Iowa’s Consumer Data Protection Act

Iowa is set to become the sixth US state to pass comprehensive privacy legislation. Five new privacy laws will take effect in other states throughout 2023. Once the state governor signs Iowa’s new bill, it will take effect in January 2025.

Like several other states, Iowa’s Consumer Data Protection Act (ICDPA) draws heavily from Virginia’s privacy law. The bill strongly resembles another Virginia copycat, Utah, except Iowa’s law will apply more widely.

This article will examine who the ICDPA will cover and consider the main provisions around “selling” personal data, working with processors, facilitating consumer rights, creating privacy notices, implementing security measures, processing sensitive data, and enforcement.

Who is covered by the law?

The ICDPA applies to a business that targets Iowan consumers and:

• Controls or processes personal data about at least 100,000 consumers, or
• Controls or processes personal data about at least 25,000 consumers and derives at least 50% of revenue from selling personal data.

This application threshold mirrors new state privacy laws in Virginia and Utah.

Definition of a ‘Sale’ and ‘Targeted Advertising’

“Selling” personal data means exchanging personal data for money with a third party. Selling does not include disclosing personal data:

• To a processor (see below).
• To a third party for the purposes of providing a service requested by the consumer.
• To an affiliate.
• That the consumer intentionally made public via “mass media” and did not restrict to a specific audience.
• On the directions of the consumer.
• As part of a merger, acquisition, or bankruptcy.

The ICDPA also defines “targeted advertising” as displaying an ad based on personal data obtained “over time” and from across “unaffiliated” websites or apps to predict the consumer’s preferences or interests.

Working with processors

A “processor” under the ICDPA is “a person that processes personal data on behalf of a controller” (a controller is, essentially, any business covered by the law).

As noted, disclosing personal data to a processor does not count as a “sale”.

A processor’s duties under the ICDPA are:

• Assisting the controller with its duties under the ICDPA, including:
  • Facilitating consumer rights requests (see below).
  • Meeting reasonable security requirements (see below), including by notifying the controller of a security breach.

Processors must operate under a contract with the controller that sets out:

• Instructions for processing personal data.
• The nature and purpose of the processing.
• The duration of the processing.
• The rights and duties of each party.
• The processor’s duties, including:
  • Imposing a duty of confidentiality on anyone responsible for data processing.
  • Deleting or returning all personal data on request by the controller.
  • Providing all relevant information regarding the processing to the controller on request.

A processor may be liable for violating the IDCPA if it deviates from the controller’s instructions.

Consumer rights

The ICDPA provides Iowa consumers with the following rights over their personal data:

• The right of access: To confirm whether the controller processes their personal data and to access the personal data.
• The right to delete: To delete personal data provided by the consumer.
• The right to data portability: To access a copy of personal data provided by the consumer (with some exceptions, see below) in a portable and machine readable format.
• The right to opt out: To opt out of the sale of personal data.

Consumers may submit a consumer rights request up to twice per year.

Controllers must establish a “secure and reliable” way to authenticate consumers’ identities before fulfilling a request. This must not require the creation of a new account.

Controllers must not normally charge for facilitating the request. Controllers can charge a fee to cover the admin costs if the request is:

• Manifestly unfounded.
• Excessive
• Technically unfeasible.
• Not made for the primary purpose of exercising a consumer right.

Controllers must fulfil a consumer rights requests without undue delay and within 90 days. A further 45-day extension is available to the controller when reasonably necessary.

If the controller decides to reject a request, they must give their reasons in writing and allow the consumer to appeal the decision.

Privacy notice

Consumers must publish a “reasonably accessible, clear, and meaningful” privacy notice that sets out:

• The categories of personal data the controller processes.
• The purposes of the processing.
• How consumers may exercise their consumer rights and appeal against a decision.
• The categories of personal data that the controller shares with third parties, if any.
• The categories of third parties, if any, with whom the controller shares personal data.

If the controller sells personal data to third parties or images in targeted advertising, it must also disclose this together with an explanation of how to exercise the “right to opt out”.

Note that, despite this obligation, the ICDPA’s consumer rights do not explicitly include a right to opt out of targeted advertising. This appears to be an area of ambiguity that may be clarified in the future.

Other Controller duties (security, sensitive information)

Controllers must implement “reasonable administrative, technical, and physical data security practices” to protect the integrity and confidentiality of personal data. Data breaches are subject to Iowa’s data breach notification law.

The bill defines “sensitive data” as information about:

• Racial or ethnic origin.
• Religious beliefs.
• Mental or physical health diagnosis.
• Sexual orientation.
• Citizenship or immigration status.
• Genetic or biometric data used to identify and individual.
• Personal data collected from a known child.
• Precise geolocation.

Except for the last three items above, none of these data types are “sensitive data” if processed for the purposes of avoiding discrimination.

Before processing sensitive data, a controller must provide the consumer with “clear notice” and an opportunity to opt out of the processing. Children’s data must be processed in accordance with the Children’s Online Privacy Protection Act (COPPA).

Enforcement

The Iowa Attorney General will enforce the ICDPA.

The law grants a 90-day “notice and cure” period. The Attorney General may only bring a case against a business that fails to fix its violation within this 90-day period.

Enforcement actions will be brought as an action in the name of the state, and can include injunctive relief and a civil penalty of up to $7,500 per violation.

The ICDPA does not include a private right of action, so only the Attorney General may enforce the law.