While momentum for a comprehensive federal privacy law remains sporadic, state legislatures continue to pass privacy laws to protect their citizens. Iowa recently signed into law a comprehensive privacy law, becoming the sixth state to do so. It will go into effect on January 1, 2025.
On March 28, 2023, Iowa Governor Kim Reynolds signed into law Iowa Senate File 262, making Iowa the sixth US state with a comprehensive consumer privacy law, joining California, Colorado, Connecticut, Utah, and Virginia. Similar to other state laws, Iowa’s new law grants Iowa citizens several privacy rights found in most modern laws—the right to access, delete, know, and opt out of the sale of personal information.
Notable differences from other recent privacy laws include:
• Iowa does not require opt-in consent for the collection of sensitive information.
• Iowa’s privacy law does not apply to employee (or job applicant) data produced or collected in an employment-related context.
• Iowa’s law does not grant consumers a private right of action or the right to correct data.
Senate File 262 applies to persons or entities that conduct business in Iowa, or sell their products and services to Iowans, and that meet one of two thresholds:
• They control or process personal data of 100,000 or more Iowa residents.
• They control or process personal data of 25,000 Iowans and derive over half their revenue from the sale of personal data.
Given that there are exemptions for entities governed by other privacy laws, state agencies, and financial institutions, the primary targets of the law are large, out-of-state companies.
Since there is no private right of action in S.F. 262, Iowans cannot bring lawsuits against companies that violate its requirements. They can report the company to the Iowa Attorney General, who, upon completion of an investigation, can assess penalties of up to $7,500 per violation. The Iowa Attorney General may also initiate its own investigation.
Iowa’s new law is yet another piece of fabric woven into the growing patchwork of comprehensive data privacy laws emerging in the US. If it wasn’t clear before, it’s now more important than ever for organizations to think strategically about their compliance approach. Specifically, organizations should consider whether it now makes sense to address data privacy compliance from a principles-based rather than a state-by-state approach. To answer that question, organizations should begin or update their data maps, privacy processes, and risk management framework to better understand how the Iowa law may impact them. More states will follow suit, and common trends and principles are now forming across the regulatory landscape that can help start the conversations that will allow organizations to take a more holistic approach to US privacy compliance.
While Iowa’s privacy law is new, several laws passed in the recent past are going into effect in 2023, including in California, Colorado, and Connecticut. If you want to make sure you’re able to comply with these laws, check out Exterro’s 3 C's Privacy Pack.