As expected, another state has joined the privacy party. This month, Iowa positioned itself to become the sixth state in the nation to pass legislation establishing consumer data privacy protections. Iowa Senate File 262 (“SF 262”) passed unanimously in both the Iowa House and Senate and is now awaiting the signature of Iowa Governor Kim Reynolds. Once signed into law, SF 262 will take effect on January 1, 2025. SF 262 mirrors many of the protections and rights provided in the data privacy laws of the five other states (California, Colorado, Connecticut, Utah, and Virginia). Below are the key highlights of the bill that businesses should know.
Who Does it Apply to?
SF 262 applies to a person that conducts business in Iowa or produces products or services targeted to residents of Iowa, and in a calendar year satisfies one of the following:
- Controls or processes personal data of at least 100,000 consumers; or
- Controls or processes personal data of at least 25,000 consumers and derives over 50% of its gross revenue from the sale of personal data.
Like other state privacy laws, SF 262 exempts certain entities and certain types of data. The exempted entities and data include, but are not limited to:
- The state or any political subdivisions of the state;
- Financial institutions or data subject to the Gramm-Leach-Bliley Act of 1999;
- Entities subject to HIPAA;
- Non-profit organizations;
- Institutions of higher education;
- Personal data subject to COPPA; and
- Personal data subject to FERPA.
Key Definitions
- “Personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” This does not include de-identified data, aggregate data, or publicly available information.
- “Targeted advertising” means “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.” This does not include:
- advertisements based on activity on the controller’s own or affiliated websites or applications;
- advertisements based on the context of a consumer’s search query, visit to a website, or online application;
- advertisements directed in response to a consumer’s request for information or feedback; or
- personal data that is processed solely to report advertising performance metrics.
- “Sale of personal data” is defined as the “exchange of personal data for monetary consideration by the controller to a third party.” This does not include disclosures of personal data in these circumstances:
- disclosure by a controller to a processor;
- disclosure to a third party in order to provide a product or service requested by the consumer;
- disclosure to the controller’s affiliate;
- disclosure of information that the consumer intentionally made available to the general public through a channel of mass media;
- disclosure or transfer of personal data to a third party at the direction of the consumer; or
- disclosure or transfer to a third party as part of a merger, acquisition, bankruptcy, or other transaction in which the third party takes control of all or part of the controller’s assets.
Iowa residents are provided with rights over their personal data. These rights include the right to:
- confirm whether a controller is processing their personal data and the right to access that data;
- delete personal data provided by the consumer;
- obtain a copy of their personal data in a portable format; and
- opt out of the sale of their personal data or of targeted advertising.
Controllers must respond to a consumer request within 90 days of receiving it. That period may be extended once by an additional 45 days when reasonably necessary given the complexity of the request, but the controller must inform the consumer of the extension, and the reason for it, within the initial 90-day period.
Responsibilities of Data Controllers:
SF 262 sets out duties that controllers must follow. These duties include, but are not limited to:
- adopting and implementing reasonable administrative, technical, and physical data security practices;
- providing consumers clear notice and an opportunity to opt out before processing sensitive data for a nonexempt purpose (a notice-and-opt-out model, rather than the opt-in consent that several other state laws require for sensitive data);
- providing clear and conspicuous disclosures to consumers if the controller sells personal data to third parties or engages in targeted advertising, including how consumers can opt out of such activity; and
- providing consumers a privacy notice that contains:
- categories of personal data processed by the controller;
- purpose for processing personal data;
- categories of third parties with which the controller shares personal data;
- categories of personal data shared with third parties; and
- how consumers can reliably exercise their rights and submit requests.
The Iowa Attorney General has exclusive authority to enforce SF 262; there is no private right of action. Before bringing an enforcement action, the Attorney General must give the controller or processor written notice of the alleged violations and a 90-day period to cure them. Violations of SF 262 are subject to civil penalties of up to $7,500 per violation.
Iowa representatives have described this as a “baseline bill” and have encouraged the Iowa General Assembly to continue updating it before the 2025 effective date. As another privacy law enters the scene, it becomes imperative for businesses to take serious steps to ensure they comply with these laws. Thankfully, the laws are following similar patterns. Creating and maintaining strong privacy and security practices now will ensure businesses are equipped to adapt to the ever-changing legal landscape.
We will continue to monitor SF 262 and any developments. For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy and Data Security mobile application.