Iowa Unanimously Passes Data Privacy Law


Iowa is the sixth state in the US to adopt a comprehensive data privacy law. Senate File 262 was unanimously passed by the Iowa Senate and House and awaits the Governor’s signature.

Iowa’s data privacy law applies to companies that (1) control or process data of at least 100,000 Iowa consumers, or (2) control or process data of at least 25,000 Iowa consumers and derive 50% of their revenue from the sale of personal data. Of note for employers conducting background checks, Iowa joins California, Colorado, Connecticut, Utah, and Virginia by exempting data regulated by the Fair Credit Reporting Act (FCRA). Exceptions also exist for state and municipal entities; political subdivisions; banks, and financial companies subject to the Gramm-Leach-Bliley Act (GLBA); healthcare organizations, as specified in the statute, subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA); non-profits; higher education institutions, including Family Educational Rights and Privacy Act (FERPA) data; data governed by the Children’s Online Privacy Protection Act of 1998 (COPPA); and certain information related to employment.

Like other data privacy laws, Iowa assigns specific requirements to controllers of personal data, which are entities that “determine the purpose and means of processing personal data,” and to processors, which “process personal data on behalf of a controller.” Iowa’s law establishes rights for consumers, or data subjects, including the right to confirm whether the processing of personal data will occur and the right to access personal data. Data subjects also have the right to request that personal data be deleted, to obtain a copy of personal data, and to opt out of the sale of personal data.

Controllers must provide consumers with a privacy notice that identifies the following:

  • The categories of personal data processed,
  • The purposes for processing,
  • How consumers can exercise their data privacy rights,
  • The categories of personal data the controller shares with third parties if any, and
  • The categories of third parties, if any, with whom the controller shares personal data.

The law requires that processors and controllers execute an agreement concerning the scope of the processor’s services provided at the direction of the controller.

The new law does not create a private right of action but permits consumers to report violations to the Iowa Attorney General. Before an enforcement action commences, an entity suspected of violating the data privacy law is provided a 90-day cure period. Subsequently, the Iowa Attorney General may seek injunctive relief and levy a civil penalty of up to $7,500 per violation.

Iowa’s bill is one of several currently under consideration, with measures in Hawaii, Indiana, Kentucky, Montana, New Jersey, and Oklahoma quickly progressing through the legislative process. While the compliance requirements are similar to other states’ data privacy laws, employers are reminded to review their policies and procedures in advance of the law’s effective date.

Iowa’s data privacy law is expected to be signed by the Governor and will take effect on January 1, 2025.
