Iowa Passed a Consumer Data Protection Law… So What?

September 18, 2023

By: Wesley M. Greder, Todd A. Van Thomme, Neal Westin

On March 28, 2023, Governor Kim Reynolds signed into law Senate File 262 (SF 262) after unanimous passage in the Iowa House and Senate. The bill goes into effect January 1, 2025. SF 262 provides comprehensive data privacy regulations, and in doing so Iowa joins California, Colorado, Connecticut, Indiana, Montana, Tennessee, Texas, Utah, and Virginia as one of ten states to enact comprehensive consumer data privacy laws. The risks of confidentiality breaches and data loss are higher than ever before in our rapid, ever-changing tech landscape. Accordingly, these laws are of crucial importance to both consumers and businesses.



Iowa Consumers… Why Should You Care?

Legal restrictions on the expansive power of those that collect consumer data, who are often called “controllers” and are people that determine the purpose and means of processing personal data, provide consumers with security and newfound confidence in both commerce and the rule of law. Under the new Iowa law, Iowa consumers and businesses share equally many desires for having a comprehensive consumer data protection law in place.


The new law allows Iowa consumers to:


  • Confirm whether the controller is processing the consumer’s data and request their data
  • Delete personal data provided by the consumer
  • Request copies of the consumer’s personal data
  • Opt out of the sale of the consumer’s personal data


Under the new Iowa law, those that collect data are required to respond to the inquiring consumer within 90 days of receipt of a request. This response period may be extended up to 45 days depending on the complexity of the request and the number of requests made by the consumer. Information provided in response to a request is free of charge to the consumer up to twice annually. However, if a request is “manifestly unfounded, excessive, repetitive, technically unfeasible, or the controller reasonably believes that the primary purpose of the request is not to exercise a consumer right,” a reasonable fee for the request may be assessed by the controller.


If the controller declines to act on a consumer request, the controller must inform the consumer of this decision and provide instructions to appeal. Within 60 days of receipt of an appeal, the controller must inform the consumer of action taken or not taken in response. If the appeal is denied, the controller must provide the consumer with means of filing a complaint with the Attorney General of Iowa.



Iowa Businesses… Why Should You Care?

As a consumer, of course you want to know who has access to your information and how it is being used and stored. However, Iowa’s new law is also critical to businesses’ data practices moving forward. Your business’s compliance with the new law will build trust with your customers as well as provide protection against potential data breaches. Company stakeholders (e.g., shareholders, customers, creditors, and the local community) will want to be assured that you are protecting information such as:


  • Employees’ personal information
  • Online and facility security protocols
  • Online banking information and software
  • Email and other messaging data
  • Intellectual property


Compliance with Iowa’s new law and transparency regarding the types of data stored by your business will assure your stakeholders that you are using their data in an ethical way.



Obligations of Iowa Businesses

Iowa businesses meeting one or both of the thresholds listed below have several compliance obligations regarding consumer data privacy. Perhaps the most important business requirements of Iowa’s new law are the provisions for consumer privacy notices. Businesses (as controllers) must provide all Iowa consumers with a privacy notice including the following:


  • Categories of personal data processed
  • Purpose for processing personal data
  • Process for consumers to exercise their consumer rights under the statute, including how a consumer may appeal a controller’s decision regarding a consumer request
  • Categories of personal data shared with third parties, and the identity of such third parties


The new Iowa law requires businesses to implement reasonable administrative, technical, and physical data security practices to protect consumer data. Businesses must not process sensitive consumer data (for a nonexempt purpose) without presenting the consumer with clear notice and an opportunity to opt out of such data processing. Importantly, “sensitive data” is defined as a category of personal data including (a) racial or ethnic origin, (b) religious beliefs, (c) mental or physical health diagnosis, (d) sexual orientation, or (e) citizenship or immigration status (except to the extent such information is used in order to avoid discrimination against a protected class). This category also includes (x) genetic or biometric data processed for uniquely identifying an individual, (y) personal data collected from a child, and (z) precise geolocation data.


If a business sells consumers’ personal data to third parties or engages in targeted advertising (defined as the display of certain advertisements to a consumer based on personal data obtained from the consumer’s online activities to predict the consumer’s preferences or interests), the business must clearly and conspicuously disclose such activity, along with the manner by which the consumer may opt out of such data sales or targeted advertising.


The new law also has implications on businesses’ contracting practices. Provisions in an agreement that waive or limit consumer rights laid out in Section 715D.3 of the new law will be unenforceable.



Who Must Comply?

Iowa’s new law applies to a party conducting business in Iowa or producing products or services targeted to individual Iowans and that does either of the following during a calendar year:


  • Controls or processes personal data of 100,000 or more individual Iowans
  • Controls or processes personal data of 25,000 or more individual Iowans and derives over 50% of gross revenue from personal data sales


Notably, the new law does not apply to personal data controlled or processed by: (1) the State of Iowa and its political subdivisions, (2) financial institutions or data subject to the Gramm-Leach-Bliley Act, (3) HIPAA-covered entities, (4) nonprofit organizations, or (5) higher education institutions. Iowa’s new law only applies to controllers, discussed above, and “processors,” defined as persons that process personal data on a controller’s behalf. The new law defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural purpose.” However, this definition excludes “de-identified or aggregate data or publicly available information.”  This is significant.  If the data is aggregated or publicly available the new law would not apply.



Consumer Data Processing Practices Moving Forward

There are three main things to do when crafting an approach to Iowa’s new law. You should first confirm whether your business is subject to the new law based on the volume of consumers for which it processes personal data. If so, your business (as a controller) will need to adopt and implement reasonable data security practices, consumer privacy notices, mechanisms for consumers to exercise their consumer rights, and a process for consumers to appeal your decisions regarding personal data usage.


Second, if the new law does apply, your business will be required to enter into contracts with any parties processing personal data performed on your behalf. These contracts shall delineate processing instructions, types of data subject to processing, duration of data processing, and the rights and duties of both the business and the processor. In this contract, your business will also need to ensure the processor (1) is subject to a duty of confidentiality with respect to the data, (2) deletes or returns all personal data to your business as requested, (3) demonstrates the processor’s compliance with SF 262, and (4) when engaging any subcontractor or agent, does so by a written contract binding the subcontractor or agent to comply with all applicable personal data requirements. Since processors act on behalf of controllers, it will be paramount that your business enacts appropriate risk mitigation measures when dealing with processors.


Finally, you must appropriately revise current privacy policies of the business, taking into account the obligations imposed on controllers in the new law. Updates to privacy policies should be communicated to consumers, making mention of implemented mechanisms by which consumers may exercise their consumer rights and appeal adverse decisions.


Iowa’s new law, SF 262, will take effect on January 1, 2025, as Chapter 715D of the Code of Iowa. For legal advice on current and future data privacy policies, please do not hesitate to contact your Nyemaster attorney.