On March 28, 2023, Iowa passed a law meant to protect consumer data. The Iowa Consumer Data Protection Act (“ICDPA” or “Act”), codified at Iowa Statute Section 715D, will take effect on January 1, 2025.
Who is Covered by the Act?
The Act places certain restrictions and obligations on companies or persons that hold and process personal data (referred to as “Controllers”). The new law will only apply to Controllers who (A) control or process personal data of at least 100,000 Iowa consumers or (B) control or process personal data of at least 25,000 Iowa consumers and derive over 50 percent of gross revenue from the sale of personal data. “Personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” It does not include aggregate data or publicly available information. “Sensitive data” is defined as data regarding (A) racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status; (B) genetic or biometric data; (C) personal data collected from a child; and (D) precise geolocation data.
What does the ICDPA Require?
The ICDPA requires Controllers to comply with requests by consumers (A) to confirm whether the Controller holds or is processing data of the consumer; (B) to delete personal data provided by the consumer; (C) to obtain a copy of the consumer’s personal data; and (D) to opt out of the sale of personal data. A Controller must respond to the consumer’s request within 90 days, with a 45-day extension when “reasonably necessary.” Information is to be provided free of charge, up to two times per year.
Controllers are also required to adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Controllers must also provide consumers with clear notice and an opportunity to opt out of having their sensitive data processed. Finally, Controllers must provide consumers with a privacy notice that includes the following: (A) the categories of personal data processed by the Controller; (B) the purpose for processing personal data; (C) how consumers may exercise their consumer rights; (D) the categories of personal data that the Controller shares with third parties, if any; and (E) the categories of third parties, if any, with whom the Controller shares personal data.
What is Exempt from the Act?
Some types of data are exempt from the requirements of the ICDPA. Most importantly, data about employees is not covered by the Act. Protected health information and health records are also exempt from the Act. Data governed by the Children’s Online Privacy Protection Act (COPPA) is also exempt.
Many types of businesses and entities are also exempt from the Act, including the state government, banks and financial institutions, healthcare institutions, non-profits, and institutions of higher education.
How is the Act Enforced?
The ICDPA does not create a private right of action by consumers. The Iowa Attorney General has the authority to investigate non-compliance and may assess penalties of up to $7,500 per violation.
So What Types of Companies are Impacted by this Law?
Iowa joins five other states that have enacted similar laws. The application of this Act will primarily impact tech companies, apps, and social media platforms that collect and share data for targeted advertising. It also applies to retailers, both brick-and-mortar and online, that collect data from customers. If you have questions about your rights as a consumer in Iowa, contact the Iowa Attorney General’s office.
About the Firm:
The Minnesota privacy law attorneys of Trepanier MacGillis Battina P.A. can be reached at 612.455.0500. TMB is a business law firm located in Minneapolis, Minnesota.