Introduction
Iowa has become the sixth state in the US to adopt a comprehensive data privacy law. Known as Senate File 262, the bill was passed unanimously by the Iowa Senate and House on March 15, 2023, and signed into law by Gov. Reynolds on March 28, 2023. The law goes into effect on January 1, 2025.
Iowa’s data privacy law joins those of five other US states and follows a format similar to the California, Colorado, Connecticut, Utah, and Virginia state privacy laws. Because of this similarity, the law is not expected to impose significant new compliance requirements on businesses that already comply with the existing comprehensive state privacy laws.
Who Needs to Comply with the Law
i) Material Scope
An entity conducting business in Iowa or producing products or services targeted to consumers who are Iowa residents is subject to the law if, during a calendar year, it meets either of the following thresholds:
- controls or processes the personal data of over 100,000 Iowa residents; or
- controls or processes the personal data of over 25,000 Iowa residents and derives over 50% of its gross revenue from the sale of personal data.
ii) Exemptions
The law exempts certain types of entities and data from its application. The following entities do not fall under the scope of the law:
- Government entities;
- Financial institutions, their affiliates, and entities subject to the Gramm-Leach-Bliley Act;
- Entities that are subject to and comply with:
- the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- the Health Information Technology for Economic and Clinical Health Act (HITECH)
- Non-profit organizations; and
- Institutions of higher education.
The law also does not have any application to the following types of data:
- Medical data covered under any medical laws: Many forms of health information, records, data and documents protected and covered under HIPAA, or other federal or state medical laws;
- Personal data used for research: Identifiable private information collected, used or shared in research conducted in accordance with applicable laws;
- FCRA covered data: Any personal information of consumers collected or used for consumer credit scoring and reporting protected under the federal Fair Credit Reporting Act (FCRA);
- Driver data: Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994;
- FERPA data: Personal data regulated by the federal Family Educational Rights and Privacy Act (FERPA);
- FCA data: Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act (FCA);
- COPPA data: Personal data used in accordance with the federal Children’s Online Privacy Protection Act (COPPA);
- Employment data: Personal data maintained for employment records.
Definitions of key terms
i) Biometric Data
Biometric data means data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual. It does not include a physical or digital photograph, a video or audio recording, or data generated therefrom, or information collected, used, or stored for healthcare treatment, payment, or operations under HIPAA.
ii) Consent
Consent means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer, including a written statement, a statement written electronically, or any other unambiguous affirmative action.
iii) Consumer
Consumer means a natural person who is a resident of the state acting only in an individual or household context and excluding a natural person acting in a commercial or employment context.
iv) Controller
Controller means a person that, alone or jointly with others, determines the purpose and means of processing personal data.
v) De-identified Data
De-identified data means data that cannot reasonably be linked to an identified or identifiable natural person.
vi) Personal Data
Personal data means any information that is linked or reasonably linkable to an identified or identifiable natural person, but does not include de-identified or aggregate data or publicly available information.
vii) Processor
A processor is a person that processes personal data on behalf of a controller.
viii) Pseudonymous Data
Pseudonymous data means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
ix) Sensitive Data
Sensitive Data means a category of personal data that includes the following:
- Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, except to the extent such data is used to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law.
- Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person.
- The personal data collected from a known child.
- Precise geo-location data.
Obligations of Controllers
i) Security Measures
Based on the volume and nature of the personal data, the controllers are required to adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
ii) Processing of Sensitive Data
The law obligates the controllers to present the consumers with a clear notice and an opportunity to opt-out in case of processing of sensitive data for a nonexempt purpose. For processing sensitive data belonging to a known child, the controllers must comply with the provisions of COPPA.
iii) Non-discrimination
The controllers are barred from discriminating against the consumers for exercising their rights under the law or processing their personal data in violation of state and federal laws that prohibit unlawful discrimination. However, the law allows the controllers to offer different prices, rates, levels, quality, or selection of goods or services to a consumer if the consumer has exercised his/her right to opt-out of the sale of personal data or the offer is based on the consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.
iv) Privacy Notice
The controllers are required to provide the consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the following:
- the categories of personal data processed by the controller;
- the purposes of the personal data processing;
- the mechanism for exercising the rights under the law, including the right to appeal the denial of a consumer data request;
- the categories of personal data the controller shares with third parties; and
- the categories of third parties with whom the controller shares the personal data.
