Iowa is About to Have a Data Privacy Law

UPDATE: On March 28, 2023, Governor Kim Reynolds signed Senate File 262 into law. Iowa is the sixth state in the nation to adopt this type of comprehensive consumer data protection. 

Three years after this blog first covered Iowa’s efforts to pass a data privacy bill, Iowa is poised to be the sixth state in the country to adopt a data privacy statute. Iowa will join California, Utah, Colorado, Connecticut, and Virginia with a law governing collection and retention of consumer data from individual Iowans. The new Iowa law, Senate File 262, passed the Iowa Senate and Iowa House without opposition. The bill is waiting for the governor’s signature.

Most Iowa businesses will not be affected by the new law. The law only applies to companies that (1) control or process data of at least 100,000 Iowa consumers, or (2) control or process data of at least 25,000 Iowa consumers and derive 50% of their revenue from the sale of personal data. The law also has carve outs for the state, municipalities and political subdivisions, banks, certain financial companies, certain healthcare organizations, and other entities subject to a federal standard. Thus, the law’s focus is primarily on large, out of state organizations. Any company doing business in Iowa that might meet the thresholds for compliance should closely examine the various exemptions to determine whether they must comply.

Compliance with Iowa’s law will be familiar to any company that is already operating in California, or other states with similar statutes. Generally, companies will be required to provide notices when the company collects certain sensitive data. Consumers must have an opportunity to obtain copies of their data, and request that the company delete the data. There are exemptions depending on the nature of the request and type of business the company is engaged in that companies should review as part of building their compliance program.

The Iowa law does not create a private right of action, so consumers cannot sue the companies that fail to comply. Consumers can make reports to the Iowa Attorney General, which can then open an investigation into the company’s practices. The Iowa Attorney General can assess a civil penalty of up to $7,500 for each violation of the statute.

While the new law will not affect many Iowa businesses, it is an example of increasing regulation of the collection and retention of consumer data. Even if a company does not need to comply with the new Iowa law, it is still a good idea to review collection and retention policies. Organizations are often surprised to learn that they collect a substantial amount of data, and that it is stored all over the organization. Companies will find compliance with future data privacy laws much easier if they already have a clear understanding of the data they collect and where it is stored.

After the statute is signed by the governor, it will take effect on January 1, 2025.

Shareholder Attorney John Lande is chair of Dickinson Law's Cybersecurity, Data Breach, & Privacy practice group. For more information on his practice, click here.