Iowa House and Senate Unanimously Vote to Approve Comprehensive Privacy Legislation


On March 6 and 15, 2023, both chambers of the Iowa Legislature unanimously voted to approve Senate File 262, which could make Iowa the sixth U.S. state to enact comprehensive privacy legislation. The bill is most similar to Utah’s comprehensive privacy law.


Applicability

Senate File 262 would apply to a person that (1) conducts business in Iowa or produces products or services that are targeted to Iowa residents and (2) during a calendar year, satisfies at least one of the following thresholds: (a) controls or processes the personal data of 100,000 or more Iowa residents, or (b) controls or processes personal data of at least 25,000 Iowa residents and derives over 50% of its gross revenue from the sale of personal data.

Senate File 262’s protections would apply only to Iowa residents acting in an individual or household context, with an express exemption for individuals acting in a commercial or employment context. The law contains exemptions for financial institutions, affiliates of financial institutions and personal data subject to the Gramm-Leach-Bliley Act, persons who are subject to and comply with regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996, nonprofit organizations, and institutions of higher education.


Controller Obligations

Controllers would be required to implement reasonable security practices, provide a compliant privacy notice to consumers and enter into agreements with processors that handle the controller’s personal data. Unlike some of the other comprehensive state privacy laws, Senate File 262 would not require controllers to undertake data protection assessments.

The law also would require controllers to first provide consumers with clear notice and an opportunity to opt out of the processing of their sensitive data.


Consumer Rights

Controllers would be required to provide consumers with the right to: (1) confirm whether a controller is processing the consumer’s personal data and obtain a copy of the data in portable form; (2) delete personal data provided by the consumer; and (3) opt out of the sale of personal data. These rights notably exclude a right to correct inaccurate personal data.

Controllers would have 90 days to respond to consumer rights requests, with a potential 45-day extension in certain circumstances.


Enforcement

Senate File 262 does not contain a private right of action and would be enforced exclusively by the Iowa Attorney General. The bill provides a non-sunsetting right to cure violations within 90 days of receiving notice of a violation.

Senate File 262 can be signed into law by Iowa Governor Kim Reynolds, vetoed, or become law without signature after three days during the legislative session. If Senate File 262 is enacted, it would take effect on January 1, 2025.
