Iowa: A Sixth State Privacy Law?

If Iowa Governor Kim Reynolds signs Senate File (SF) 262, the Hawkeye State will become the sixth state to adopt a comprehensive consumer privacy law. Iowa’s House and Senate have both passed Senate File 262 unanimously. If approved, SF 262 will go into effect January 1, 2025.

The potential addition of another state privacy law to those that are already on the books in California, Colorado, Connecticut, Utah, and Virginia is significant in its own right. However, SF 262 doesn’t provide any novel rights for consumers or requirements on companies. Rather, it stays within the boundaries established by other state privacy laws and closely resembles the Utah Consumer Privacy Act (UCPA), with a few additional business-friendly terms.

Broad Exemptions and Limited Controller Duties. SF 262 would provide consumers a rights to confirm processing of personal data; obtain a copy of personal data; delete personal data provided by the consumer; and opt-out of the Sale of personal data and Targeted Advertising.

However, SF 262 provides exemptions for all of these rights where pseudonymous data is involved – including the opt-out rights, which are not exempt in other states.

Like privacy laws in Utah and Virginia, SF 262 adopts a relatively narrow definition of Sale,” limiting the term to the exchange of personal data for monetary consideration. Targeted Advertising” is defined similar in terms similar to other state laws and excludes:

  • Ads based on activities within a controller’s own or affiliated websites or online applications.
  • Ads based on the context of a consumer’s search query, visit to a website, or online application.
  • Ads directed to a consumer in response to a consumer’s request for information or feedback.
  • Processing personal data solely for measuring or reporting advertising performance, reach, or frequency.

SF 262 also allows controllers to respond to consumer rights requests within 90 days – in contrast to the 45-day deadline in other states -- with an additional 45-day extension period.

Also omitted from SF 262 are an opt-in consent requirement for sensitive data, a right to correct, a duty to conduct privacy or security risk assessments, and a private right of action.

Sensitive Data. SF 262 also follows Utah’s approach in regulating sensitive data practices. Specifically, SF 262 requires clear notice and an opportunity to opt-out, in contrast to opt-in consent requirements for sensitive data in Colorado, Connecticut, and Virginia. SF 262 follows other states in defining sensitive data to mean personal data concerning the following categories: in other state laws: Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status (except to prevent discriminatory practices, genetic or biometric data that is processed for the purpose of uniquely identifying a natural person; the personal data from a known child; and precise geolocation data. Notably, SF 262 does not expressly mention inferences, or refer to personal data that reveals” any of the foregoing categories of information.

Enforcement. The Iowa Attorney General would have exclusive enforcement rights under SF 262 and would be able to obtain civil penalties of up to $7,500 per violation, regardless of intentionality. However, the AG would need to provide notice and allow a 90-day cure period before bringing an enforcement action against a controller or processor.