On March 6 and 15, 2023, both chambers of the Iowa Legislature unanimously voted to approve Senate File 262, which could make Iowa the sixth U.S. state to enact comprehensive privacy legislation. The bill is most similar to Utah’s comprehensive privacy law.

Applicability

Senate File 262 would apply to a person that (1) conducts business in Iowa or produces products or services that are targeted to Iowa residents and (2) during a calendar year, satisfies at least one of the following thresholds: (a) controls or processes the personal data of 100,000 or more Iowa residents, or (b) controls or process personal data of at least 25,000 Iowa residents and derives over 50% of its gross revenue from the sale of personal data.

Senate File 262’s protections would apply only to Iowa residents acting in an individual or household context, with an express exemption for individuals acting in a commercial or employment context. The law contains exemptions for financial institutions, affiliates of financial institutions and personal data subject to the Gramm-Leach-Bliley Act, persons who are subject to and comply with regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996, nonprofit organizations, and institutions of higher education.

Controller Obligations

Controllers would be required to implement reasonable security practices, provide a compliant privacy notice to consumers and enter into agreements with processors that handle the controller’s personal data. Unlike some of the other comprehensive state privacy laws, Senate File 262 would not require controllers to undertake data protection assessments.

The law also would require controllers to first provide consumers with clear notice and an opportunity to opt out of the processing of their sensitive data.

Consumer Rights

Controllers would be required to provide consumers with the right to: (1) confirm whether a controller is processing the consumer’s personal data and obtain a copy of the data in portable form; (2) delete personal data provided by the consumer; and (3) opt-out of the sale of personal data. These rights notably exclude a right to correct inaccurate personal data.

Controllers would have 90 days to respond to consumer rights requests, with a potential 45-day extension in certain circumstances.

Enforcement

Senate File 262 does not contain a private right of action and would be enforced exclusively by the Iowa Attorney General. The bill provides a non-sunsetting right to cure violations within 90 days of receiving notice of a violation.

Senate File 262 can either be signed into law by Iowa Governor Kim Reynolds, vetoed, or become a law without signature after three days during the legislative session. If Senate File 262 is enacted, it would take effect on January 1, 2025.