Iowa to Introduce the Sixth Comprehensive State Privacy Law in United States
Client Alert | 2 min read | 03.24.23
On March 15, the Iowa House passed Senate File 262 (SF 262), a comprehensive state privacy law bill. If enacted, SF 262 would be the sixth state level privacy legislation, following California, Virginia, Colorado, Utah, and Connecticut, and it would go into effect on January 1, 2025.
Iowa’s new law is closest to the Utah Consumer Privacy Act (UCPA), having broad exemptions and more limited obligations for controllers. Notably, SF 262 provides exemptions for consumer rights where “pseudonymous data” and “de-identified data” (as defined by the bill) are involved, including certain opt-out rights.
For the most part, Iowa’s bill treads familiar territory. Its scope extends to entities that conduct business in Iowa or produce products or services targeted to Iowa residents, and that meet the following requirements, in a calendar year: (1) control or process personal data of at least 100,000 consumers; or (2) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from sale of personal data.
Iowa’s bill does not create new obligations for businesses compared to what is already required under other states’ privacy laws. For example, the Iowa bill’s privacy notice requirements are not unique to SF 262 – companies with privacy policies drafted to comply with the CCPA (California Consumer Privacy Act) and VCDPA (Virginia Consumer Data Protection Act) are not likely to have to amend their policies in order to comply with Iowa’s requirements. In addition, like Utah and Virginia, Iowa’s bill includes a narrow definition of “sale” of personal data (the exchange of personal data for monetary consideration by the controller to a third party), as well as numerous exceptions.
Iowa’s bill notably diverges from consumer protections found in most existing state privacy laws. For example, it only requires clear notice and opt-out for sensitive data, while other states like Colorado, Connecticut, and Virginia adopted opt-in requirements. The Iowa bill also lacks a consumer right to correct data. There are no requirements for covered entities to conduct privacy impact assessments or establish data minimization principles. Furthermore, responses to consumer requests not only have a 90-day response period (compared to 45-days in other states) but also are subject to a potential 45-day extension.
This bill does not contain a private right of action; enforcement rights belong exclusively with the Iowa State Attorney General. The AG may seek injunctive relief and civil penalties of up to $7,500 per violation. However, this first requires providing a 90-day cure period before bringing any enforcement, and such cure period does not sunset.
We will continue to monitor the developments and keep you informed of any further updates.
Contacts
Insights
Client Alert | 5 min read | 09.03.25
If You’re Not First, You’re Last: Federal Circuit’s First Review of an AIA Derivation Proceeding
Nearly a decade and a half after the passage of the Leahy-Smith America Invents Act (“AIA”), the Federal Circuit finally had its first occasion to review an appeal of a derivation proceeding that was litigated before the Patent Trial and Appeal Board (“Board”) in Global Health Solutions LLC v. Selner. This case provides helpful guidance for patent litigators regarding the proper legal framework in a derivation proceeding and serves as a reminder that patent applications should be filed as soon as possible. As the facts of this case show, it is important that inventors retain documents and other evidence of the conception of their invention, as well as its communication to others, should there be any challenge to their invention.
Client Alert | 2 min read | 09.03.25
Client Alert | 6 min read | 09.02.25
Landmark Proposed Rule May Open American Skies to Expanded Commercial Drone Deployments
Client Alert | 6 min read | 09.01.25
Facing the Fraud Challenge: How UK Charities Must Adapt to the New Failure to Prevent Fraud Offence