On March 15, the Iowa House passed Senate File 262 (SF 262), a comprehensive state privacy law bill. If enacted, SF 262 would be the sixth state level privacy legislation, following California, Virginia, Colorado, Utah, and Connecticut, and it would go into effect on January 1, 2025.

Iowa’s new law is closest to the Utah Consumer Privacy Act (UCPA), having broad exemptions and more limited obligations for controllers. Notably, SF 262 provides exemptions for consumer rights where “pseudonymous data” and “de-identified data” (as defined by the bill) are involved, including certain opt-out rights.

For the most part, Iowa’s bill treads familiar territory. Its scope extends to entities that conduct business in Iowa or produce products or services targeted to Iowa residents, and that meet the following requirements, in a calendar year: (1) control or process personal data of at least 100,000 consumers; or (2) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from sale of personal data.

Iowa’s bill does not create new obligations for businesses compared to what is already required under other states’ privacy laws. For example, the Iowa bill’s privacy notice requirements are not unique to SF 262 – companies with privacy policies drafted to comply with the CCPA (California Consumer Privacy Act) and VCDPA (Virginia Consumer Data Protection Act) are not likely to have to amend their policies in order to comply with Iowa’s requirements. In addition, like Utah and Virginia, Iowa’s bill includes a narrow definition of “sale” of personal data (the exchange of personal data for monetary consideration by the controller to a third party), as well as numerous exceptions. 

Iowa’s bill notably diverges from consumer protections found in most existing state privacy laws. For example, it only requires clear notice and opt-out for sensitive data, while other states like Colorado, Connecticut, and Virginia adopted opt-in requirements. The Iowa bill also lacks a consumer right to correct data. There are no requirements for covered entities to conduct privacy impact assessments or establish data minimization principles. Furthermore, responses to consumer requests not only have a 90-day response period (compared to 45-days in other states) but also are subject to a potential 45-day extension.

This bill does not contain a private right of action; enforcement rights belong exclusively with the Iowa State Attorney General. The AG may seek injunctive relief and civil penalties of up to $7,500 per violation. However, this first requires providing a 90-day cure period before bringing any enforcement, and such cure period does not sunset.

We will continue to monitor the developments and keep you informed of any further updates.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Sarah Rippy Sarah Rippy

Sarah Rippy is an attorney in Crowell & Moring’s Denver office and a member of the Privacy & Cybersecurity Group.

During law school, Sarah was executive editor of the Colorado Technology Law Journal and an active member of the Silicon Flatirons Center. She…

Sarah Rippy is an attorney in Crowell & Moring’s Denver office and a member of the Privacy & Cybersecurity Group.

During law school, Sarah was executive editor of the Colorado Technology Law Journal and an active member of the Silicon Flatirons Center. She joins the firm after a year serving as a Westin Research Fellow at the International Association of Privacy Professionals, where she focused on state law developments, including the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), and the Virginia Consumer Data Protection Act (VCDPA).

Photo of Maria Sokova Maria Sokova

Maria Sokova is an attorney in the San Francisco office of Crowell & Moring, where she is a member of the Litigation Group.

Maria has experience representing clients in state and federal courts in technology-related litigation, copyright infringement and DMCA, trade secret and…

Maria Sokova is an attorney in the San Francisco office of Crowell & Moring, where she is a member of the Litigation Group.

Maria has experience representing clients in state and federal courts in technology-related litigation, copyright infringement and DMCA, trade secret and trademark misappropriation, and complex commercial matters. Using her litigation experience, Maria also counsels clients on matters related to technology transactions, IP protection, and terms and policies for companies ranging from start-ups to market leaders.