On March 15, the Iowa House passed Senate File 262 (SF 262), a comprehensive state privacy bill. If enacted, SF 262 would be the sixth state-level privacy law, following California, Virginia, Colorado, Utah, and Connecticut, and it would go into effect on January 1, 2025.
Iowa’s new law is closest to the Utah Consumer Privacy Act (UCPA), having broad exemptions and more limited obligations for controllers. Notably, SF 262 provides exemptions for consumer rights where “pseudonymous data” and “de-identified data” (as defined by the bill) are involved, including certain opt-out rights.
For the most part, Iowa’s bill treads familiar territory. Its scope extends to entities that conduct business in Iowa or produce products or services targeted to Iowa residents, and that meet either of the following requirements in a calendar year: (1) control or process personal data of at least 100,000 consumers; or (2) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
Iowa’s bill does not create new obligations for businesses compared to what is already required under other states’ privacy laws. For example, the Iowa bill’s privacy notice requirements are not unique to SF 262 – companies with privacy policies drafted to comply with the CCPA (California Consumer Privacy Act) and VCDPA (Virginia Consumer Data Protection Act) are not likely to have to amend their policies in order to comply with Iowa’s requirements. In addition, like Utah and Virginia, Iowa’s bill includes a narrow definition of “sale” of personal data (the exchange of personal data for monetary consideration by the controller to a third party), as well as numerous exceptions.
Iowa’s bill notably diverges from consumer protections found in most existing state privacy laws. For example, it only requires clear notice and opt-out for sensitive data, while other states like Colorado, Connecticut, and Virginia adopted opt-in requirements. The Iowa bill also lacks a consumer right to correct data. There are no requirements for covered entities to conduct privacy impact assessments or establish data minimization principles. Furthermore, responses to consumer requests not only have a 90-day response period (compared to 45 days in other states) but also are subject to a potential 45-day extension.
This bill does not contain a private right of action; enforcement rights belong exclusively to the Iowa State Attorney General. The AG may seek injunctive relief and civil penalties of up to $7,500 per violation. However, the AG must first provide a 90-day cure period before bringing any enforcement action, and this cure period does not sunset.