utah, and Connecticut, here’s everything you need to know about Iowa privacy law👇
The “Iowa Consumer Data Protection Act” (“ICDPA”) governs entities conducting business in the state or producing services or products targeting its consumers. It affects businesses controlling or processing the personal data of at least 100,000 consumers or those deriving over 50% of gross revenue from the sale of personal data and controlling or processing data of at least 25,000 consumers. Notably, unlike other states, there is no revenue threshold that brings an organization within the scope of the law.
“Personal data” is defined as information reasonably linked to an identified or identifiable natural person, excluding deidentified, aggregate, or publicly available data.
“Sensitive data” is defined as information pertaining, among others, to racial or ethnic origin, religious beliefs, health diagnosis, sexual orientation, citizenship status, genetic or biometric data, children’s data, and precise geolocation data.
Consumers are endowed with the right to be informed about, access, delete, have portability of, and opt out of the sale of their personal data.
However, the law does not grant rights to correct personal data, avoid fully automated decisions, or opt out of specific processing, like targeted advertising or profiling, unlike laws in some other states.
Entities under this law are obligated to process personal data that is adequate, relevant, and limited to what is necessary, adopting reasonable administrative, technical, and physical data security practices.
Controllers must also provide consumers with a clear, accessible, and meaningful privacy notice, detailing the categories, purposes, and ways in which personal data is processed, and how consumers can exercise their rights.
The Iowa law mandates that consent must be a clear affirmative act, reflecting a:
Entities cannot discriminate against consumers exercising their rights under the law and are prohibited from processing sensitive data without clear notice and an opportunity for the consumer to opt out.
The law does not feature a private right of action, but empowers the attorney general with exclusive enforcement authority. Violating entities will have 90 days to cure violations after receiving written notice.
Failure to comply could lead to civil proceedings and fines of $7,500 per violation, paid into the consumer education and litigation fund.
Certain information and entities are exempt from the purview of this legislation, including data covered by existing federal laws like HIPAA, health records, human subjects research data, and data processed for employment purposes.
The law also does not apply to state governmental entities, financial institutions subject to the Gramm-Leach-Bliley Act, entities compliant with the HITECH Act and/or HIPAA, nonprofit organizations, and higher education institutions.
The enactment of the Iowa Privacy Law marks a significant stride in state-led efforts to secure consumer data. While sharing similarities with laws from other states, it introduces distinctive provisions affecting both consumers and businesses.
Entities must align their operations with this law to ensure seamless compliance and to avoid stringent penalties.
