An image of a computer screen listing html code and met

Iowa's New Data Privacy Law: What Businesses Need to Know

September 16, 2024 | Corporate and Commercial

In 2023, Iowa joined the ranks of states enacting consumer data privacy legislation. The Iowa Consumer Data Protection Act, Senate File 262 (the “ICDPA”), is slated to take effect on January 1, 2025, as Chapter 715D of the Code of Iowa.

The ICDPA applies to entities conducting business in Iowa and entities producing products or services targeted to Iowa consumers that, during a calendar year, (a) control or process personal data of at least 100,000 Iowa consumers, or (b) control or process personal data of at least 25,000 Iowa consumers and derive over 50% of their gross revenue from the sale of personal data. An entity controls personal data and is a “controller” where it determines the purpose and means of processing a consumer’s personal data. An entity processes personal data and is a “processor” where it performs operations on personal data (including collecting, using, storing, analyzing, or modifying personal data). The ICDPA does provide exemptions from its requirements both with respect to certain kinds of entities (such as nonprofits and entities subject to federal sector-specific data privacy laws) and certain kinds of data (such as health records and data maintained for employment purposes).

The ICDPA provides consumers a number of rights with respect to their personal data, including rights to access, delete, obtain copies of, and opt-out of the sale of their personal data. Entities subject to the ICDPA will be required to respond to consumers’ requests to exercise such rights. If an entity declines a request, the entity will be required to provide the consumer an appeal process in accordance with the ICDPA.

Companies constituting controllers will also be required to adopt reasonable data security practices protecting personal data, provide consumers with a privacy notice detailing the company’s handling of personal data, and establish contractual obligations with its processors governing the processing of personal data, among other requirements. Processors shall assist controllers with meeting their obligations under the ICDPA.

As we approach the ICDPA’s upcoming effective date, Iowa businesses and the attorneys serving them should familiarize themselves with the contours of the ICDPA and begin taking steps to ensure compliance with it, including understanding what data the business collects, stores, uses and discloses, preparing data security and privacy policies, and training individuals within the business on the business’s policies and how to comply with them.

Originally published in the ISBA Business Law Section Newsletter (August 2024).
Joseph P. Malanson is qualified as a Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals. Learn more about Joseph's practice here.