ADCG Guide: Iowa Data Privacy Bill
On March 28, the Iowa legislature unanimously approved a data privacy law, Senate File 262 (SF262). The law applies to any person or entity that conducts business in Iowa or produces products or services targeted at Iowa residents, controls or processes the personal data of at least 100,000 consumers, and controls or processes the personal data of at least twenty-five thousand Iowa consumers and derives over fifty percent of gross revenue from the sale of personal data. Read on if this sounds like you.
Consumer Rights Under SF262
Under SF262, consumers are allowed:
- To confirm whether a data controller is processing their personal data
- To request access to and obtain a copy of any of their personal data being processed by a data controller, except for “personal information” that was provided by the consumer to the data controller to be used for automated means
- To delete any of their personal data from a data controller’s information systems
- To opt out of the sale of their personal data
In order for a consumer to invoke the rights granted to them under SF262, they must submit a request to the data controller specifying which rights they would like to invoke. In turn, a data controller must comply with the request “without undue delay, but in all cases within ninety days of receipt of a request[.]” This ninety-day period may, however, be extended once by forty-five additional days “when reasonably necessary upon considering the complexity and number of the consumer’s requests,” so long as the consumer receives proper notice and information, as defined by the provisions of the Act.
If the data controller declines to take action pursuant to a consumer’s request, the data controller is required to inform the consumer “without undue delay” and provide instructions for appealing their decision.
There are limitations on a data controller’s obligation to respond to consumer requests. For instance, the data controller does not have to provide a no-fee response if the consumer has made more than two requests in a year, or if the consumer request “is manifestly unfounded, excessive, repetitive, technically infeasible, or the controller reasonably believes that the primary purpose of the request is not to exercise a consumer right[.]”
Data Controller Duties under SF262
Under SF262, a data controller is required to:
- “Adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data” which are “appropriate to the volume and nature of the personal data at issue”
- Refrain from processing sensitive consumer data without first presenting the consumer with opt-out instructions, unless the data is being processed for the consumer’s intended purpose
- Comply with state and federal laws when processing consumer data, including discrimination laws
- Provide consumers with a privacy notice that comports with SF262’s parameters
- Disclose to consumers when their personal data will be sold to third parties or used for targeted advertising, and give them an opportunity to opt out of the use of their data for these activities
- Provide consumers with a privacy notice that instructs consumers on how to exercise their rights under SF262
Processor Duties under SF262
Under SF262, a data processor shall assist a data controller in meeting obligations related to consumers’ rights requests, and the secure processing of consumers’ personal data.
Any contract between a data processor and a data controller must:
- Give clear instructions for processing personal data, the nature and purpose of processing, the type of data and duration of processing
- Ensure that consumer data processing remains subject to the duty of confidentiality
- Comply with a controller’s direction to “delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law” or the data controller is exempt from doing so under the provisions of SF262
- Provide a controller with all information possessed by the processor to demonstrate the processor’s compliance with SF262
- Ensure that all subcontractor or agent relationships are established via a SF262-compliant written contract
Enforcement of SF262
Under SF262, the Iowa Attorney General (AG) will have the exclusive authority to enforce SF262. The AG is required to provide the data controller or processor with 90 days’ written notice identifying the specific violations for which they are being investigated.
Notably, during this 90-day period, data controllers or processors will be given an opportunity to cure any violation of the Chapter and avoid any action being initiated against them by providing the AG with “an express written statement that the alleged violations have been cured and that no further such violations shall occur.”
If the data controllers or processors fail to cure the violation, they may face “an injunction to restrain any violations of this chapter and civil penalties of up to seven thousand five hundred dollars for each violation[.]”
Industry Insights on SF262
With the enactment of SF262, Iowa will join Colorado (Colorado Privacy Act), Connecticut (The Connecticut Data Privacy Act), Utah (Consumer Privacy Act), and Virginia (Virginia Consumer Data Protection Act) as one of the few states that have data privacy legislation.
The emergence of new state-level data privacy efforts has come with concerns from industry participants. According to Information Week, “many critics argue against the ‘patchwork’ approach of state-by-state legislation.” According to Andrew Clearwater, chief trust architect at OneTrust, “[t]he continuation of the current state-by-state trend means companies are increasingly complying with a complex and evolving patchwork of regulatory requirements.”
Despite these concerns surrounding “patchwork” compliance, Information Week points out that Iowa’s data privacy legislation shares many similarities with other state legislative efforts. The overlap in legislative requirements will allow companies with existing operations in both Iowa and one of these other four states to easily achieve compliance with SF262.
Not all cross-jurisdictional comparisons of SF262 have been positive, however. According to a statement in Information Week provided by Cobun Zweifel-Keegan, managing director at International Association of Privacy Professionals (IAPP), SF262 “lacks many of the features of the strongest state privacy laws. For example, Iowa’s inclusion of data rights for consumers does not include a right to correct data or a right to opt out of profiling.”
All criticisms aside, each of these industry participants can agree that the implementation of more data privacy legislation will be to the benefit of the citizens. According to Zweifel-Keegan, “comprehensive privacy laws like these enshrine the existing practices of the privacy profession into law. These laws clarify that our minimum standards for privacy are not just best practices, but legally enforceable by state attorneys general[.]”
Effective Date of SF262 and Next Steps
SF262 will go into effect on January 1, 2025. Covered Persons under the legislation should begin a review of their current data privacy practices and policies, and begin the process of updating these practices and policies to ensure compliance with SF262.