Data Privacy Law

Data Privacy Law Passed by Iowa: Data Privacy Trends

So much to do this week, just now getting to this. Last week, Iowa became the sixth state to pass a data privacy law, doing so unanimously!

According to Forbes (Iowa Unanimously Passes Data Privacy Law, written by Alonzo Martinez and available here), Senate File 262 was unanimously passed by the Iowa Senate and House and awaits the Governor’s signature.

Iowa’s data privacy law applies to companies that (1) control or process data of at least 100,000 Iowa consumers, or (2) control or process data of at least 25,000 Iowa consumers and derive 50% of their revenue from the sale of personal data. Of note for employers conducting background checks, Iowa joins California, Colorado, Connecticut, Utah, and Virginia by exempting data regulated by the Fair Credit Reporting Act (FCRA). Exceptions also exist for state and municipal entities, political subdivisions, banks, and financial companies subject to the Gramm-Leach-Bliley Act (GLBA), and healthcare organizations as specified in the statute subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), non-profits, higher education institutions including Family Educational Rights and Privacy Act (FERPA) data, data governed by the Children’s Online Privacy Protection Act of 1998 (COPPA) and certain information related to employment.

The Iowa Privacy Law grants the following rights to consumers, subject to authentication of the consumer request:

  • Right to confirm processing and access personal data
  • Right to delete personal data provided by the consumer
  • Right to obtain a copy of the personal data
  • Right to opt-out of sale of personal data to a third party
  • Right to opt-out of targeted advertising

Controllers must provide consumers with a privacy notice that identifies the following:

  • The categories of personal data processed,
  • The purposes for processing,
  • How consumers can exercise their data privacy rights,
  • The categories of personal data the controller shares with third parties if any, and
  • The categories of third parties, if any, with whom the controller shares personal data.

Iowa’s data privacy law is expected to be signed by the Governor and will take effect on January 1, 2025. For more on the new law, check out the article here.

So, what do you think? Which state will be next to pass a data privacy law? Please share any comments you might have or if you’d like to know more about a particular topic.

Image Copyright © World Atlas

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.


Leave a Reply