Iowa Passes Comprehensive Consumer Privacy Law

PDF

This week, Iowa joins the ranks of states who have enacted comprehensive privacy legislation in the absence of a federal privacy law. Iowa’s Senate File 262 will go into effect on January 1, 2025.

What is Senate File 262?

Senate File 262 is a cross-industry privacy law that provides “consumers,” defined as Iowa residents, with certain privacy rights over their personal data. “Personal data” includes any information that is linked or reasonable linkable to an identified or identifiable natural personal. It does not include de-identified, aggregate, or publicly available data. Additional compliance requirements apply to more narrowly defined categories of “sensitive data” concerning children under 13 years of age.

Similar to the EU’s General Data Protection Regulation (“GDPR”), Senate File 262 utilizes a controller/processor distinction and imposes specific duties on the controllers and processors of personal data. A “controller" is a person that, alone or jointly with others, determines the purposes and means of processing personal data. A “processor” is a person that processes personal data on behalf of a controller.

What is the Scope of Senate File 262?

Senate File 262 applies to controllers and processors that:

• Conduct business in Iowa or produce products and services that are targeted to Iowa residents;

and, during the preceding calendar year, either:

• Controlled or processed personal data of at least 100,000 Iowa residents; or
• Controlled or processed personal data of at least 25,000 Iowa residents and derived over 50% of gross revenue from the sale of personal data.

Exemptions to Senate File 262 include nonprofit organizations, institutions of higher learning, institutions or data covered under the Gramm-Leach-Bliley Act (“GLBA”), the Health Insurance Portability and Accountability Act of 1996 (“HIPPA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), the Fair Credit Reporting Act (“FCRA”), the Family Education Rights and Privacy Act (“FERPA”), and information collected in an employment or business-to-business context.

What Are the Responsibilities of Controllers and Processors?

The duties of controllers include:

• Implementing reasonable administrative, technical, and physical data security practices to protect personal data;
• Publishing an accessible, clear, and meaningful privacy notice that discloses how the controller complies with the statute’s requirements;
• Limiting the processing of personal data to only what is reasonably necessary and proportionate to accomplish a specified purpose;

• Providing consumers with the right to access, delete, and obtain a copy of their personal data in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller;
• Providing consumers with a mechanism to opt out of targeted advertising or the sale of their personal data; and
• Providing consumers with a process for appealing the controller’s refusal to take action on a request.

Processors are required to assist the controller with meeting the above obligations, adhere to controller processing instructions, and agree to specific contractual terms governing any processing performed on behalf of the controller.

 How Will Senate File 262 Be Enforced?

 The Iowa Attorney General (“AG”) has exclusive authority to enforce Senate File 262. Prior to initiating any action, the AG is required to provide a controller or processor an opportunity to cure any alleged violations by providing 90-days written notice identifying the specific provisions the AG alleges have been or are being violated. If within the 90-day period, the alleged violations have not been cured, the AG may initiate an action and seek an injunction and civil penalties of up to $7,500 per violation. Senate File 262 does not permit a private right of action.

What Actions Should be Taken Now?

 While Senate File 262 will not take effect until 2025, businesses addressing compliance with other state privacy laws in California, Virginia, Colorado, Connecticut, and Utah can streamline their compliance efforts by assessing the applicability and requirements of Senate File 262 in conjunction with these other privacy laws.

If you have any questions about how Senate File 262 will affect your organization or for assistance with any other privacy issues your business is facing, contact a member of Maynard’s Cybersecurity and Privacy Team.

This Client Alert is for informational purposes only and should not be construed as legal advice. The information in this Client Alert is not intended to create and does not create an attorney-client relationship.