URL:
https://iapp.org/news/a/iowa-becomes-sixth-us-state-to-enact-comprehensive-consumer-privacy-legislation/
Submission: On May 11 via manual from US — Scanned from US
THE PRIVACY ADVISOR | IOWA BECOMES SIXTH US STATE TO ENACT COMPREHENSIVE CONSUMER PRIVACY LEGISLATION

Mar 29, 2023

Anokhy Desai, CIPP/US, CIPM, CIPT, IAPP Staff Contributor

The U.S. state of Iowa is no stranger to privacy bills. Since its first attempt in 2020, the state's legislature has repeatedly proposed and considered comprehensive consumer data privacy legislation. But 2023 is the year privacy took root in Iowa. On 29 March, Iowa became the sixth state to pass a comprehensive privacy law, joining Connecticut, Utah, Virginia, Colorado and California. The law will go into effect on 1 Jan. 2025, giving organizations 21 months to comply with the new requirements from this state with over 3 million residents.

Though the new law includes many familiar elements from other state laws, organizations should note a handful of differences as they expand their U.S. compliance efforts.

SCOPE

Like the other state laws before it, the Iowa privacy law applies to entities that conduct business in Iowa or produce products or services that target consumers in the state. Like other states, except California, which defines the term as a state resident who is identifiable, Iowa defines "consumer" as a natural person who is a resident of the state acting in a noncommercial and nonemployment context. The law divides obligations between controllers and processors, embracing the common definitions of those terms.

A business falls within the scope of the Iowa law if it controls or processes personal data of at least 100,000 Iowa consumers, about 3% of the state’s population, during a calendar year. Alternatively, businesses that derive more than 50% of gross revenue from the sale of personal data fall within scope of the law if they control or process personal data of at least 25,000 Iowa consumers. Iowa’s second independent prong, the threshold for revenue derived from sales, incorporates the same test as all prior state laws, except Connecticut’s 25% threshold and Colorado's still broader "any revenue or discount" standard.

What about a revenue threshold? Utah's privacy law applies to organizations that do business in the state and make USD25 million in annual revenue, and California uses the same revenue benchmark as a third independent factor that can place companies within scope of the California Consumer Privacy Act. Unlike California and Utah, an organization does not fall within scope of the Iowa law, or the other state laws, by reference to a revenue threshold. Businesses of any size that meet the above requirements must comply.

Iowa adopts a familiar definition for "personal data": any information linked or reasonably linkable to an identified or identifiable natural person, excluding deidentified data, aggregate data – information relating to a group or category of consumers that excludes consumer identities and is not linked or linkable to any consumer – and publicly available information.

"Sensitive data" under the Iowa law includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status (except when such data is used to avoid discrimination), as well as genetic or biometric data, personal data of children, and precise geolocation data within a radius of 1,750 feet.

EXEMPTIONS

Privacy professionals will find Iowa’s data exemptions to be familiar as well. Information exempted from the Iowa privacy law includes personal data covered by existing federal laws like the Health Insurance Portability and Accountability Act, the Children’s Online Privacy Protection Act, the Family Educational Rights and Privacy Act, the Driver’s Privacy Protection Act and the Farm Credit Act, as well as health records, human subjects research data covered by federal law or other standards, and data processed or maintained for employment purposes.

The law additionally exempts certain types of entities and data from its requirements. The Iowa privacy law does not apply to:

* Government entities.
* Financial institutions, their affiliates and entities subject to the Gramm-Leach-Bliley Act.
* Entities that are subject to and comply with the Health Information Technology for Economic and Clinical Health Act and/or HIPAA.
* Nonprofit organizations.
* Higher education institutions.

CONSUMER RIGHTS

Under the Iowa law, consumers are provided with four main rights: the right to access, the right to delete, the right to portability and the right to opt out of the sale of their personal data. This law notably does not provide the rights to correct personal data, not to be subject to fully automated decisions, or to opt out of certain processing, such as for targeted advertising or profiling purposes. More specifically, while there is not an explicit right to opt out of targeted advertising in the law's consumer rights section, it does include a peculiar requirement for controllers that engage in targeted advertising to "clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity."

Unlike Colorado, Connecticut and Virginia, the new law does not require an opt-in choice for sensitive data processing but rather requires covered entities to provide notice and an opportunity to opt out. This requirement is more in keeping with California and Utah.

Right to access. Consumers have the right to confirm whether a controller is processing their personal data and to access that data. Like Connecticut's law, it has an exception for data that would reveal trade secrets.

Right to delete. Consumers have the right to delete the personal data they provided to the controller. This right is narrower than in the Connecticut and Colorado privacy laws, which include the ability to delete personal data obtained about the consumer from other sources.