In addition, if a controller sells a consumer’s personal data to a third party or engages in targeted advertising, the controller must clearly disclose the activity to the consumer along with the mechanism through which the consumer may opt-out of any such activity.
v) Disclosure of De-identified or Pseudonymous Data
With respect to the disclosure of de-identified or pseudonymous data, the law requires the controllers to exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous or de-identified data is subject and to take appropriate steps to address any breaches of those contractual commitments.
Obligations of Processors
i) Assistance to Controller
The law requires the processor to assist the controller by adopting appropriate technical and organizational measures to fulfill the controller’s obligations to respond to consumer data requests and to meet its security obligations with respect to the personal data processed.
ii) Processing under Contract
The processor must process the personal data on behalf of the controller in accordance with the terms of a contract between the controller and the processor (the contract), which sets out the instructions for processing, the nature and purposes of the processing, the type of data processed, the duration of the processing, and the rights and duties of both parties. The contract must also require the processor to:
- ensure the confidentiality of the personal data;
- delete or return the personal data to the controller at the direction of the controller, unless retention of the personal data is required by law;
- upon reasonable request from the controller, make available all information in its possession necessary to demonstrate compliance with its obligations; and
- engage any subcontractor or agent through a written instrument requiring them to fulfill obligations towards the personal data.
Data Subject Rights
Under the law, consumers may invoke the following rights by making an authenticated data subject request (DSR) to the controller:
- Right to Access: The consumer has a right to confirm whether the controller is processing his/her personal data and to access that data.
- Right to Delete: The consumer has a right to have the personal data the controller holds about him/her deleted.
- Right to Data Portability: The consumer has a right to obtain a copy of his/her personal data.
- Right to Opt-Out of the Sale: The consumer has a right to opt-out of the sale of his/her personal data.
With respect to the processing of personal data belonging to a child, a known child’s parent or legal guardian may invoke these consumer rights on the child’s behalf.
- Response Period for DSRs: A controller must respond to a DSR without undue delay and in all cases within ninety (90) days of receipt of the request. However, where reasonably necessary considering the complexity and number of the consumer’s requests, the controller may extend the response period by a further forty-five (45) days, provided it informs the consumer of the extension, along with the reason for it, within the initial ninety-day response period.
- Denial of DSR: In case of a suspected fraudulent DSR, the controller may decline to take action by stating that the DSR could not be authenticated. In all other cases where it declines to act on a DSR, the controller must inform the consumer, without undue delay, of the justification for the denial and of the instructions for appealing it.
- Charges for DSR: A consumer can make a DSR free of charge twice a year; however, where a DSR is manifestly unfounded, excessive, repetitive, or technically infeasible, or the controller reasonably believes that the primary purpose of the DSR is not to exercise a consumer right, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the DSR or decline to act on it. The controller bears the burden of demonstrating that a DSR is unfounded, excessive, repetitive, or technically infeasible.
- Unauthenticated DSRs: The controller may decline to take action on a DSR that it is unable to authenticate using commercially reasonable efforts, and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the DSR.
- Appeal against Denial of DSR: A controller must establish a process, similar to the process for submitting a DSR, for a consumer to appeal the denial of a DSR. The controller must inform the consumer of the decision on the appeal within sixty (60) days of receipt of the appeal and, if the appeal is denied, provide the consumer with an online mechanism to submit a complaint to the attorney general.
Data Processing Exemptions
The law provides certain exemptions for controllers and processors in relation to their processing of consumers’ personal data. These exemptions are as follows:
- A controller or processor is not obligated under the law to:
- re-identify de-identified data or pseudonymous data;
- maintain data in identifiable form; or
- collect, obtain, retain, or access any data or technology in order to be capable of associating an authenticated consumer request with personal data.
