Iowa Is the Sixth State to Enact Data Privacy Law
Friday, April 21, 2023
Data Privacy Law Enacted in Iowa

Iowa is now the sixth state in the U.S. to adopt a comprehensive privacy law that aims to give consumers more control over protecting their personal data.

Signed by Gov. Kim Reynolds (R) on Tuesday, Senate File 262 was unanimously passed by the Iowa Senate and House. The law will go into effect on January 1, 2025. The law joins data protections in California, Colorado, Connecticut, Utah, and Virginia adopted. 

Iowa’s data privacy law applies to companies that (1) control or process data of at least 100,000 Iowa consumers, or (2) control or process data of at least 25,000 Iowa consumers and derive 50% of their revenue from the sale of personal data. 

Notably, Iowa joins the other five states (i.e., California, Colorado, Connecticut, Utah, and Virginia) by exempting data regulated by the Fair Credit Reporting Act (FCRA). There are also exemptions for state and municipal entities, political subdivisions, banks, and financial companies subject to the Gramm-Leach-Bliley Act (GLBA), and healthcare organizations as specified in the statute subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), non-profits, higher education institutions including Family Educational Rights and Privacy Act (FERPA) data, data governed by the Children’s Online Privacy Protection Act of 1998 (COPPA) and certain information related to employment.

Under the Iowa law, consumers are provided with four main rights: the right to access, the right to delete, the right to portability and the right to opt out of the sale of their personal data. Like the state privacy laws enacted by Colorado, Connecticut, Virginia and Utah, the Iowa privacy law does not offer a private right of action. It does, however, provide the attorney general with the exclusive right to enforce the act through civil investigative demands. The attorney general must provide the violating party with a written notice listing the violations and, with 90 days to cure the violations, notify the attorney general of the cure and provide a statement that no further violations will occur. The Attorney General may seek monetary damages of up to $7,500 per violation of the law and injunctive relief. 

More from Katten