Iowa Passes a Comprehensive Data Protection Law
19 March 2023
Iowa’s House and Senate have unanimously voted to approve a new and comprehensive privacy act (“the Bill”). In the absence of a comprehensive federal data protection framework, Iowa will be the sixth state to enact a state privacy law, following California, Virginia, Colorado, Connecticut and Utah.
The Bill would apply to all entities that conduct business in Iowa, or produce a product or service targeted at Iowa’s residents, and that meet either of the following thresholds during a calendar year:
- the entity controls or processes personal data of over 100,000 Iowa residents; or
- the entity controls or processes personal data of over 55,000 Iowa residents and derives over 50% of its gross revenue from the “sale” of personal data.
Certain financial and health institutions as well as non-profit organizations and institutions of higher education are exempted from the Bill. In addition, the Bill excludes employment data and publicly available personal data, such as data made widely public by the data subject, from its ambit.
Below are some of the key highlights of the Bill:
- Consumer rights: the Bill grants consumers the rights of access, deletion and portability, and the right to opt out of the sale of their personal data. Controllers must respond to consumer requests within 90 days (unlike the standard 45-day period in other states), with an option to extend that period by an additional 45 days when reasonably necessary, taking into account the complexity and number of requests handled. Controllers must also put in place a procedure allowing consumers to appeal the rejection of a request, and must inform consumers of their right to further appeal to the Attorney General.
- Discrimination: the Bill prohibits controllers from processing personal data in violation of state and federal laws prohibiting unlawful discrimination. Moreover, consumers may not be discriminated against for exercising any of their rights under the Bill; discrimination includes denial of service and differences in the pricing or quality of services or products. That said, controllers may offer a different price, rate, level or quality of goods or services if the consumer exercises the right to opt out of sale, or where the offer relates to the consumer’s voluntary participation in a loyalty, rewards, discount, club card or similar program.
- Permitted use: the Bill does not prevent controllers and processors from processing personal data for certain purposes, such as conducting internal research, improving and developing products, establishing legal claims, performing internal operations, and maintaining security and integrity.
- Sensitive data: before processing sensitive data (which includes, inter alia, health, biometric and precise geolocation data), controllers must provide consumers with notice and an opportunity to opt out of such processing.
- Enforcement: the Bill does not create a private right of action and can be enforced only by Iowa’s Attorney General. It includes a non-sunsetting 90-day cure period: the Attorney General must give prior written notice of any alleged violation and allow the controller or processor to cure it before taking action. Each violation of the Bill could lead to fines of up to $7,500 per violation.
The Bill is expected to be approved shortly by the governor. Once signed into law, the Bill is expected to enter into force on 1 January 2025.