Iowa has become the sixth state in the country to enact a comprehensive consumer privacy law, joining California, Virginia, Colorado, Connecticut, and Utah. The “Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions Act” (the “Iowa Act”) will apply to businesses producing products or providing services that are targeted to Iowa residents and that either (a) control or process personal data of at least 100,000 Iowa consumers during a calendar year; or (b) control or process personal data of at least 25,000 Iowa consumers and derive more than 50% of their annual gross revenue from the sale of personal data. A “consumer” is defined as a resident of the state acting only in an individual or household context, excluding a natural person acting in a commercial or employment context. The Iowa Act does not apply to non-profit organizations. The new law will go into effect on January 1, 2025.
The Iowa Act adopts definitions of “controller” and “processor” that are virtually identical to those in the Virginia, Colorado, Connecticut and Utah laws. Controllers determine the purposes for and means by which personal data is processed, and processors process personal data on behalf of controllers.
Similar to other state privacy laws, the Iowa Act gives consumers the following rights:
Notably, the Iowa Act does not: (1) give consumers a right to correct inaccuracies in their personal data; (2) include any requirement for controllers to conduct data protection assessments; or (3) hamper controllers with obligations to limit data collection to what is reasonably necessary.
The Iowa Act mandates the following duties to controllers and processors:
The Iowa Act will be enforced exclusively by the State Attorney General and does not provide consumers with a private right of action. Iowa provides controllers and processors a permanent 90-day cure period to fix alleged violations before the Attorney General can commence an enforcement action, and damages are limited to civil penalties of up to $7,500 per violation.
If you have questions about the Iowa Act or other state privacy law compliance, contact an attorney in our Privacy, Data Protection, and Cybersecurity practice group.