On March 15, 2023, the Iowa House passed Senate Bill 262 on a 97-0 vote. The Bill had previously passed the Iowa Senate on March 6, 2023.  If ultimately signed by Iowa Governor Kim Reynolds, Iowa would join California, Colorado, Connecticut, Utah, and Virginia as the sixth U.S. state with a comprehensive consumer data privacy law. The Bill would also become law if it is sent to the governor and remains unsigned for three days.

The proposed Iowa privacy law follows a similar path as other U.S. state privacy laws. At a high-level, the Iowa Bill would:

  • Apply to entities that control or process personal data of at least 100,000 consumers or that control or process person data of at least 25,000 consumers but derives over 50% of its gross revenue from the sale of personal data.
  • Provide the Iowa Attorney General with exclusive enforcement authority.
  • Provide consumers with: A right to confirm whether a controller is processing the consumer’s personal data; a right to request deletion of personal data provided by the consumer; a right to obtain a copy of the consumer’s personal data from the controller; and a right to opt out of the sale of personal data.
  • Require a controller to present consumers with a clear notice and opportunity to opt-out of the processing of their sensitive data, if processing is for a nonexempt purpose. Likewise, the Bill would require a controller who sells personal data to 3rd parties to clearly and conspicuously disclose such activity to consumers, as well as the manner in which a consumer may exercise the right opt-out of such activity.
  • Require a contract between a controller and processer to include: That each person processing personal data is subject to a duty of confidentiality with respect to the data being processed; that at the controller’s direction, the processor must delete or return all personal data to the controller as requested at the end of the service, unless retention of the personal data is required by law; that upon the reasonable request of the controller, the processor make available all information in the processor’s possession necessary to demonstrate the processor’s compliance with the Bill; and that any engaged subcontractor or agent enter into a written contract that requires the subcontractor or agent to meet the duties of the processor with respect to personal data.

However, the Bill would not provide consumers with a right of private action; a right to correct inaccuracies with their data; or  require that businesses recognize “do not track” signals.

At the time of this post, the Bill has been messaged back to the Senate. If passed into law, its provisions would take effect on January 1, 2025. As drafted, the Bill would not provide for additional rulemaking.