Iowa Data Privacy Law

The Iowa Data Privacy Law was signed into law on March 28, 2023. It will take effect on January 1, 2025.

This article explains what the law aims to accomplish, who it applies to, what it requires, and offers strategies for compliance.

What is the Iowa Data Privacy Law?

The Iowa Data Privacy Law, officially signed into legislation by Governor Kim Reynolds on March 28, 2023, is a comprehensive consumer privacy regulation set to take effect on January 1, 2025.

This law positions Iowa alongside other states such as California, Utah, Colorado, Connecticut, and Virginia, all of which have implemented similar consumer privacy regulations.

Although Iowa has a history of proposing privacy bills, dating back to its first attempt in 2020, it wasn't until 2023 that privacy legislation truly took hold in the state. The Iowa Data Privacy Law ensures that organizations operating within the state are held accountable for protecting the data privacy of its over 3 million residents.

You should be aware that while the new law incorporates many elements found in other state privacy laws, organizations must account for a few critical differences in their U.S. compliance efforts.

With a 21-month window to achieve compliance, businesses need to familiarize themselves with the specific requirements of the Iowa Data Privacy Law and make the necessary adjustments to their data protection practices.

Who Does the Iowa Data Privacy Law Apply to?

The Iowa Data Privacy Law is designed to protect the personal information of Iowa residents. It imposes specific requirements on certain businesses and organizations that handle personal data.

To help you understand if your business or organization falls within the scope of the law, consider the following criteria:

The law applies to data controllers and processors.

A data controller is an entity or person who specifies the purpose and means of processing personal data.
A data processor is an entity or person that processes personal data on behalf of a controller.

Businesses and organizations subject to the law must either:

Conduct business in Iowa, or
Produce services or products targeted to Iowa residents

Additionally, during a calendar year, these organizations or businesses must satisfy at least one of the following criteria:

Control or process the personal data of no less than 100,000 Iowa residents, or
Control or process no fewer than 25,000 Iowa residents' personal data, and derive more than 50% of their total revenue from the sale of personal data

It is crucial to note that the Iowa Data Privacy Law doesn't have a revenue threshold for entities subject to privacy obligations.

Unlike Utah and California, an organization does not fall within the scope of the Iowa law through reference to a revenue threshold. All organizations that meet the above requirements must comply.

Exempted Information

The following types of personal data are exempt from the Iowa privacy law, as existing federal laws already cover them:

Health Insurance Portability and Accountability Act (HIPAA)
Children's Online Privacy Protection Act (COPPA)
Family Educational Rights and Privacy Act (FERPA)
Driver's Privacy Protection Act (DPPA)
Farm Credit Act

Additionally, the law exempts:

Health records
Research data about human subjects covered by federal law or other standards
Data processed or maintained for employment purposes
Exempted Entities

The Iowa privacy law also exempts specific entities from its requirements.

Exempted Entities

The law does not apply to the following:

Government entities
Financial institutions and their affiliates, and entities subject to the Gramm-Leach-Bliley Act
Entities subject to and compliant with the Health Information Technology for Economic and Clinical Health (HITECH) Act and/or HIPAA
Nonprofit organizations
Higher education institutions

What Consumer Rights are Protected by the Iowa Data Privacy Law?

The Iowa Data Privacy Law aims to protect consumers' rights by providing them with control over their personal data. The law grants four main rights to Iowa residents, referred to as "consumers."

Right to access: Consumers have the right to see and confirm if a controller is processing their personal data. Similar to Connecticut's law, there is an exception for data that would reveal trade secrets.
Right to delete: Consumers can request the deletion of personal data they provided to the controller. This right is narrower than the rights granted under Connecticut and Colorado privacy laws, as it does not include the ability to delete personal data obtained from other sources.
Right to data portability: Consumers can obtain a copy of their personal data provided to the controller, except when subject to security breach protection or when the data is already in a portable and readily usable format. This right is similar to Virginia's law, which also limits the right to consumer-provided data.
Right to opt out of sales: Consumers can opt out of the sale of personal data. The law defines "sale" in a specific manner and states that opt-out rights do not apply to pseudonymous data, which is personal data that cannot be attached to a specific person without additional information. Iowa's opt-out rights for pseudonymous data differ from those in Colorado, Connecticut, Virginia, and Utah.

