IDC Names Securiti a Worldwide Leader in Data PrivacyView
Iowa has become the sixth state in the US to adopt a comprehensive data privacy law. Known as Senate File 262, the Iowa Senate and House unanimously passed the bill on March 15, 2023, before it was signed into law by Gov. Reynolds on March 28, 2023. The law shall go into effect on January 1, 2025.
Iowa’s data privacy law joins five other US states and follows a format similar to California, Colorado, Connecticut, Utah, and Virginia state privacy laws. Due to its similarity to existing state laws, the law is not anticipated to impose significant compliance requirements on businesses already complying with pre-existing comprehensive state privacy regulations.
An entity conducting business in Iowa or producing products or services targeted to consumers who are Iowa residents shall be subject to the law if it meets the following requirements during a calendar year:
The law exempts certain types of entities and data from its application. Following entities do not fall under the scope of the law:
The law also does not have any application to the following types of data:
Biometric data means data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual; but does not include a physical or digital photograph, a video or audio recording, or data generated therefrom, or information collected, used, or stored for healthcare treatment, payment, or operations under HIPAA.
Consent means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer, including a written statement, a statement written electronically, or any other unambiguous affirmative action.
Consumer means a natural person who is a resident of the state acting only in an individual or household context and excluding a natural person acting in a commercial or employment context.
Controller means a person that, alone or jointly with others, determines the purpose and means of processing personal data.
De-identified data means data that cannot reasonably be linked to an identified or identifiable natural person.
Personal data means any information that is linked or reasonably linkable to an identified or identifiable natural person, but does not include de-identified or aggregate data or publicly available information.
A processor is a person that processes personal data on behalf of a controller.
Pseudonymous data means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
Sensitive Data means a category of personal data that includes the following:
Based on the volume and nature of the personal data, the controllers are required to adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
The law obligates the controllers to present the consumers with a clear notice and an opportunity to opt-out in case of processing of sensitive data for a nonexempt purpose. For processing sensitive data belonging to a known child, the controllers must comply with the provisions of COPPA.
The controllers are barred from discriminating against the consumers for exercising their rights under the law or processing their personal data in violation of state and federal laws that prohibit unlawful discrimination. However, the law allows the controllers to offer different prices, rates, levels, quality, or selection of goods or services to a consumer if the consumer has exercised his/her right to opt-out of the sale of personal data or the offer is based on the consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.
The controllers are required to provide the consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the following:
With respect to the disclosure of de-identified or pseudonymous data, the law requires the controllers to exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous or de-identified data is subject and to take appropriate steps to address any breaches of those contractual commitments.
The law requires the processor to assist the controller, by adopting appropriate technical and organizational measures to fulfill the controller’s obligations to respond to consumer data requests and to meet security obligations with respect to the personal data processed.
The processor shall be required to process the personal data on behalf of the controller in accordance with the terms of the contract between the controller and the processor (contract), setting forth the instruction for processing, nature, and purposes of the processing, the type of data processed, the duration of the processing and the rights and duties of both the parties. The contract shall also require the processor to:
Under the law, the consumers may invoke the following rights by making an authenticated request (DSR) to the controller:
The consumer has a right to confirm whether the controller is processing his/her personal data and to access that data.
The consumer has a right to get his/her personal data with the controller deleted.
The consumer has a right to obtain a copy of his/her personal data.
The consumer has a right to opt-out of the sale of his/her personal data.
With respect to the processing of personal data belonging to a child, a known child’s parent or legal guardian may invoke such consumer rights on his/her behalf.
A controller must respond to a DSR without undue delay, but in all cases, within ninety (90) days from the receipt of the request. However, in cases where it is reasonably necessary, considering the complexity and number of the consumer’s requests, the controller may seek an extension of another forty-five (45) days in the response period by informing the consumer of any such extension within the initial ninety-day response period along with the reason for an extension.
In case of a suspected fraudulent DSR, the controller may decline to take action by stating that the DSR could not be authenticated. In all other cases of denial to take action on a DSR, the controller must inform the consumer, without undue delay, about the justification for and instructions to appeal against such denial.
A consumer can make a DSR free of charge twice a year; however, where a DSR from a consumer is manifestly unfounded, excessive, repetitive, technically infeasible, or the controller reasonably believes that the primary purpose of the DSR is not to exercise a consumer right, it may charge the consumer a reasonable fee to cover the administrative costs of complying with the DSR or decline to act on the DSR. However, the controller shall bear the burden for demonstrating the unfounded, excessive, repetitive, and technically infeasible nature of a DSR.
The controller may decline to take action on a DSR that the controller is unable to authenticate using commercially reasonable efforts and may request the consumer to provide additional information reasonably necessary to authenticate the consumer and the DSR.
A controller must establish a process, similar to the process for submission of DSR, for a consumer to file an appeal against the denial of DSR. The controller is required to inform the consumer about the decision of the appeal within sixty (60) days from the receipt of the appeal and, in case the appeal is denied, provide the consumer with an online mechanism to submit a complaint with the attorney general.
The law provides for certain exemptions for the controllers and processors in relation to their processing of the consumers’ personal data. These exemptions are as follows:
Limiting its scope of application, the law provides that it cannot restrict the ability of the controllers and the processors to do the following:
Further, the law provides that the obligations imposed on a controller or processor under its provisions shall not restrict a controller’s or processor’s ability to collect, use, or retain data to:
However, it is pertinent to note that while processing the personal data under any of the exemptions mentioned above, the controller must ensure the following:
Moreover, the law exempts the controllers and the processors from compliance with obligations under its provisions if such compliance would violate an evidentiary privilege under the laws of the state of Iowa. The law also states that a controller or a processor shall not be in violation of the law if at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation.
The controllers and the processors are also exempt from fulfilling an obligation under the law if that adversely affects the privacy or other rights or freedoms of any other persons.
The Iowa attorney general has the exclusive authority to enforce the law. The attorney general is empowered to issue civil investigative demands to the controllers and processors and, in case the violations are not cured, to initiate a civil action.
The law does not prescribe any penalties for cases where the violation is cured by the controller or the processor within the ninety-day notice from the attorney general identifying the specific provisions of the law being violated. However, in case of continuous violation or breach of an express written statement made regarding the cure of the violation, the attorney general may initiate an action in the name of the state and may seek an injunction to restrain any violations of the law and civil penalties of up to $7,500 for each violation.
Organizations can operationalize Iowa’s data privacy law by taking the following important steps:
As states within the US and countries witness a profound transition in the digital landscape, automating privacy and security processes for quick action is essential. Organizations must become even more privacy-conscious in their operations and diligent customer data custodians.
Securiti uses the PrivacyOps architecture to provide end-to-end business automation, combining reliability, intelligence, and simplicity. Securiti can assist you in complying with Iowa’s Data Privacy Law – Senate File 262 and other privacy and security standards worldwide. Examine how it functions.
Request a demo right now.
Senate File 262 is an Iowa state privacy law that applies to entities conducting business in Iowa or producing products or services targeted to consumers who are Iowa residents and controls or processes the personal data of over 100,000 Iowa residents or controls or processes the personal data of over 25,000 Iowa residents and derives over 50% of its gross revenue from the sale of personal data during a calendar year.
Iowa became the sixth US state to enact a data privacy law known as the Senate File 262.
On March 29, 2023, Iowa Gov. Kim Reynolds signed Senate File 262 into law, the Iowa Act Relating to Consumer Data Protection (ICDPA).
At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.
300 Santana Row
San Jose, CA 95128