Aw, Shucks! Iowa Becomes 6th State to Enact Consumer Privacy Law

Iowa became the sixth state to enact a comprehensive consumer privacy law after Gov. Kim Reynolds signed SF 262 into law on March 28, 2023. The Act Relating to Consumer Data Protection uses similar language as the Virginia Consumer Data Protection Law (VCDPA) but removes certain consumer rights and data governance obligations, resulting in a law that is substantively more like the Utah Consumer Privacy Act. The new Iowa law takes effect on Jan. 1, 2025.

The following tables compare the Iowa law to the laws of the five other states that have passed comprehensive consumer privacy legislations. A State Consumer Privacy Laws "cheat sheet" is also available for downloading and printing.

Overview

The Iowa law is heavily modeled after existing state laws, meaning that organizations already complying with other state laws will likely face little, if any, additional compliance burdens. California continues to remain an outlier in extending rights to workforce members and business-to-business contacts and in containing any sort of private right of action.

View larger image

Consumer Rights

Similar to Utah's privacy law, the Iowa law does not have a "right to correct," and a consumer's right to delete is limited to the data the organization obtained from the consumer. Iowa also follows Utah in its approach to children's data – a controller cannot process such data unless it complies with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. Section 6501 et seq. – which creates a significant gray area since COPPA applies only to personal information collected directly from the child via an online service. The Iowa law does not offer consumers a right to opt out of profiling or other automated decision-making.

View larger image

Request Submission and Handling

Unlike California's and Colorado's laws, the Iowa law does not contain a lot of specificity as to the process for submitting consumer requests. Iowa's new law closely parallels Virginia's and Utah's, although Iowa's expands the timeline to respond to consumer requests from 45 days to 90 days.

View larger image

Information Governance

Similar to Utah's legislation, the Iowa law is light on internal requirements for the management of data, including that there is explicit purpose of processing limitation or requirement for data minimization. The Iowa law also does not require organizations to conduct data protection assessments.

View larger image

Enforcement

Iowa follows the trend in providing that violations of its new privacy law will be enforced only by its state attorney general and not civil litigants. Iowa offers time to cure violations, and the 90-day period offered is longer than those of other states. Violations of the law are punishable by civil penalties of up to $7,500 for each violation. California continues to be the only state to allow a private right of action – limited to certain types of data breaches only.

View larger image

For more information, contact the authors or another member of Holland & Knight's Data Strategy, Security & Privacy Team.

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.