On March 28, 2023, a new bill unanimously passed by the Iowa legislature stands to make the Hawkeye State the latest to implement a comprehensive consumer privacy law, joining the ranks of California, Colorado, Connecticut, Utah, and Virginia.
Senate File (SF) 262, which awaits the signature of Governor Kim Reynolds, is similar in many respects to other state privacy laws, and most closely resembles the Utah Consumer Privacy Act (UCPA). However, unlike its sister states, the proposed Iowa statute does not impose any onerous requirements on companies, nor does it confer any novel rights to consumers, thus making it far more friendly to the businesses it is poised to cover.
Iowa SF 262 Entails
SF 262 is notable for its broad exemptions and the limited obligations it imposes on covered companies. It will enable consumers to opt out of sales of their personal data and targeted advertising, obtain a copy of any personal data held by a covered company, and submit requests to delete their personal data. However, the bill also includes broad exemptions from all these rights for companies that employ data pseudonymisation (replacing any information which could be used to identify an individual with a value that prevents such identification).
As with Utah and Virginia’s privacy laws, SF 262 narrowly defines the term “sale” as the exchange of personal data for a monetary payment. The term “Targeted Advertising” is defined in a similar manner to other state privacy laws and excludes:
- Ads based on activities within a controller’s own website or app.
- Ads based on the context of a consumer’s search query or website visit.
- Ads directed to consumers in response to their specific request for information.
- Processing personal data solely for internal purposes, such as measuring or reporting.
Furthermore, SF 262 offers data controllers 90 days in which to respond to consumer rights requests, which is double the time granted by other states.
SF 262 empowers the Iowa Attorney General to pursue monetary penalties of up to $7,500 for each violation, without regard to intent.
On a related note, Colorado recently finalized rules implementing the Colorado Privacy Act (CPA).
The CPA grants Coloradans access to their personal data collected by businesses, nonprofits, and other entities, with the right to delete or correct that data. It also gives them more control over how their personal data is used, including a universal opt-out mechanism. In addition, the CPA requires covered companies to disclose how they use the personal data they collect and grants the Colorado AG the authority to clarify and enforce CPA compliance.