Iowa is sixth U.S. state to enact comprehensive privacy law

What is Iowa’s new privacy law? 

Iowa’s SF262, An Act Relating to Consumer Data Protection, was passed unanimously by the state Senate and House on March 6 and 15 respectively, and signed into law by the Iowa Governor on March 29, 2023. Iowa is the 6th U.S. state to enact a comprehensive privacy law after California, Virginia, Colorado, Utah, and Connecticut. 

When does the Iowa law go into effect? 

It will go into effect on January 1, 2025. 

How does the Iowa privacy law compare to the other U.S. state privacy laws? 

Iowa’s privacy law most closely resembles Utah’s privacy law in that they are relatively less stringent than the other state privacy laws. 

Both Iowa and Utah’s privacy laws do not require data protection assessments, nor do they require data controllers to honor universal opt out signals. They also allow for the processing of sensitive information as long as consumers are presented with a clear notice and a way to opt-out, whereas Indiana, Connecticut, Virginia, and Colorado require opt-in. 

Like the other states, Iowa’s privacy law does not include a general private right of action. 

Will Iowa require opt-outs for targeted advertising?

This is not totally clear. 

The Iowa law does require data controllers to clearly disclose whether they sell personal data to third parties or process personal data for targeted advertising, as well as the manner in which consumers can opt out of processing for those purposes. But, the consumer rights provision doesn’t explicitly include a right to opt out of targeted advertising, and nothing in the law explicitly requires controllers to honor opt-out requests. 

For now, we can infer that a right to opt out of targeted advertising is intended, but will need to await clarification. 

How does Iowa define targeted advertising? 

Iowa defines targeted advertising as displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across non-affiliated websites or online applications to predict such consumer’s preferences or interests. 

Iowa’s definition, like those of other states, is subject to various exceptions, including advertisements based on activities within a controller’s own Internet web sites or online applications, and advertisements based on consumer search queries and web visits. 

Does Iowa have a provision that requires recognition of universal opt-outs? 

No, the Iowa law doesn’t currently include any requirement to honor universal opt-out signals. 

How will the Iowa data privacy law be enforced? What do the penalties look like? 

It will be enforced by the Office of the Attorney General of Iowa. Violations may result in civil fines of up to $7500 each. Violators must be given notice of violation and a 90-day period to cure. 

What types of businesses does Iowa law apply to?

The law applies to entities that: 

Conduct business in Iowa or produce products or services targeted to Iowa residents and that during the preceding calendar year, either:

1. Controls or processes personal data of at least 100,000 consumers; OR
2. Controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.

How will Sourcepoint and its clients need to adapt to comply with the Iowa law?

Other than expanding existing privacy programs into a sixth state, Iowa’s law will not impose any significant new obligations on covered companies that aren’t already required under existing privacy laws in other states. 

Since the Iowa law will be relatively less stringent than some of the other state laws, companies may choose to adjust their practices to a stricter law in order to cover their obligations under Iowa law. 

How is the Iowa privacy law going to impact the advertising industry? 

With the other 5 state privacy laws all going into effect over the course of 2023, increased levels of enforcement is just beginning to incite more urgency. 

The introduction of Iowa’s privacy law to the U.S. privacy patchwork was also closely followed by the passage of comprehensive privacy law in Indiana, indicating ongoing momentum at the state level.