Iowa has recently become the sixth state in the United States to pass a comprehensive data privacy law. The law, which was signed by Governor Kim Reynolds (R) on Tuesday, aims to empower consumers to have more control over safeguarding their personal data. The Iowa Senate and House unanimously passed the law, known as Senate File 262, which will come into effect on January 1, 2025. The state now joins California, Colorado, Connecticut, Utah, and Virginia in adopting data protections.
The Iowa data privacy law applies to companies that either control or process data of at least 100,000 Iowa consumers, or control or process data of at least 25,000 Iowa consumers while deriving 50% of their revenue from the sale of personal data. Notably, the law also exempts data regulated by the Fair Credit Reporting Act (FCRA), which is consistent with the other five states. Additionally, there are exemptions for state and municipal entities, political subdivisions, banks, and financial companies subject to the Gramm-Leach-Bliley Act (GLBA), healthcare organizations as specified in the statute subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), non-profits, higher education institutions including Family Educational Rights and Privacy Act (FERPA) data, data governed by the Children’s Online Privacy Protection Act of 1998 (COPPA), and certain employment-related information.
Under the Iowa law, consumers are granted four main rights: the right to access, the right to delete, the right to portability, and the right to opt out of the sale of their personal data. Like the state privacy laws enacted by Colorado, Connecticut, Virginia, and Utah, the Iowa privacy law does not provide a private right of action. Instead, it gives the attorney general the exclusive right to enforce the act through civil investigative demands. If violations occur, the attorney general must notify the offending party in writing, giving it 90 days to cure the violation(s), notify the attorney general of the cure, and confirm that no further violations will occur. The attorney general may seek monetary damages of up to $7,500 per violation of the law, as well as injunctive relief.
In conclusion, the enactment of Iowa’s data privacy law marks a significant step towards the protection of personal data in the United States.
If your company needs advice, support, or guidance in complying with the Iowa Privacy Law, book a meeting with a member of our team.