Both chambers of the Iowa Legislature unanimously approved Senate File 262 on March 15. With a structure similar to the laws of Utah and Virginia, Iowa will become the sixth state to pass an omnibus consumer data privacy law, and a business-friendly one, barring any last-minute procedural obstacles. A privacy contact told Truyo that Iowa Governor Kim Reynolds will put pen to paper and sign the bill, with the law going into effect on January 1, 2025.

Key elements of Iowa’s impending privacy law:

  • Scope: Companies that control or process personal data on 100,000 Iowan consumers, or that gain 50% of revenue from selling the data of more than 25,000 consumers.
  • Consumer Rights: 90-day responses to data subject access requests (DSARs), a non-sunsetting right to cure, and enforcement via the attorney general.

Private right of action, risk assessments, and the option to refuse targeted advertising are noticeably absent. Contrary to other states’ typical 45-day response term, Iowa’s data subject response clause allows for a potential 45-day extension of the 90-day response period. Iowa’s law is likely to be preempted by the American Data Privacy and Protection Act, should it pass, and doesn’t provide innovative or different regulations for organizations; therefore, compliance shouldn’t be a burden for larger organizations that are already in scope of privacy laws from other states.

The Iowa bill can become law via signature by Governor Reynolds, or without signature after 72 hours, during this legislative session, which will conclude on April 28. This definitely adds to the pressure on Congress to continue bipartisan work on the ADPPA, or on the FTC to pursue Mag-Moss rulemaking.

About Ale Johnson

Ale Johnson is the Marketing Manager at Truyo.