On March 29th, Iowa joined California, Colorado, Connecticut, Utah, and Virginia in enacting a comprehensive privacy law. Over the last 3 years, legislators have struggled to get meaningful movement on their proposed bills, but this year they succeeded with a law that goes into effect on January 1, 2025.
Data minimization is important, as the law states that information should only be stored if reasonably necessary and proportional to the purposes listed. Controllers are called upon to make reasonable efforts to protect the confidentiality and integrity of consumer data. In contrast to Colorado, Connecticut, and Virginia, which require an opt-in choice for the processing of sensitive data, Iowa’s new law mandates that covered companies give notice and an option to opt out, aligning with Utah and California. Opt-ins and consent must be in clear, unambiguous terms and require affirmative action by the consumer to approve the processing of their data.
Iowa seeks to further protect consumers through nondiscrimination verbiage to keep controllers from punishing consumers for “exercising their rights, but may offer different prices to consumers based on certain factors like a consumer’s voluntary participation in a bona fide loyalty program.” Additionally, controllers must have contracts in place with any processors with whom they share data. These contracts must outline the instructions and reasons for the processing, which data can be processed, how long data can be stored, and the duties required of both the controller and processor.
The Iowa privacy law lacks a private right of action, just like the privacy laws passed by Colorado, Connecticut, Virginia, and Utah. Nonetheless, it does give the attorney general sole authority to enforce the law through investigative demands. Written notices from the AG will include a 90-day cure period. If compliance is not achieved during the cure period, a fine of $7,500 can be assessed per violation.
With some overlap between Iowa and the five other comprehensive privacy laws, compliance shouldn’t be excessively challenging for organizations. Iowa’s law outlines straightforward compliance that errs on the side of controllers and may pave the way for other states to follow suit in the hopes of passing a law that neither harms businesses nor makes compliance feel unachievable.