Clifford Chance

On March 28, 2023, Iowa became the sixth state in the U.S. to enact comprehensive data privacy legislation with Iowa Governor, Kim Reynolds, signing Iowa Senate File 262, an Act relating to consumer data protection, providing civil penalties and including effective date provisions (the Iowa Consumer Data Protection Act or IACDPA). The IACDPA comes into effect on January 1, 2025. The IACDPA joins other U.S. state data privacy laws that are either in effect or will soon come into force (together with the IACDPA, the "State Data Privacy Laws"). This article summarizes key provisions of the IACDPA.

Scope and Applicability

The IACDPA applies to a person that conducts business in Iowa or produces products or services that are targeted at Iowa consumers, and which during a calendar year either:

• controls or processes personal data of at least 100,000 Iowa consumers or 
• controls or processes personal data of at least 25,000 Iowa consumers and derives over fifty percent (50%) of gross revenue from the "sale" of personal data.

The IACDPA is similar to most other State Data Privacy Laws with respect to exclusions and exemptions. For example, the IACDPA only applies to personal data collected from "a natural person who is a resident of the state" and, like most State Data Privacy Laws other than the California Consumer Privacy Act and California Privacy Rights Act, expressly excludes personal data collected or processed from natural persons acting in an employment or commercial context (e.g., business-to-business activities). The IACDPA also includes typical exemptions in line with most other State Data Privacy Laws, such as for state political subdivisions or entities, nonprofit organizations, institutions of higher education, and any information or data regulated by certain other privacy laws, including the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act.

Controller and Processor Regime

The IACDPA, like certain other State Data Privacy Laws, contains the regulatory framework of the European Union's General Data Protection Regulation, which distinguishes roles and responsibilities between controllers and processors. The IACDPA defines a "controller" as a person that, alone or jointly with others, determines the purpose and means of processing personal data and a "processor" as a person who processes personal data on behalf of a controller.

The IACDPA requires controllers to provide consumers with a reasonably accessible, clear, and meaningful privacy notice, which, among other things, discloses:

• the categories of personal data processed by the controller and the purpose of such processing
• the categories of personal data and third parties with whom the controller shares personal data
• how consumers may exercise their privacy rights, including the appeals process. 

Controllers may only process personal data to the extent such processing is "reasonably necessary and proportionate" and "adequate, relevant, and limited to what is necessary" for certain specified purposes. Controllers are also required to implement reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data.

In contrast to certain other State Data Privacy Laws, the IACDPA does not expressly require controllers to conduct and document data protection impact assessments or similar reports in connection with the collection or processing of personal data.

However, like most other State Data Privacy Laws, the IACDPA requires controllers and processors to enter into a written contract, which governs the processor's data processing procedures performed on behalf of the controller. The IACDPA requires contractual provisions that clearly set out instructions for the processing of applicable data, describe the type of data subject to and the duration, nature, and purpose of such processing, and specify the rights and duties of each party. Processors also must be subject to a duty of confidentiality with respect to the applicable data and enter into subcontracts with sub-processors to ensure similar protections. Processors are required to assist controllers with complying with applicable obligations (1) under the IACDPA (e.g., responding to consumer rights requests) and (2) related to the security of personal data processing and notification of security breaches under Iowa Code § 715C.2.

Consumer Rights and Requests

The IACDPA provides a variety of individual consumer rights that align with those found in most other State Data Privacy Laws. These rights provide consumers with a right to access, obtain a copy of, and delete their personal data, and to opt-out of the selling of personal data and/or sharing of personal data for targeted advertising. However, similar to the Utah Consumer Privacy Act, the IACDPA does not include an express consumer right to "correct" personal data.

The IACDPA also permits parents and guardians to exercise rights on behalf of their children (defined as individuals under the age of thirteen (13)). Children's data must be processed in accordance with the Children's Online Privacy Protection Act, 15 U.S.C. § 6501 et seq. (COPPA), which requires consent from parents or guardians.  

The IACDPA also grants consumers certain rights with respect to other "sensitive data." The IACDPA's definition of "sensitive data" is similar to definitions seen in most other State Data Privacy Laws, which encompass a consumer's racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, children's data, and precise geolocation data. In contrast to certain other State Data Privacy Laws, like the Virginia Consumer Data Protection Act, the IACDPA provides an "opt-out" regime with respect to the processing of sensitive data, which prohibits controllers from processing sensitive data "without the consumer having been presented with clear notice and an opportunity to opt out of such processing" (or in accordance with COPPA if the "sensitive data" is children's data).