Disclose these rights in your Privacy Policy, like so:

Waitrose Privacy Policy: Overview of user rights clause mentioning right to withdraw consent

While the law does not explicitly grant the right to opt out of targeted advertising, it requires controllers engaged in targeted advertising to clearly disclose their activities and provide consumers with a means to opt out.

To exercise their rights, consumers must submit a request to the controller, specifying the rights they wish to invoke in the manner described in the controller's Privacy Notice (Privacy Policy).

Controllers have 90 days to respond, with a possible 45-day extension, depending on the complexity and number of requests.

Consumers' personal data is further protected by the Iowa Data Privacy Law, which also gives them the ability to challenge a controller's denial of their requests.

Complying with the Iowa Data Privacy Law

Under the Iowa Data Privacy Law, businesses or "controllers" must adhere to specific obligations related to the processing of personal data. These obligations include the following.

Purpose Limitation

Controllers can only process personal data that is reasonably required and proportional to the purposes listed in the Iowa Data Privacy Law, ensuring the data is relevant, adequate, and limited to what is necessary for the specified purposes.

For example, University 365 lets users know in its Privacy Policy that it's obligated by law to only collect limited data that's necessary for specified purposes:

University 365 Privacy Policy: GDPR Processing clause excerpt

Data Security

Controllers must implement reasonable technical, administrative, and physical data security practices to guard the integrity, confidentiality, and availability of personal data on the basis of the nature and volume of the data.

Notice that Amazon details the security measures it implements to protect its users personal data within its Privacy Policy as seen below:

Amazon Privacy Notice: How Secure Is Information About Me clause

Consent Requirements

The law requires controllers to obtain clear, affirmative consent from consumers for processing their personal data, with certain restrictions on processing sensitive data and additional requirements for children's data.

One of the most effective ways to gain clear, affirmative consent of users is through a clickwrap agreement. This is a type of online legal contract used by websites, software, and mobile applications to obtain active consent from users regarding their Terms of Service, Privacy Policies or other agreements.

In a clickwrap agreement, you, as the user, are required to actively acknowledge and accept the terms presented by clicking a button, checking an "I Agree" checkbox, or taking an active step towards a visual indicator.

This active consent ensures that you have been made aware of the contract terms and have agreed to them before proceeding with the use of the service or product.

Here's an example:

American Airlines Agree to Terms checkbox

And another:

Generic Create Account form with I Agree checkbox highlighted - example

By clicking "Accept" or a similarly labeled button, you actively consent to the terms and conditions laid out in the agreement, which governs how Facebook may use and share your personal data, as well as other aspects of their service.

Nondiscrimination

Controllers are forbidden from processing personal data in breach of state and federal laws that prohibit unlawful discrimination against consumers and cannot make a distinction against consumers for exercising their rights under the privacy law.

Apple has a clause in its Privacy Policy addressing compliance with regulations prohibiting unlawful discrimination against consumers. In the "Your Rights" section of Apple's Privacy Policy, the company writes the following:

"... if you choose to exercise these privacy rights, you have the right not to be treated in a discriminatory way nor to receive a lesser degree of service from Apple."

Apple Privacy Policy: Your Privacy Rights at Apple clause

Transparency

Controllers must provide a clear and meaningful Privacy Policy that includes:

The categories of personal data processed
The reason why personal data is processed
How to utilize your rights as a consumer and challenge a controller's judgment
The types of personal data that may have been disclosed to other parties
The kinds of third parties, if any, with whom personal data is shared

Include this information in clauses, similar to this one:

Cluse Privacy Policy: Personal Data - Which Data and Why clause

Make sure the information is well-organized and easy to read. Consider formatting styles like charts to help with readability. Here's an example of this:

Molson Coors Privacy Policy: Information collected chart excerpt

Data Processing Contracts

Controllers must have contracts with their processors outlining the details of processing personal data, including the rights and duties of both parties and processes for retention, deletion, access, and subcontractor accountability.

