
Privacy on the Prairie: Iowa’s New Consumer Data Privacy Law

By Tom Finan | April 10, 2023


Iowa’s consumer data privacy legislation, Senate File 262, passed the state’s House and Senate unanimously in March 2023 and was signed into law by Governor Kim Reynolds on March 28, 2023. The law imposes significant requirements on companies processing the personal data of Iowa consumers. Unlike its counterparts in other states, however, the law appears more “business friendly” in several key respects. Clients should engage their cyber insurance brokers now about how their policies would respond to claims brought under the law on or after its January 1, 2025 effective date.

What the New Law Does

The law protects both the “personal data” and “sensitive data” of Iowa consumers. Like other state consumer privacy laws, it defines “personal data” to mean any information that is linked or reasonably linkable to an identified or identifiable natural person. The law defines “sensitive data” to mean racial or ethnic origin, religious belief, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify a person; children’s personal data; and precise geolocation data.

The law applies to companies doing business in the state, or otherwise targeting Iowa consumers, if they control or process the personal data of (1) at least 100,000 Iowa consumers; or (2) at least 25,000 Iowa consumers and derive 50% of their revenue from the sale of personal data. Unlike laws in other states, Iowa’s does not include a revenue threshold. All companies that meet the above requirements accordingly must comply by providing Iowa consumers with a privacy notice that describes:

  • The categories of personal data they process
  • The purpose for processing
  • How consumers can exercise their consumer rights (including appeal rights)
  • The categories of personal data they share with third parties (if applicable); and
  • The categories of third parties, if any, with whom they share personal data

Under the law, data “controllers” must have contracts in place with their “processors” that include clear instructions for processing personal data, the nature and purpose of the processing, the type of data subject to processing, the duration of processing and the rights and duties of both parties. The required contracts also must specify processes for retention, deletion, access, and subcontractor accountability.

The law also requires companies subject to its provisions to adopt reasonable data security practices, to not retaliate against a consumer exercising their consumer rights, to disclose their data practices, and to establish a consumer appeals process. Unlike in other states, however, the law does not establish collection limitations or data minimization principles or require that covered entities conduct data protection impact assessments.

Consumer rights

The law gives consumers the right to (1) confirm whether their personal data is being processed and to access such data; (2) delete personal data provided by the consumer; (3) obtain personal data in a portable and shareable format (except when such data is subject to security breach protection); and (4) opt out of the sale of personal data and targeted advertising. The opt-out right for targeted advertising, however, is not entirely explicit. The law instead cryptically requires companies engaging in targeted advertising to “clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.”

The law does not provide for a private cause of action. Instead, it designates the Iowa Attorney General as its exclusive enforcer. Before the Attorney General can act on a consumer rights request, however, entities alleged to have violated the law have 90 days to cure and may request a 45-day extension to do so “when reasonably necessary.” Following that period, the Attorney General can seek injunctive relief and impose up to $7,500 in fines per violation.

Fewer business burdens

Unlike other recently enacted state consumer privacy laws, Iowa’s new law does not establish a consumer right to correct inaccurate information. It likewise does not establish a consumer right to delete information that has been collected or bought from third party sources.

The law also does not require companies to obtain affirmative consent for any processing activities. Instead, when it comes to “sensitive data,” it requires companies to provide (1) notice to consumers that their data will or could be processed; and (2) an opportunity for consumers to opt out. In short, Iowa places the burden on individual consumers to affirmatively shield their information from use by companies. If they don’t, companies can use that data freely. A number of items of note:

  • This “notice and opt out” approach departs significantly from state consumer privacy laws in Colorado, Connecticut, and Virginia that require affirmative consent from consumers.
  • Iowa consumers cannot exercise their opt-out right through an “authorized agent” – a third party authorized by a consumer to submit access, deletion, correction, or other requests on their behalf.
  • Companies may deny an opt-out request if they are unable to authenticate it using “commercially reasonable efforts.” In other words, if they can’t confirm that the request is coming from an actual consumer exercising his or her rights under the law, they can continue to use the collected personal data.

The only exception to Iowa’s notice and opt-out approach arises with children’s data, the processing of which must comply with the Children’s Online Privacy Protection Rule (COPPA). Specifically, Iowa does follow the approach taken by Colorado, Connecticut, and Virginia, which require opt-in consent for the collection of personal data from a user known to be under 13 years of age.

In addition, the law adopts a narrow definition of “sale” to mean the exchange of personal data for monetary consideration. Other states – including California, Colorado, and Connecticut – extend the definition of “sale” to include “other valuable consideration” (i.e., other benefit). Iowa’s definition accordingly further shrinks the pool of personal data subject to the law’s purview.

Finally, the law specifically exempts “pseudonymous data” – personal data that cannot be attributed to a specific natural person without additional information – from its reach. In short, Iowa consumers have no right to confirm processing of such data, to obtain a copy of it, to have it deleted, or to opt out of its sale or use for targeted advertising. These exemptions do not exist in other states.

What should you do?

The Iowa consumer data privacy law’s compliance requirements are similar to those imposed by other states, albeit less stringent in several ways. Companies should review their privacy policies and procedures now to prepare for the legislation’s January 1, 2025 effective date. Companies likewise should work with their brokers to ensure that their cyber insurance policy provides coverage for the defense of privacy regulatory claims and related awards and fines stemming from the Iowa law and other similar state laws.

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).

Author

FINEX Cyber/E&O