On March 15, the Iowa state legislature passed a comprehensive state privacy law (“SF 262”) providing rights to residents of the state of Iowa. Similar to privacy laws in five other states, SF 262 requires businesses that collect a threshold amount of personal data to comply with certain transparency requirements and provide consumers with certain data rights. Here is a quick overview of SF 262.
What Does SF 262 Protect?
Iowa’s SF 262 protects Iowa residents acting in an individual or household context, defining them as “Consumers.” However, unlike the California Consumer Privacy Act (“CCPA”)/California Privacy Rights Act (“CPRA”), whose B2B exemption has expired, SF 262 has a commercial and employment exception.
Similar to other state privacy laws, personal data under SF 262 is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” But personal data does not include de-identified data, aggregate data, or publicly available data.
The “sale of personal data” is simply defined as the exchange of personal data for monetary consideration by the controller to a third party. This definition is narrower than the CCPA/CPRA’s.
Sensitive personal data is defined similarly to the CCPA/CPRA, covering racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, precise geolocation data, and personal data of a child. However, there is an exception where the data is used in order to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law.
The Applicability of SF 262 to Businesses
SF 262 applies to:
- Any person conducting business in the state of Iowa; or
- Services targeted to consumers who are residents of Iowa that do either of the following during a calendar year:
  - Control or process personal data of at least one hundred thousand (100,000) consumers; or
  - Control or process personal data of at least twenty-five thousand (25,000) consumers and derive over fifty percent (50%) of gross revenue from the sale of personal data.
The threshold here is similar to other state privacy laws.
Exceptions to the Scope
SF 262’s applicability exceptions are similar to those of other state privacy laws. SF 262 exempts financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), persons subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), nonprofits, and institutions of higher education.
Consumer Data Rights
Under SF 262, consumers have rights equivalent to those in states that have already implemented comprehensive privacy laws. These include:
- Right to know whether the controller is processing personal data and access to the personal data;
- Right to delete personal data;
- Right to data portability (with the exception of personal information subject to security breach protection); and
- Right to opt out.
Controller’s Duties
Likewise, SF 262’s obligations on the controller are on par with those of other comprehensive state privacy laws. For example, SF 262 requires a controller to implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. It also prohibits controllers from processing sensitive data unless the consumer is given clear notice and a chance to opt out, and prohibits controllers from discriminating against consumers who exercise their consumer data rights.
Privacy Notice Requirements
SF 262 sets forth what is required in the privacy notice to comply with the law. Again, these requirements are very similar to those of other comprehensive state privacy laws. Specifically, SF 262 requires the privacy notice to disclose the following:
- Categories of personal data processed by the controller;
- Purpose of processing personal data;
- How consumers can exercise their data rights;
- Categories of personal data the controller shares with third parties;
- Categories of third parties with whom the controller shares personal data; and
- Disclosure of, and the right to opt out from, the sale of personal data or targeted advertising, if the controller engages in either.
Contractual Requirements Between Controller and Processor
SF 262 requires the controller and the processor to enter into a contract to govern the processor’s data processing procedures. The contract must include processor obligations very similar to those in the other state privacy laws. These include:
- Setting forth the instructions for processing personal data, including the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties;
- Ensuring that each person processing personal data is subject to a duty of confidentiality with respect to the data;
- Obligating the processor to delete or return all personal data to the controller as requested by the controller at the end of the service;
- Making available information to demonstrate the processor’s compliance with its obligations under SF 262; and
- Requiring the processor to enter into a written contract with a subprocessor and obligating the subprocessor to meet the same duties placed on the processor with respect to processing personal data.
No Private Right of Action
Like other state privacy laws, SF 262 does not allow for a private right of action. This means enforcement authority rests exclusively with the state attorney general. In terms of enforcement, SF 262 requires the attorney general to give ninety (90) days’ written notice identifying the provisions violated. If the controller or processor cures the violation, an enforcement action will not be initiated. However, if the violation is not cured, the attorney general may initiate an enforcement action. The civil penalties for such an action may be up to seven thousand five hundred dollars ($7,500) for each violation.
Impact of the Bill
Due to SF 262’s similarity to other state privacy laws, companies in compliance with the other five state privacy laws will likely be in compliance with Iowa’s new privacy law.
For more information, please contact the authors of this article or any other member of Frost Brown Todd’s Data, Digital Assets & Technology practice group.