Here's an example from Southeast Dental Solutions where the company spells out the fact that it contracts with third parties regarding the use of personal data:

Southeast Dental Solutions: Third party processors section

Updated Privacy Policy

Always keep your Policy up to date, and regularly update your rules to reflect any changes in the ways you process personal data. Make customers aware of any new rights they have, and how they may use those rights.

You can include a clause in your Privacy Policy that lets users know you may update the Policy from time to time, and how that will be handled, as seen here:

Baremetrics: The Privacy Policy Changes clause

Here's how users can be made aware of new rights:

POM Wonderful Privacy Policy: How You Can Access and Update Information clause

You can also let users know about actual updates and material changes in a notice like the following:

Bridgecrest updated Privacy Notice email

Learn more about this process in our article: Best Practices for Material Updates to Your Privacy Policy

How Will the State of Iowa Enforce Compliance With the Law?

Understanding the enforcement mechanisms of the Iowa Data Privacy Law is crucial for businesses and organizations operating within the state.

Similar to privacy laws in Colorado, Connecticut, Virginia, and Utah, the Iowa privacy law lacks a private right of action, granting exclusive enforcement power to the attorney general. Here's a breakdown of how the enforcement process works:

Civil Investigative Demands: The attorney general enforces the act using civil investigative demands, which are legal requests for information or documents from a party alleged to have violated the law.
Written Notice: Before taking any further action, the attorney general must send a written notice to the violating party detailing the specific violations.
90-Day Cure Period: The violating party has 90 days to remedy the listed violations, after which they must notify the attorney general of the cure and provide a statement affirming that no further violations will occur.
Civil Proceedings: If the controller or processor fails to cure the violations within the allotted time or continues to violate the law after submitting their statement, the attorney general can begin civil proceedings against them.
Fines: Controllers or processors found to be in violation of the Iowa privacy law are subject to a fine of USD 7,500 per violation. These fines are paid into the consumer education and litigation fund, which supports consumer protection initiatives.

Checklist for Compliance With the Iowa Data Privacy Law

To ensure compliance with the Iowa Data Privacy Law, follow this checklist:

Determine if the Iowa Data Privacy Law applies to your company. Confirm whether your entity meets the jurisdictional threshold, which specifically does not include a minimum revenue threshold.
Update your Privacy Policy. Revise your policy to reflect personal data processing activities, communicate new consumer rights, and identify mechanisms for consumers to exercise those rights.
Implement reasonable security practices. Assess your cybersecurity practices and controls to ensure they align with industry-recognized standards.
Enable consumer opt-out of the sale of personal data (when applicable). Create a system that complies with consumer requests to not have their personal information sold. Note that the Iowa Data Privacy Law defines sale as the exchange of money and excludes the disclosure of personal data to processors or third parties for providing requested products or services.
Provide notice for collecting sensitive data and provide opt-out mechanisms. If your business processes non-exempt sensitive data from consumers, provide clear notice and an opportunity to opt out.
Respond to inquiries for consumer rights as soon as possible. Create systems for accepting, monitoring, validating, and granting requests for consumer rights, such as those granted by the Iowa Data Privacy Law, which includes the right to access, portability, erasure, and opt-out.
Implement a training program. Ensure employees responsible for handling consumer rights requests are trained to understand and manage those requests in a timely and compliant manner. If employees handle consumer inquiries under other U.S. state privacy laws, train them to understand the nuances of each.

Summary

While the Iowa law offers many of the same protections as other comprehensive state privacy laws, it is less prescriptive concerning business compliance.

This more flexible approach sets a new precedent for states that have been unable to pass their own privacy laws in recent years because of concerns about business impact and costs.

As a result, businesses can benefit from this balanced approach that carefully considers both privacy rights and operational considerations.

We hope the compliance steps and checklist above help you navigate preparing for this rule to take effect in 2025.