On March 29th, Iowa joined California, Colorado, Connecticut, Utah, and Virginia in enacting a comprehensive privacy law. Over the last 3 years, legislators have struggled to get meaningful movement on their proposed bills, but this year resulted in success with a law that goes into effect on January 1, 2025.
Key elements of Iowa’s privacy law
- Scope
- Companies that control or process personal data on 100,000 Iowan consumers or gain 50% of revenue from selling the data of more than 25,000 consumers
- Consumer Rights: 90-day DSAR response data subject request responses and a non-sunsetting right to cure, and enforcement via the attorney general
- Exemptions
- Government entities
- Financial institutions, their affiliates and entities subject to the Gramm-Leach-Bliley Act
- Entities who are subject to and comply with the Health Information Technology for Economic and Clinical Health Act and/or HIPAA
- Nonprofit organizations
- Higher education institutions
- Consumer Rights
- Access
- Delete
- Data portability
- Opt-Out of sale
Important compliance considerations
Data minimization is important as the law outlines that information should only be stored if reasonably necessary and proportional to the purposes listed. Controllers are called upon to make reasonable efforts to protect the confidentiality and integrity of consumer data. In contrast to Colorado, Connecticut, and Virginia, Iowa’s new law mandates that covered companies give notice and an option to opt-out rather than requiring an opt-in choice for the processing of sensitive data, aligning with Utah and California. For opt-ins and consent it must be in clear, unambiguous terms and require affirmative action to approve the processing of their data.
Iowa seeks to further protect consumers through nondiscrimination verbiage to keep controllers from punishing consumers for “exercising their rights, but may offer different prices to consumers based on certain factors like a consumer’s voluntary participation in a bona fide loyalty program.” Additionally, contracts must be in place with any processors with whom the controller shares data that outline the instructions for and reasons for the processing, which data can be processed, how long data can be stored, and duties required of both the controller and processor.
Enforcement of Iowa privacy law
The Iowa privacy law lacks a private right of action, just like the privacy laws passed by Colorado, Connecticut, Virginia, and Utah. Nonetheless, it does provide the attorney general the sole authority to use investigative demands to enforce the law. Written notices by the AG will include a 90-day cure period. If compliance is not achieved during the cure period, a fine of $7,500 can be assessed per violation.
With some overlap between Iowa and the five other comprehensive privacy laws, compliance shouldn’t be excessively challenging for organizations. Iowa’s law outlines straightforward compliance that errs on the side of controllers and may pave the way for other states to follow suit in the hopes of passing a law that doesn’t harm businesses and make compliance feel unachievable.
About Ale Johnson
Ale Johnson is the Marketing Manager at Truyo.