- A controller or processor is not obligated under the law to comply with a DSR if:
- the controller is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data;
- the controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; or
- the controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor.
- A controller is not obligated to fulfill a DSR with respect to pseudonymous data where the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
Limitations
Limiting its scope of application, the law provides that it does not restrict the ability of controllers and processors to do the following:
- comply with federal, state, or local laws, rules or regulations;
- comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
- cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;
- investigate, establish, exercise, prepare for, or defend legal claims;
- provide a product or service specifically requested by a consumer or parent or guardian of a child, perform a contract to which the consumer or parent or guardian of a child is a party, or take steps at the request of the consumer or parent or guardian of a child prior to entering into a contract;
- take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis;
- prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity;
- preserve the integrity or security of systems;
- investigate, report, or prosecute those responsible for any such action;
- engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board or a similar independent oversight entity that determines the following:
- whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;
- whether the expected benefits of the research outweigh the privacy risks; and
- whether the controller has implemented reasonable safeguards to mitigate the privacy risks associated with the research, including any risks associated with re-identification.
- assist another controller, processor, or third party with any of the obligations under the law; or
- provide personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of the state as part of a privileged communication.
Further, the law provides that the obligations imposed on a controller or processor under its provisions shall not restrict a controller’s or processor’s ability to collect, use, or retain data to:
- conduct internal research to develop, improve, or repair products, services, or technology;
- effectuate a product recall;
- identify and repair technical errors that impair existing or intended functionality; or
- perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer’s existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or parent or guardian of a child or the performance of a contract to which the consumer or parent or guardian of a child is a party.
However, when processing personal data under any of the exemptions mentioned above, the controller must ensure the following:
- the processing is reasonably necessary and proportionate to the exemption;
- the processing is adequate, relevant, and limited to what is necessary in relation to the specific exemption; and
- the personal data collected for such processing is subject to administrative, technical, and physical measures to protect its confidentiality, integrity, and accessibility.
Moreover, the law exempts the controllers and the processors from compliance with obligations under its provisions if such compliance would violate an evidentiary privilege under the laws of the state of Iowa. The law also states that a controller or a processor shall not be in violation of the law if at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation.
Controllers and processors are also exempt from fulfilling an obligation under the law if doing so would adversely affect the privacy or other rights or freedoms of any other person.
Regulatory Authority
The Iowa attorney general has exclusive authority to enforce the law. The attorney general is empowered to issue civil investigative demands to controllers and processors and, if violations are not cured, to initiate a civil action.
Penalties for Non-compliance
The law does not prescribe any penalties where the controller or processor cures the violation within ninety days of a written notice from the attorney general identifying the specific provisions of the law being violated. However, if the violation continues, or the controller or processor breaches an express written statement it made regarding the cure of the violation, the attorney general may initiate an action in the name of the state and may seek an injunction to restrain any violations of the law and civil penalties of up to $7,500 for each violation.
How an Organization Can Operationalize the Law
Organizations can operationalize Iowa’s data privacy law by taking the following important steps:
- Determine whether they meet the jurisdictional thresholds of the law, including whether they hold personal data of Iowa residents and whether they meet the data volume or revenue thresholds;
- Build their data inventories and classify the data stores that contain personal data of Iowa residents;
- Develop a clear and accessible privacy notice setting out consumers’ rights and information about the processing of their personal data;
- Implement a robust framework for swiftly processing DSRs as well as consumer appeals against the denial of a DSR; and
- Protect personal data by taking appropriate security measures.
How Can Securiti Help
As US states and countries around the world undergo a profound transition in the digital landscape, automating privacy and security processes for quick action is essential. Organizations must become even more privacy-conscious in their operations and more diligent custodians of customer data.
Securiti uses the PrivacyOps architecture to provide end-to-end business automation, combining reliability, intelligence, and simplicity. Securiti can assist you in complying with Iowa’s Data Privacy Law (Senate File 262) and other privacy and security standards worldwide. See how it works.
Request a demo today.