Iowa is joining the select club of states (California, Colorado, Connecticut, Utah, and Virginia) that have passed comprehensive consumer privacy legislation. Iowa’s legislation will go into effect on January 1, 2025, giving companies plenty of lead time to prepare for the changes. And that is the theme of the Iowa legislation: business-friendly. California is often touted as the most consumer-friendly, data-protective of the US privacy statutes, while Utah has taken a more business-centric approach that is seen as the least restrictive of the 5 that have already been passed. Iowa is similar to Utah in many ways, but it will have broader coverage than the Utah law, as explained below.
Iowa’s law applies to any organization that controls or processes the personal data of at least 100,000 Iowa residents—called “consumers” in the law—during a calendar year. A business could also be covered by the law if they control or process the personal data of at least 25,000 Iowans and derive 50% or more of their gross revenue from the sale of personal data.
Unlike California and Utah, Iowa does not have any thresholds related to a company’s revenue amount. This makes it more broadly applicable than Utah’s law, which requires that companies meet a revenue threshold as well as a threshold for the number of Utahns whose data they handle. We anticipate that the majority of companies covered by the Iowa law will be those that control or process the personal information of at least 100,000 Iowans.
Exempt Entities & Data
Some organizations will be entirely exempt from the coverage of the law, even if they do meet one of the thresholds described above. Those exemptions are for:
- Government entities;
- Nonprofit organizations;
- Higher education institutions;
- Financial institutions, their affiliates, and entities subject to the Gramm-Leach-Bliley Act; and
- Entities that are subject to and comply with the Health Information Technology for Economic and Clinical Health Act (HITECH) and/or the Health Insurance Portability and Accountability Act (HIPAA).
These organization exemptions are similar to those we have seen in other states that passed consumer privacy legislation.
There are also a number of types of data that are exempted from the law. This distinction will matter for institutions that are not exempt as a whole but that handle some categories of data that are exempt.
The collection, maintenance, disclosure, or sale of any information that is governed by certain federal statutes is exempt from Iowa’s new law. Those federal laws resulting in an exemption for the covered data include: the Fair Credit Reporting Act (FCRA), the Driver’s Privacy Protection Act, the Family Education and Privacy Rights Act (FERPA), and the Farm Credit Act. Health records and patient health information are also exempt, as is information collected from human test subjects in compliance with the various guidelines governing those activities.
Whose Data Are We Talking About?
When Iowa talks about a “consumer” in this law, it means a person acting as an individual, not as an employee, potential employee, contractor, or other type of business representative. Unlike California, Iowa draws a line between people acting in their personal and professional capacities. Emergency contact information and beneficiary information collected from your employees are also exempted. Keep in mind, of course, that these exemptions only apply so long as the employer uses the data solely for those employment-related purposes. If you start using your employees’ personal information to market to them or their beneficiaries, the exemption no longer applies.
Companies that “determine the purposes and means of processing” personal data are called controllers. That means they make the decisions about what personal information is collected and how it is used. They may engage “processors” to process personal data on their behalf. At the end of the day, there are more obligations for controllers than for processors because they have the ultimate responsibility for the data in the eyes of the law.
Like the less restrictive Utah law, Iowa’s law does not require organizations to perform risk assessments for any of their activities.
Controller obligations can be summarized as follows:
- Security: Controllers have to implement reasonable security measures to protect the confidentiality, integrity, and accessibility of the personal data they process. These measures should take into account the volume and nature of the data in question.
- Sensitive Data: Controllers must give consumers clear notice and an opportunity to opt out of the processing of their sensitive data for a non-exempt purpose. (Sensitive data of a known child must be processed in accordance with COPPA.)
- Nondiscrimination: Controllers cannot process personal information in violation of state and federal nondiscrimination laws. They are also barred from discriminating against consumers for the exercise of their privacy rights. However, they are allowed to offer consumers different prices if the differences are based on participation in “a bona fide loyalty, rewards, premium features, discounts, or club card program.”
- Privacy Requests: A controller shall establish secure and reliable means for consumers to submit privacy requests. The means should take into account the ways in which consumers normally interact with the controller, the need for security and reliability of communications, and the need for the controller to authenticate the requestor’s identity.
- Notice: Controllers have to provide consumers with a “reasonably accessible, clear, and meaningful” privacy notice. The notice should include:
  - The categories of personal data processed by the controller;
  - The purpose for processing personal data;
  - How consumers may exercise their privacy rights, including how to appeal a controller’s decision with regard to a privacy request;
  - The categories of personal data that the controller shares with third parties, if any;
  - The categories of third parties, if any, with whom the controller shares personal data;
  - Whether the controller sells personal data or participates in targeted advertising, as well as instructions for how to opt out of those processing activities; and
  - A description of the method whereby consumers should make their privacy requests.
In order to properly fulfill their obligations, controllers are also required to enter into data processing agreements with their processors, which are described in the Processor Obligations section below.
Processing data means “any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data.” Processing activities can include the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. Every controller in modern business uses a number of processors in order to accomplish its work. They range from email service and payment processing providers to ecommerce platforms and customer relationship management (CRM) systems.
