Key point: Pending the governor’s signature, Iowa will become the sixth state to pass consumer data privacy legislation.
On March 15, 2023, the Iowa House voted 97-0 to pass SF 262. The bill previously passed the Senate by a vote of 47-0. The bill was procedurally messaged back to the Senate. Pending any remaining procedural hurdles and the governor’s signature, Iowa will become the sixth state to pass consumer data privacy legislation, with a bill that rivals Utah’s as the most business-friendly legislation passed to date.
In the post below, we provide a comparison of the Iowa bill to the five existing state privacy laws. You can also access a PDF of the comparison charts here. In addition, Keir Lamont and Mercedes Subhani from the Future of Privacy Forum prepared a very useful chart comparing the Iowa bill to the Connecticut Data Privacy Act.
Applicability Thresholds
Law | Monetary Threshold | # of Consumers Threshold | Sell/Share Threshold |
California | $25,000,000 | 100,000 consumers or households (0.26% of state’s 39.2 million population) | Derives 50% or more of annual revenues from selling or sharing consumers’ personal information |
Colorado | N/A | 100,000 consumers (1.72% of state’s 5.8 million population) | Derives revenue or receives a discount on the price of goods or services from the sale of personal data + processes or controls the personal data of 25,000 or more consumers |
Connecticut | N/A | 100,000 consumers (2.78% of state’s 3.6 million population) | Derives more than 25% of gross revenue from sale of personal data + control or process personal data of not less than 25,000 consumers |
Iowa | N/A | 100,000 consumers (3.125% of state’s 3.2 million population) | Derives over 50% of gross revenue from sale of personal data + controls or processes personal data of 25,000 or more consumers |
Utah | $25,000,000 (+ another category) | 100,000 consumers (3.03% of state’s 3.3 million population) | Derives over 50% of gross revenue from sale of personal data + controls or processes personal data of 25,000 or more consumers |
Virginia | N/A | 100,000 consumers (1.16% of state’s 8.6 million population) | Derives over 50% of gross revenue from sale of personal data + control or process personal data of at least 25,000 consumers |
Rights
Right | Cal. | Colo. | Conn. | Iowa | Utah | Virginia |
Know / Confirm | Yes | Yes | Yes | Yes | Yes | Yes |
Access | Yes | Yes | Yes | Yes | Yes | Yes |
Data portability | Yes | Yes | Yes | Partial | Partial | Yes |
Deletion | Partial | Yes | Yes | Partial | Partial | Yes |
Correct inaccuracies | Yes | Yes | Yes | No | No | Yes |
Not be discrim. against | Yes | Yes | Yes | Partial | Partial | Yes |
Opt-out of sale | Yes | Yes | Yes | Yes | Partial | Yes |
Opt-out of targeted advertising / sharing | Yes | Yes | Yes | Unclear (right is not listed in consumer rights provision of bill but controllers must provide means to opt out) | Yes | Yes |
Opt-out of certain types of profiling | Yes | Yes | Yes | No | No | Yes |
Recognize opt out signals | Yes (through rulemaking) | Yes | Yes | No | No | No |
Other Provisions
Provision | Cal. | Colo. | Conn. | Iowa | Utah | Virginia |
Data Protection Assess. | TBD (rulemaking) | Yes | Yes | No | No | Yes |
Definition of sale | Monetary or other valuable consid. | Monetary or other valuable consid. | Monetary or other valuable consid. | Monetary consid. | Monetary consid. | Monetary consid. |
Opt out Request Must be Verified | No | Yes | No | Yes | Yes | Yes |
Treatment of Sensitive Data | Right to Limit Use | Opt-in | Opt-in | Notice and opt-out | Notice and opt-out | Opt-in |
GLBA exemption | Data level | Entity and data level | Entity and data level | Entity and data level | Entity and data level | Entity and data level |
Additional Children’s Rights | Opt-in for selling or sharing of PI of children ages 13-15 | No | Opt-in for targeted advertising or sale of PI of children ages 13-15 | No | No | No |
Data Processing Agreements | Yes | Yes | Yes | Yes | Yes | Yes |
Privacy Policy | Yes | Yes | Yes | Yes | Yes | Yes |
Implement Reasonable Data Security Measures | Yes | Yes | Yes | Yes | Yes | Yes |
Duty to Avoid Secondary Use | Yes | Yes | Yes | No | No | Yes |
Data Minim. | Yes | Yes | Yes | No | No | Yes |
Enforcement | Attorney General / Agency (limited PRA for data breaches) | Attorney General | Attorney General | Attorney General | Attorney General | Attorney General |
Right to Cure | Expired | 60 days (sunsets Jan. 1, 2025) | 60 days (sunsets Dec. 31, 2024) | 90 days (does not sunset) | 30 days (does not sunset) | 30 days (does not sunset) |
Rulemaking | Yes | Yes | No | No | No | No |
Effective Date | Jan. 1, 2023 | July 1, 2023 | July 1, 2023 | Jan. 1, 2025 | Dec. 31, 2023 | Jan. 1, 2023 |