With Governor Kim Reynolds signing S.F. 262 into law on March 29, 2023, Iowa became the sixth state to enact a comprehensive consumer privacy law. The text can be found here. The law goes into effect on January 1, 2025.
As with several of the other recently passed comprehensive state privacy laws, Iowa’s law adopts a General Data Protection Regulation-like controller and processor framework without including the most stringent of the European Union’s requirements. According to Governor Reynolds, the law provides consumers with "a reasonable level of transparency and control over their personal data."
Iowa’s law applies to companies doing business in the state that (i) control or process the personal data of at least 100,000 Iowa consumers or (ii) control or process the personal data of at least 25,000 Iowa consumers and derive over 50% of gross revenue from the sale of personal data. The law contains exclusions that are similar to the other recently enacted state comprehensive privacy laws in the United States, and, like those other laws (except California’s law, which now includes the personal data of employees and B-to-B contacts), Iowa’s law only covers the personal information of consumers. The rights extended to consumer data subjects under Iowa’s law include the right to delete the consumer’s data, the right to confirm what data is being processed and access that data, the right to obtain a copy of the consumer’s data, and the right for the consumer to opt out of data sales. Controllers have a generous 90-day period to respond to consumer rights requests, which can be extended for another 45 days if reasonably necessary. Also, Iowa controllers must have a written contract in place with each processor of personal data that fulfills a number of statutory requirements.
There is no private right of action under Iowa’s new law. Instead, the Iowa attorney general has sole enforcement authority. Controllers and processors have 90 days from receipt of notice from the attorney general to cure potential violations. Only then can the attorney general initiate an action seeking civil penalties of up to $7,500 per violation.
Overall, S.F. 262 is a fairly business-friendly privacy law that belongs on the same end of the spectrum as Utah’s law. Businesses should expect Iowa’s newly-elected Republican Attorney General, Brenna Bird, to take a conservative approach to enforcement. For more information about Iowa’s new privacy law or the other recently enacted comprehensive privacy laws in California, Virginia, Colorado, Connecticut, and Utah, please contact Christopher Dodson and Ben Mishkin.