Controllers governed by Iowa’s law will need to execute a contract with their processors before the processors can start processing any data on behalf of the controller. The contract should govern the processor’s handling of personal data by (1) giving clear instructions for processing, (2) describing the nature and purpose of the processing, (3) specifying the types of data that will be processed, (4) prescribing how long the data will be processed (remember that storage is a processing activity!), and (5) setting out the rights and duties of both parties. Contracts should also lay out procedures for retaining, deleting, and accessing the personal data. The contract must also require processors to engage subprocessors via a written contract that imposes the same duties on them. Importantly, processors are required to assist controllers in fulfilling their obligations under the law, including responding to privacy rights requests.
Iowans have new rights associated with the law. These closely track what we have seen in the other 5 states that have adopted consumer privacy regulations in the last several years. These are the right to access their data, delete their data, data portability, and to opt out of (1) the sale of their data or (2) the use of their data for targeted advertising. While these rights have become fairly standard, Iowa’s law does not afford a few other rights that other states have included. For example, Iowans will not have the right to correct their personal data or to opt out of the processing of their personal information for profiling purposes.
When controllers respond to consumer privacy requests, they will be able to claim the protection of a number of exemptions, just as in other states. A controller is allowed to deny requests, in whole or in part, (1) when complying with a privacy request would interfere with a company’s obligation to obey a state or federal law (for example, a deletion request regarding information legally required to be retained), (2) to preserve the integrity or security of systems, (3) to prevent or protect against illegal activity, (4) to exercise or defend legal claims, or (5) to provide a product or service requested by the consumer. There are a number of similar exceptions that mirror those seen in the other states.
Controllers are required to provide instructions in their privacy notices as to how consumers can exercise their privacy rights and submit requests. Controllers have 90 days to respond after receiving a request (twice as long as in other states, which give companies 45 days to respond in most situations). Controllers also have the ability to extend the response period by an additional 45 days depending on the complexity and number of requests (a common inclusion in data privacy laws, but unusual when attached to the already long 90-day period).
Iowa consumers will have the right to confirm that an organization has their data and to access that data.
As in other states, consumers will have the right to obtain a copy of their data in a portable and readily usable format that they could then send to another organization. This right applies “where processing is carried out by automated means” and only applies to information provided by the individual to the controller.
Iowans will also have the right to delete their data, but this right, like the right to portability, only applies to personal data that the individual provided to the controller (meaning that businesses could keep data they obtained from other sources, even after receiving a deletion request).
Consumers will have the right to opt out of the sale of their personal data. Iowa has been clear in stating that a sale does not include disclosure of the information to processors, in order to fulfill a consumer’s request, or to an acquiring or merging company.
Oddly, the right to opt out of targeted advertising is not listed in the rights section of the law, but the section outlining the duties of data controllers requires that controllers give consumers notice that the organization engages in targeted advertising and inform them how they may exercise the “right to opt out of such activity.” There does not appear to be any way to read the controller’s obligation to honor consumers’ requests to opt out of targeted advertising other than as granting that right.
Like in Colorado, Connecticut, and Virginia, Iowa consumers have the right to appeal denials of their privacy rights requests. The law requires controllers to set up a process to accept appeals within “a reasonable period” after receiving an adverse decision. Information about the appeal process must be “conspicuously available” and similar to the process for submitting other rights requests.
The controller will have 60 days after receiving an appeal to make a final decision and notify the consumer in writing of the final decision and the reasons for it. If the request is denied again, the controller must “provide the consumer with an online mechanism” allowing them to contact the Iowa Attorney General with a complaint. There are no further details about the “online mechanism” for submitting complaints to the AG that controllers must provide, so it is unclear if simply pointing consumers to the Iowa AG’s online form for submitting a complaint will be sufficient.
The Attorney General is the only entity with the authority to enforce the new law. There is no private right of action for any violations of the law, so citizens with concerns will have to go through the AG for assistance. Where the AG has reasonable cause to believe there may be a violation, they can issue an investigative demand. The AG will give a company written notice of any alleged violations, and the company will then have 90 days to cure problems. Companies that are still in violation after the cure period ends are subject to civil action by the AG. Fines will be $7,500 per violation, and all collections will go to the consumer education and litigation fund. At that stage, the AG can also enjoin activities that are in violation.
Iowa’s law is similar in many ways to those we have seen in other states. There are no novel rights afforded to consumers under Iowa’s law, and some rights we have seen in other jurisdictions are not included. Its cure period and long response windows also make it friendlier to business interests than some of the other states’ regimes. The law does not provide for any implementing regulations, so the statutory text will stand on its own.
We anticipate that adding Iowa to a company’s privacy operations will not be overly difficult for those businesses that are already running privacy programs for other US states.
SixFifty’s All-US Privacy tool allows users to generate top-tier, customized privacy documents that comply with all comprehensive data privacy legislation in states across the nation. It currently covers privacy laws in California, Virginia, Colorado, Connecticut, and Utah. Iowa’s regulations will be added to the tool at no additional cost to All-US Privacy customers. We closely monitor updates to privacy laws around the globe and will notify users when their documents need to be regenerated.
Schedule a free demo with SixFifty today!