Iowa’s New Consumer Data Protection Act

What is Iowa's Data Privacy Act?

The U.S. state of Iowa is no stranger to privacy bills. The state’s legislature has repeatedly proposed and considered comprehensive consumer data privacy legislation since its first attempt in 2020. After Connecticut, Utah, Virginia, Colorado, and California, Iowa became the sixth state in the country to pass comprehensive privacy legislation. This new law will go into effect on 1 Jan. 2025, giving organizations 21 months to comply with the new requirements.

Who must comply with the Iowa Consumer Data Protection Act? (Section 2)

The law applies to entities that conduct business in the state, or that produce products or services targeted to consumers who are residents of the state, and that during a calendar year do either of the following:

  • Controls or processes personal data of at least one hundred thousand consumers.
  • Controls or processes personal data of at least twenty-five thousand consumers and derives over fifty per cent of gross revenue from the sale of personal data.

Any entity meeting either threshold must comply with Iowa’s consumer data privacy law in order to safeguard consumers’ data privacy.

Who enforces the Iowa Consumer Data Protection Act? (Section 8)

The Iowa Attorney General has the exclusive authority to enforce the provisions of the bill. Businesses found to have violated the law are subject to monetary penalties of up to $7,500 per violation. The bill provides a 90-day cure period that does not have a sunset clause. There is no private right of action.

Key highlights of Iowa Consumer Data Protection Act:

  • Personal Data (Section 1[18]): "Personal data" means any information that is linked or reasonably linkable to an identified or identifiable natural person. "Personal data" does not include de-identified or aggregate data or publicly available information.
  • Consumer (Section 1[7]): "Consumer" means a natural person who is a resident of the state acting only in an individual or household context, and excludes a natural person acting in a commercial or employment context.
  • Sale of Personal Data (Section 1(25)): "Sale of personal data" means the exchange of personal data for monetary consideration by the controller to a third party.
  • Consent (Section 1[6]): "Consent" may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

Consumer Rights (Section 3)

Iowa’s data subject response provision allows a potential 45-day extension to the 90-day response period, in contrast to the standard 45-day response period that other states’ laws carry.

The data subject rights under Iowa’s data privacy law are as follows:

Right to Access

A consumer has the right to know whether a controller is processing the consumer’s personal data and access that data.

Right to Deletion

A consumer has the right to ask for the deletion of their personal data that the consumer provided to the controller.

Right to Data Portability

A consumer has the right to obtain a copy of the consumer’s personal data, that the consumer previously provided to the controller, in a format that is portable, readily usable and allows the consumer to transmit the data to another controller without impediment, where the processing is carried out by automated means.

Right to Opt-Out

A consumer has the right to opt out of the processing of the consumer’s personal data for the purpose of targeted advertising, the sale of personal data or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Obligations of Controllers (Section 4)

Purpose Limitation

Controllers may process personal data only to the extent that it is reasonably necessary for and proportionate to the purposes listed in the Iowa privacy law, and the data collected must be adequate, relevant, and limited to what is necessary in relation to those specific purposes.

Transparency

Under Iowa data protection law, a controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

  • The categories and purpose of personal data processed by the controller;
  • How consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision about the consumer’s request;
  • The categories of personal data that the controller shares with third parties, if any;
  • The categories of third parties, if any, with which the controller shares personal data; and
  • An active electronic mail address that the consumer may use to contact the controller.

Security

The controller must establish, implement, maintain, and update reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, appropriate to the volume and nature of the personal data at issue.

Consent Requirements

Controllers must not process sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of sensitive data concerning a known child, without processing such data in accordance with the Children’s Online Privacy Protection Act (COPPA). Additionally, under Iowa data protection law, controllers are required to “provide an effective mechanism” for consumers to revoke consent that is at least as easy as the mechanism used to provide it.

Nondiscrimination

A controller may not discriminate against a consumer for exercising a right by denying a good or service to the consumer or charging the consumer a different price.

Data processing contracts

Controllers must have a contract with each of their processors that clearly sets out the instructions for processing personal data, the nature and purpose of the processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties. The contract must also lay out the processes for data retention, deletion, and access, and for holding subcontractors accountable.
