Keypoint: Iowa moves one step closer to enacting consumer data privacy legislation with a bill generally modeled off the Utah Consumer Privacy Act.
On March 14, 2022, the Utah House voted 91-2 to pass House File 2506. Prior to passing the bill, the House adopted Amendment H-8157, which generally aligns the Iowa bill with the recently passed Utah Consumer Privacy Act (UCPA), with a few exceptions.
As we discussed with the UCPA, the Iowa bill would use the same general terminology and framework as the Virginia Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (CPA) but is far more business friendly.
Below is a brief summary.
The bill would apply to persons conducting business in Iowa or producing products or services that are targeted to state residents and that, during a calendar year, either (1) control or process the personal data of 100,000 consumers or (2) control or process the personal data of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data. Of note, the bill does not include an additional monetary threshold as does the UCPA.
The bill defines “sale” as the exchange of personal data for monetary consideration by the controller to a third party. It does not include the phrase “or other valuable” as do the laws in California and Colorado.
“Consumer” is defined as a natural person who is a state resident acting only in an individual or household context and not a natural person acting in a commercial or employment context.
The bill includes the customary exemptions. For example, GLBA financial institutions and data, HIPAA covered entities and business associates, and nonprofits are excluded.
The bill would allow consumers to (1) confirm whether a controller is processing the consumer’s personal data and to access such personal data; (2) delete personal data provided by the consumer; (3) obtain a copy of the consumer’s personal data, except as to personal data that is defined as “personal information” pursuant to section 715C.1 that is subject to security breach protection, that the consumer previously provided to the controller in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and (4) opt out of targeted advertising or the sale of personal data.
The bill does not include a right to correction as is found in laws in California, Colorado and Virginia. It also does not allow consumers the right to opt out of profiling as is found in those laws. The bill does not require controllers to recognize opt out signals.
Controllers would be required to establish an appeal procedure for when they deny requests. That provision is not found in the UCPA.
Similar to the UCPA, the bill only would require controllers to provide consumers with a “clear notice and an opportunity to opt out” of processing sensitive data. Controllers would not be required to obtain consumer consent as is the case in Colorado and Virginia.
Controllers would be required to provide consumers with a privacy notice that provides the typical information regarding the collection, use and sharing or personal data.
Data Processing Agreements
Controllers and processors would be required to enter into data processing agreements. Here, the bill’s requirements are more closely aligned with the VCPDA than the UCPA. For example, the bill would require a processor to delete or return data at the conclusion of services and make information available to controllers to demonstrate compliance. That said, it would not require processors to allow for audits and inspections as does the VCDPA.
The Attorney General is charged with enforcement. Controllers and processors would have a 30-day right to cure that does not sunset. There is no private right of action.
If passed, the bill would go into effect January 1, 2024.