Updated: May 8
The snowballing network of comprehensive state privacy laws in the United States is about to take another step forward.
Iowa has become the 6th US state to implement Data privacy laws after it was proposed by the Iowa Senate and the House and now awaits the Governor's Signature.
But before we begin to dig deeper into this newly enacted law, here are two key takeaways:
Iowa privacy law is not as strict as CPRA. Minimum restrictions on Corporations
It gives customers fewer rights
Compared to the other five state privacy laws already in place, Iowa's accession to the US privacy scene closely resembles the Utah Consumer Privacy Act (UCPA), which takes a more pragmatic stance on privacy.
Iowa Privacy Law: Will it be any different?
Businesses operating in Iowa or creating goods or services intended for Iowa people and meeting specific requirements will be subject to Iowa's privacy law.
This statute does not cover residents of Iowa who are engaged in business or employment activity.
Unlike legislation in California and Utah, Iowa's privacy statute does not have a set of numbers. But it does give a ballpark estimate that will be implemented when it comes into effect. Iowa will apply to for-profit organizations that:
(1) control or process data of at least 100,000 Iowa consumers or;
(2) control or process data of at least 25,000 Iowa consumers and derive 50% of their revenue from the sale of personal data.
Rights of Data Subject or Consumers
Compared to other state privacy laws, the new privacy bill doesn't give much scope to consumers to exercise their privacy rights. Consumers will have the following rights under the new legislation:
the right to confirm the processing of personal data
the right to obtain access to personal data
the right to removal or withdrawal of personal data
the right to data portability or data transfer (in limited circumstances)
The option to refuse a sale, where a sale involves the exchange of personal data with a third party for money under the authority of the controller.
Certain rights mentioned above, like the rights to removal or withdrawal and the right to data transfer, are only applicable to personal data that customers have voluntarily submitted to businesses.
The new privacy law does not mandate that enterprises act on the opt-out signals like those set forth by the Global Privacy Control (GPC) or provide for rights of correction or opting out of profiling.
Although they haven't explicitly mentioned the right to opt out and targeted advertising in the section on consumer rights, they have done so in the later passage of the bill concerning data controllers.
Businesses must address consumer inquiries within 90 days, with a 45-day extension possible. This is a business-friendly provision as under most legislation businesses must respond within 30-45 days.
A definition of sensitive data is provided in Iowa's new privacy law, like those found in most privacy regulations. Individually identifiable information that reveals:
Ethnic or Racial background
Diagnosing one's physical or mental health
Immigration or nationality status
Biometric or genetic data
Information obtained from a known child
Without giving the consumer a clear and transparent privacy notice and the chance to opt out of using their sensitive data, data controllers will not be allowed to process sensitive data.
The upcoming Iowa privacy law mandates businesses to create a readily available consumer-friendly privacy notice, as do most current privacy laws.
According to Iowa law, the privacy notice must include the following:
Categories of processed personal data
The Purpose of Data Processing
Consumer rights and instructions on how to exercise them
Types of personal information shared with outside parties
Information about the parties with whom personal data is shared.
Businesses or any other organization starts taking a law seriously when enforced, and its noncompliance has detrimental consequences.
The bill's provisions will only be enforceable by the Attorney General of Iowa. Companies that have broken the legislation may be subject to fines of up to $7500 per violation.
The revised law includes a 90-day cure period with no sunset provision. This also shows that this legislation is very business friendly.
Iowa Privacy Bill: Key Preparation for Businesses
While the new Iowa privacy law will go into effect on January 1, 2025, a few things businesses would be affected by it can do to get ready.
To start, make sure the data mapping for your company is updated. You must understand the data aspects of your business clearly and thoroughly.
What data types does your organization collect and process?
How does your organization keep track of all the data processes, such as data integration, migration, warehouse automation, synchronization, automated data extraction, and other small data management projects?
Apart from Data mapping, ensure that sensitive data and other high-risk data processing operations are handled legally and with the appropriate safeguards by implementing a thorough evaluation procedure.
The new bill's consumer protections are less robust than those of other privacy laws of a similar nature. You should still have a straightforward, repeatable procedure for responding to submitted customer requests.
A means for consumers to submit requests should be part of your DSAR fulfillment process, and this method should be described in your privacy notice. To guarantee that the correct personal data is located and given back to the requestor, you must also incorporate strategies for ID verification and data discovery solutions.
If you are still trying to figure out how to gear up your business for privacy compliance, talk to one of our privacy experts and learn why you might need it the most.