Right to Appeal

Under the IACDPA, a controller must respond to a consumer's request to exercise a right within ninety (90) days of receipt of such request. A controller can extend the response period by an additional forty-five (45) days when reasonably necessary and in consideration of the complexity and number of consumer requests received within the initial ninety (90) day period by providing notice and an explanation to the consumer. Like most other State Data Privacy Laws, if the controller denies a consumer's request, the controller must explain the justification for the denial and include instructions for appeal that are conspicuously available and similar to the process for submitting consumer rights requests. Within sixty (60) days of receipt of an appeal request, a controller must inform the consumer of any action taken or not taken in response to the appeal. If the appeal is denied, the controller must provide the consumer with an online mechanism through which the consumer may contact the Iowa Attorney General to submit a complaint.

Selling Personal Data

The IACDPA defines the "sale of personal data" as "the exchange of personal data for monetary consideration by the controller to a third party." The IACDPA also provides exceptions to the "sale of personal data" in line with a number of other State Data Privacy Laws, including a controller's disclosure of personal data:

• to a processor that processes personal data on behalf of the controller
• to a third party for purposes of providing a product or service requested by the consumer
• to the controller's affiliates
• that the consumer intentionally made available to the general public and did not restrict to a specific audience
• to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction.

As noted above, controllers must provide consumers with the ability to opt-out of the selling of their personal data, but the IACDPA does not provide any additional guidance on how controllers must offer and process such consumer opt-out requests from a technical perspective.

Targeted Advertising

The IACDPA defines "targeted advertising" as "displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests." Like most other State Data Privacy Laws, the IACDPA expressly excludes certain activities from the definition of "targeted advertising," such as advertisements based on:

• activities within a controller's own or affiliated websites or online applications
• the context of a consumer's current search query, visit to a website, or online application
• the consumer's request for information or feedback
• the measuring or reporting of the performance, reach, or frequency of an advertisement. 

The IACDPA also imposes the same opt-out requirements on controllers in connection with targeted advertising as it does with respect to the sale of personal data.

De-identified and Pseudonymous Data

The IACDPA defines "de-identified data" as data that cannot reasonably be linked to an identified or identifiable individual, and such data is expressly excluded from the definition of "personal data." In contrast to certain other State Data Privacy Laws, the IACDPA does not explicitly impose a general obligation on controllers to use reasonable measures to ensure that de-identified data cannot be associated with an individual nor expressly requires controllers to contractually obligate recipients of de-identified data to comply with specific provisions of the IACDPA. Additionally, in contrast to requirements under some other State Data Privacy Laws, such as the Virginia Consumer Data Protection Act, Utah Consumer Privacy Act, and Connecticut Data Privacy Act, controllers are not required to "publicly commit" not to re-identify any de-identified data.

The IACDPA defines "pseudonymous data" as personal data that cannot be attributed to a specific natural person without the use of additional information. Certain consumer rights (e.g., right to access, delete, opt-out, etc.) under the IACDPA do not apply to pseudonymous data if the controller demonstrates that any additional information necessary to identify the consumer is kept separately and subject to appropriate technical and organizational measures to ensure that the personal data cannot be attributed to an identified or identifiable natural person.

The IACDPA does require controllers that disclose de-identified data and/or pseudonymous data to exercise reasonable oversight to monitor compliance with any contractual commitments with third parties related to such de-identified data and/or pseudonymous data and to take appropriate actions to address any breaches of such contractual commitments.

Enforcement and Penalties

In contrast to the California Consumer Privacy Act and California Privacy Rights Act, the IACDPA does not provide consumers with a private right of action and is not enforced by a dedicated privacy agency. Rather, the IACDPA is enforced by the Iowa Attorney General. Under the IACDPA, the Iowa Attorney General, prior to initiating an action, will provide a controller and/or processor with ninety (90) days' written notice that identifies the specific provision(s) alleged to be violated. The controller and/or processor may cure such alleged violations within the ninety (90) day period. If uncured, the Iowa Attorney General may initiate an action against the controller and/or processor and recover up to $7,500 in civil penalties per violation.