Iowa became the sixth state to enact a comprehensive consumer data privacy law when Governor Kim Reynolds signed Senate File 262 (S.F. 262) on March 28, 2023. The bill passed both chambers of the Iowa legislature unanimously and takes effect on January 1, 2025. The Iowa Consumer Data Privacy Law most closely resembles Utah’s law, the Utah Consumer Privacy Act (UCPA): both take a business-friendly approach, with a limited set of consumer rights, opt-out rather than opt-in consent, and enforcement reserved to the state attorney general.
Overview of the Iowa Consumer Data Privacy Law
Organizations that handle the personal data of Iowa residents should understand the following before the effective date:
Scope of the Law
The Iowa Consumer Data Privacy Law applies to any person that conducts business in Iowa or targets products or services at Iowa residents and that, during a calendar year, either (a) controls or processes the personal data of at least 100,000 consumers, or (b) controls or processes the personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data. There is no stand-alone revenue threshold of the kind the CCPA uses ($25 million), so a high-revenue business with a small Iowa customer base may fall outside the law while a low-revenue data broker falls inside it. A “consumer” is an Iowa resident acting in an individual or household context; people acting in an employment or commercial (business-to-business) context are excluded. Nonprofits, institutions of higher education, financial institutions subject to the GLBA, and HIPAA covered entities and business associates are exempt at the entity level.
Personal Data Definition
The law defines personal data as any information that is linked or reasonably linkable to an identified or identifiable natural person. De-identified data, aggregate data and publicly available information are excluded. In practice the definition reaches the obvious direct identifiers (names, postal and email addresses, phone numbers, Social Security numbers) and also data that identifies a person only in combination with other data points, such as IP addresses, device identifiers, geolocation data and browsing history. The familiar term “personally identifiable information (PII)” is not the statute’s term, and the statutory definition is broader than most PII lists.
Key Provisions of the Iowa Consumer Data Privacy Law
To better understand the implications of this legislation, it is essential to examine the key provisions that define consumer rights, outline business obligations, and establish enforcement mechanisms within the Iowa Consumer Data Privacy Law.
The Iowa Consumer Data Privacy Law grants consumers several rights over their personal data. They resemble rights found in other state privacy laws and in the European Union’s General Data Protection Regulation (GDPR), but the Iowa set is narrower: there is no right to correct inaccurate data and no right to opt out of profiling. The rights you need to know about include:
1. Right to Access
Consumers have the right to confirm whether a controller is processing their personal data and to access that data. Controllers must respond within 90 days of receiving a request, longer than the 45 days most other state laws allow, and may extend once by a further 45 days when reasonably necessary, provided they tell the consumer about the extension and the reason within the initial period. Responses are free of charge up to twice a year per consumer; for requests that are manifestly unfounded, excessive or repetitive, the controller may charge a reasonable fee or decline, and it bears the burden of showing that the request is one of those. Controllers must also use commercially reasonable efforts to authenticate the requester before disclosing anything, so an access workflow that releases data on nothing more than a matching email address is itself a disclosure risk.
2. Right to Deletion
Consumers have the right to have a controller delete personal data that the consumer provided to it. Unlike the GDPR, the right does not reach data the controller obtained from other sources or inferred. The same 90-day response window applies, and the law carves out data the controller needs to complete a transaction the consumer requested, to comply with a legal obligation, to prevent, detect or respond to security incidents and fraud, and for a handful of other enumerated purposes.
3. Right to Data Portability
Where processing is carried out by automated means, consumers can obtain a copy of the personal data they previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that lets them transmit it to another controller without hindrance. Controllers must fulfill the request within the same 90-day window and, as with access requests, free of charge up to twice a year.
4. Right to Opt Out
Consumers can opt out of the sale of their personal data. Iowa defines “sale” narrowly as an exchange of personal data for monetary consideration, so sharing for “other valuable consideration” (the CCPA’s broader test) is not a sale here. A controller that sells personal data or engages in targeted advertising must clearly and conspicuously disclose that it does so and how the consumer can opt out. The statute does not prescribe link text; a “Do Not Sell My Personal Information” link of the kind the CCPA requires satisfies it, as long as the mechanism actually stops the sale of that consumer’s data once a valid request is received.
5. Right to Non-discrimination
Controllers may not discriminate against consumers for exercising their rights: they cannot deny goods or services, charge different prices or rates, or provide a different level of quality on that basis. The law does allow different prices, rates or quality where a consumer has voluntarily joined a bona fide loyalty, rewards, premium features, discounts or club card program, and it does not require a controller to provide a product or service that needs personal data the controller does not have.
Alongside these consumer rights, the Iowa Consumer Data Privacy Law imposes obligations on controllers (the businesses that decide why and how personal data is processed) and, through required contracts, on the processors that act on their behalf. These obligations aim to ensure that personal data is handled responsibly and transparently.
1. Transparency and Notice
Controllers must publish a reasonably accessible, clear and meaningful privacy notice that states the categories of personal data processed, the purposes of processing, how consumers can exercise their rights, the categories of personal data shared with third parties, and the categories of those third parties. If the controller sells personal data or uses it for targeted advertising, the notice must say so and explain how to opt out. The notice must describe what the business actually does: a notice that promises less collection or sharing than occurs in practice creates a separate consumer-protection exposure.
2. Data Minimization and Purpose Limitation
Unlike the Virginia, Colorado and Connecticut laws, Iowa’s statute does not impose explicit data minimization or purpose limitation duties on controllers. They remain sound practice and are worth adopting anyway: the less personal data a business holds, and the fewer purposes it is used for, the smaller the impact of a breach, the simpler an access or deletion response, and the less there is to secure.
3. Data Security
The Iowa Consumer Data Privacy Law requires controllers to adopt and implement reasonable administrative, technical and physical data security practices to protect the confidentiality and integrity of personal data, appropriate to the volume and nature of the data at issue. The statute does not name specific controls; in practice those practices typically include encryption at rest and in transit, pseudonymization of identifiers, least-privilege access controls, logging, and regular security assessments. Keeping data encrypted also matters under Iowa’s separate breach notification statute, which treats the compromise of encrypted data, where the key was not also taken, as outside its definition of a breach.
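The following Python example is added here and is not part of the original article or of any Kiteworks product. It shows why the pseudonymization that control lists mention only helps when it is keyed. It builds a small constructed table of customer records, replaces the email identifier with an HMAC-SHA256 pseudonym under a key held apart from the table, and then models two things a practitioner cares about: an attacker who obtains the table can recover identities from an unkeyed SHA-256 “token” by guessing plausible email addresses, but cannot from the keyed one; and the business can still answer an access or deletion request for a named consumer by recomputing the pseudonym rather than storing the email. The records, guesses and key are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the people and addresses are invented for this example.
RECORDS = [
    {"email": "Ann@Example.com", "zip": "50309", "purchases": 3},
    {"email": "bob@example.com", "zip": "52240", "purchases": 1},
    {"email": "ann@example.com", "zip": "50309", "purchases": 2},
]


def normalize(identifier: str) -> str:
    """Canonicalise an identifier so 'Ann@Example.com ' and 'ann@example.com' map together."""
    return identifier.strip().lower()


def naive_token(identifier: str) -> str:
    """The weak form: an unkeyed hash. Anyone who can guess the input can recompute it."""
    return hashlib.sha256(normalize(identifier).encode()).hexdigest()


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Without `key` the token cannot be recomputed from a guess."""
    return hmac.new(key, normalize(identifier).encode(), hashlib.sha256).hexdigest()


def pseudonymize(records: list[dict], key: bytes) -> list[dict]:
    """Replace the direct identifier with a keyed pseudonym; keep only the fields the purpose needs."""
    return [
        {"pid": pseudonym(r["email"], key), "zip": r["zip"], "purchases": r["purchases"]}
        for r in records
    ]


def records_for(table: list[dict], identifier: str, key: bytes) -> list[dict]:
    """Serve an access or portability request by recomputing the pseudonym, not by storing the email."""
    pid = pseudonym(identifier, key)
    return [r for r in table if r["pid"] == pid]


def delete_records(table: list[dict], identifier: str, key: bytes) -> list[dict]:
    """Serve a deletion request the same way; returns the table with that consumer's rows removed."""
    pid = pseudonym(identifier, key)
    return [r for r in table if r["pid"] != pid]


def dictionary_attack(tokens: list[str], guesses: list[str], token_fn) -> dict[str, str]:
    """Model an attacker holding a leaked table: recompute tokens for guessed identifiers
    and return {token: identifier} for every hit."""
    wanted = set(tokens)
    recovered = {}
    for guess in guesses:
        token = token_fn(guess)
        if token in wanted:
            recovered[token] = normalize(guess)
    return recovered


if __name__ == "__main__":
    # In production the key lives in a KMS/HSM, never in the same store as the table.
    key = secrets.token_bytes(32)
    table = pseudonymize(RECORDS, key)
    guesses = ["ann@example.com", "bob@example.com", "carol@example.com"]  # attacker's guess list

    leaked_naive = [naive_token(r["email"]) for r in RECORDS]
    print("unkeyed tokens recovered:", sorted(dictionary_attack(leaked_naive, guesses, naive_token).values()))
    # The attacker does not have `key`, so the best they can do is HMAC under a guessed key.
    print("keyed tokens recovered:", dictionary_attack([r["pid"] for r in table], guesses,
                                                       lambda g: pseudonym(g, b"attacker-guess")))
    print("access request for ann:", records_for(table, "ANN@example.com", key))
    print("rows left after deleting ann:", len(delete_records(table, "ann@example.com", key)))
```

Keep the HMAC key in a KMS or HSM and out of the datastore that holds the table; if both leak together the pseudonymization is worth nothing, and rotating the key means re-pseudonymizing the table. Normalizing the identifier before hashing is what lets a request for “ANN@example.com” find rows stored under “ann@example.com”, which matters when a 90-day response clock is running.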
4. Data Breach Notification
The Iowa Consumer Data Privacy Law itself contains no breach notification provisions; those sit in Iowa’s existing breach notification statute, Iowa Code chapter 715C, which applies to breaches of computerized personal information whether or not the business meets the privacy law’s thresholds. After a breach that compromises the security, confidentiality or integrity of personal information, the following notifications are required:
a. Notification to Affected Consumers
Businesses must notify affected Iowa residents in the most expeditious manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and with any measures necessary to determine contact information and the scope of the breach and to restore the integrity of the affected systems. The notice must include:
- A description of the breach and its approximate date
- The types of personal information obtained
- Contact information for consumer reporting agencies, and advice to report suspected identity theft to local law enforcement or the Attorney General
- As a matter of good practice, any steps the business has taken to mitigate the impact
This requirement ensures that consumers learn of the breach early enough to take protective steps of their own.
b. Notification to Iowa Attorney General’s Office
If the breach affects more than 500 Iowa residents, the business must also give written notice to the director of the consumer protection division of the Iowa Attorney General’s Office within five business days after giving notice to the affected consumers. Iowa sets no fixed day count for the consumer notice itself, so the practical clock is the “without unreasonable delay” standard; record the dates of discovery, containment and each notification so the timeline can be defended later. Reporting to the Attorney General’s Office enables oversight and lets the state track breach trends and enforce the law.
c. Ongoing Communication With Affected Consumers
Businesses should maintain ongoing communication with affected consumers, providing updates on the investigation and further steps they can take to protect themselves. This may include offering identity theft protection services or helping consumers place a credit freeze with the consumer reporting agencies.
d. Data Breach Response Plan
Businesses should have a comprehensive data breach response plan in place before they need it. The plan should set out the steps to take on discovering a breach: identifying the cause, containing it, preserving evidence, determining whether the affected data was encrypted and whether the key was exposed (which decides whether 715C’s notification duty is triggered at all), notifying affected consumers and authorities, and implementing measures to prevent recurrence.
5. Data Protection Officer
Unlike the GDPR, the Iowa Consumer Data Privacy Law does not require businesses to appoint a Data Protection Officer (DPO). What it does require is a written contract with every processor that sets out processing instructions, the nature and purpose of processing, the type of data and the duration of processing, and that obligates the processor to keep the data confidential, to delete or return it when the engagement ends, to make the information needed to demonstrate compliance available to the controller, and to engage subcontractors only under equivalent terms. Designating an internal owner for privacy requests and processor contracts is still sensible: the 90-day response clock does not pause while a business works out who is responsible.
Enforcement and Penalties
The Iowa Attorney General has exclusive authority to enforce the Iowa Consumer Data Privacy Law. Before bringing an action, the Attorney General must give the business written notice of the alleged violation and a 90-day cure period; only if the violation is not cured within that time (or the business breaches a written statement that it has been cured) may the Attorney General sue, seeking an injunction and civil penalties of up to $7,500 per violation. Unlike California’s law, the cure period does not expire, and there is no private right of action: consumers cannot sue for statutory damages under this law.
Comparison With Other State Privacy Laws
While the Iowa Consumer Data Privacy Law shares much with other state privacy laws, such as the California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (VCDPA), there are notable differences, including the following:
1. Opt-out, Not Opt-in, for Sensitive Data
Iowa is less demanding than Virginia, Colorado and Connecticut on sensitive data. Those laws require opt-in consent before processing it; Iowa requires only that the controller give clear notice and an opportunity to opt out before processing sensitive data (for the data of a known child, processing must follow COPPA). Sensitive data covers racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed to uniquely identify an individual, personal data collected from a known child, and precise geolocation data. The CCPA takes a third approach, giving consumers a right to limit the use of their sensitive personal information rather than an opt-in or a general opt-out.
2. No Private Right of Action
The CCPA gives consumers a limited private right of action, confined to breaches of unencrypted, non-redacted personal information caused by a business’s failure to maintain reasonable security. The Iowa Consumer Data Privacy Law provides no private right of action at all, for breaches or otherwise; enforcement rests solely with the Attorney General.
3. Data Protection Assessments
Unlike the VCDPA and the Colorado and Connecticut laws, the Iowa Consumer Data Privacy Law does not require data protection assessments for high-risk processing such as targeted advertising, the sale of personal data, or the processing of sensitive data. Businesses must still implement reasonable security practices, maintain processor contracts, and be able to show the Attorney General how they process personal data; an internal data inventory serves that purpose even though the statute does not mandate one.
Preparing for Compliance With the Iowa Consumer Data Privacy Law
Businesses that fall under the jurisdiction of the Iowa Consumer Data Privacy Law should begin preparing for compliance well in advance of the law’s effective date. Some steps businesses can take to ensure compliance include:
- Conducting a data inventory to identify the types of personal data collected, processed, and stored, the purposes for which the data is used, and which processors and third parties receive it
- Reviewing and updating privacy policies and notices to ensure they accurately describe the business’s data practices and inform consumers of their rights under the law
- Implementing processes to authenticate and respond to consumer requests (access, deletion, portability and opt-out) within the 90-day statutory window, including tracking the one permitted 45-day extension
- Evaluating and enhancing data security measures to protect personal data from unauthorized access, disclosure, or destruction
- Training employees on the Iowa Consumer Data Privacy Law requirements and the importance of data privacy and security
How Kiteworks Can Help You Prepare for the Iowa Consumer Data Privacy Law
The Kiteworks Private Content Network (PCN) enables organizations to demonstrate compliance with data privacy regulations like the Iowa Consumer Data Privacy Law. Kiteworks unifies, tracks, controls, and secures sensitive content communications—email, file sharing, managed file transfer (MFT), web forms, and application programming interfaces (APIs). This includes a comprehensive audit trail used for tracking and reporting who accesses sensitive content, who edits it, to whom it is sent or shared and if they opened it, and where it is sent and shared.
Some of the capabilities Kiteworks customers find useful include:
- Understand where personal data is stored across your organization’s systems and infrastructure.
- Implement secure content access controls to ensure only authorized individuals can access personal data.
- Track user activity and maintain an audit trail of data processing activities, consumer requests, and responses.
- Secure personal data with strong encryption, including double encryption and the Kiteworks Email Protection Gateway (EPG) that makes email encryption invisible to end-users.
- Streamline regulatory compliance reporting by automating the generation of required documentation and reports.
For more information on how Kiteworks can help your organization comply with the Iowa Consumer Data Privacy Law and other data privacy regulations, schedule a custom demo today.