With the governor signing SF 262 into law last week, Iowa became the sixth US state with a comprehensive privacy law. The law goes into effect January 1, 2025. It applicability is similar to other states’ laws. It applies to companies that do business in Iowa and either: (1) control or process personal data of at least 100,000 Iowans; or (2) derive over 50% of gross revenue from the sale of personal data and control or process personal data of 25,000 or more Iowans. These thresholds are calculated annually.
Key provisions include:
- Data subject rights. As with other states, Iowa residents will have rights of access, deletion, and portability. They can also opt out of the sale of their personal data. Like Utah, though, Iowa’s law does not give right of correction.
- A Limited Definition of Sale. Iowa follows the more limited definition of “sale” under the Virginia and Utah laws. Sale includes only exchanges of personal data for “monetary consideration.”
- Longer Time Period for Responding to Consumer Rights Requests. Businesses have the longest time frame under the Iowa law to respond to rights requests. They have 90 days to respond (unlike the initial 45 days granted by the other state privacy laws). That time frame can be extended by an additional 45 days.
- Processing of Sensitive Personal Data. Similar to Utah, Iowa’s law requires that businesses provide notice and the ability to opt out of the processing of sensitive personal data.
- Contracts with Processors. As with other states, businesses must enter into contracts with their personal data processors that contain certain required provisions.
- 90 Day Cure Period/No Private Right of Action. Businesses will have 90 days to cure alleged violations of the law before the state attorney general can bring an enforcement action. The law does not give a private right of action. Instead, following the 90 day cure period, the attorney general can bring an action and seek civil penalties of up to $7,500 for each violation.