Right to data portability. Consumers have the right to obtain a copy of the personal data they provided to the controller, except when such data is subject to security breach protection, or previously provided to the controller in a portable and readily usable format that allows the consumer "to transmit the data to another controller without hindrance, where processing is carried out by automated means." This is similar to the Virginia law, in which the right is also limited to consumer-provided data.

Right to opt out of sales. Consumers have the right to opt out of the sale of personal data. Here, the definition of "sale" includes the exchange of personal data for monetary consideration, but not disclosure to a processor, disclosure to a controller to fulfill a consumer request, disclosure made by a consumer to a public channel, or internal transfers, including merger or acquisition activity. The law further states opt-out rights do not apply to pseudonymous data, defining the term as personal data that "cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person." This definition is consistent across all six states, but unlike Colorado, Connecticut, Virginia and Utah, Iowa's consumer opt-out rights do not apply to pseudonymous data.

Consumers can invoke their rights by submitting a request specifying those rights to the controller in the manner described in the controller’s privacy notice. Controllers have 90 days after receipt of the request to respond, and after notifying the consumer, may extend that period by 45 days when reasonably necessary, depending on the complexity and number of requests.

OBLIGATIONS

Under the Iowa law, covered entities have certain obligations that mirror most of those required by its predecessors. This law notably does not require entities to perform data protection or privacy risk assessments.

Purpose limitation. Controllers can process personal data that is reasonably necessary and proportional to the purposes listed in the Iowa privacy law if it is adequate, relevant and limited to what is necessary in relation to the specific purposes listed in the law.

Data security. Controllers must implement reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and availability of personal data. Similar to the requirements of the other states' comprehensive privacy laws, these practices should be appropriate to the volume and nature of the personal data.

Consent requirements. The statute requires consent to be a clear affirmative act that indicates a consumer's freely given, specific, informed and unambiguous agreement to the processing of their personal data. Controllers are prohibited from processing sensitive data collected from a consumer for a nonexempt purpose unless they provide the consumer with clear notice and an opportunity to opt out of such processing. If the sensitive data belongs to a known child, the processing must be in accordance with COPPA. This section follows the opt-in default requirement set by Colorado, Connecticut and Virginia, all three of which require opt-in consent for the collection of personal data from a user known to be under 13 years of age.

Nondiscrimination. Consistent with the five other comprehensive state privacy laws, controllers are also barred from processing personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. Controllers additionally cannot discriminate against consumers for exercising their rights, but may offer different prices to consumers based on certain factors like a consumer's voluntary participation in a bona fide loyalty program.

Transparency. Controllers must provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes:

* The categories of personal data processed by the controller.
* The purpose for processing personal data.
* How consumers may exercise their rights and appeal a controller's decision.
* The categories of personal data the controller shares with third parties, if any.
* The categories of third parties, if any, with whom the controller shares personal data.

Data processing contracts. Controllers must have a contract with their processors that clearly sets forth instructions for processing personal data, the nature and purpose for processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties. The contract must also lay out processes for retention, deletion, access and subcontractor accountability.

Iowa’s privacy law, like Virginia’s law, makes no mention of universal opt-out mechanisms such as the Global Privacy Control. The law also deems contract provisions that waive or limit consumer rights as "contrary to public policy," void and unenforceable.

ENFORCEMENT

Like the state privacy laws enacted by Colorado, Connecticut, Virginia and Utah, the Iowa privacy law does not offer a private right of action. It does, however, provide the attorney general with the exclusive right to enforce the act through civil investigative demands. The attorney general must provide the violating party with a written notice listing the violations; the party then has 90 days to cure the violations, notify the attorney general of the cure and provide a statement that no further violations will occur. If a controller or processor is still in violation of the law after the cure period, or after sending their statement, the attorney general can initiate civil proceedings. A controller or processor found to be in violation of the Iowa privacy law is subject to a fine of USD7,500 per violation, paid into the consumer education and litigation fund.

Organizations will likely find the consistency between the rights and obligations provided in the Iowa statute and those in the other state statutes will allow for a smoother transition into compliance. While the Iowa law provides many of the same protections as the other comprehensive state privacy laws, the rights and obligations are less prescriptive concerning business compliance. In that way, Iowa sets a new precedent for states that were unable to pass their own privacy laws in recent years due to concerns about business impact and costs.

TAGS: U.S., Enforcement, Privacy Law

1 COMMENT

Christine Novak • Mar 31, 2023

Thank you for this analysis of the new law. I was curious about one issue. I see where the law defines consent, but I'm having trouble identifying where the statute requires the business to obtain consent to processing. I see the opt-out rights, but not the consent requirement. What am I missing?