Iowa Becomes The Latest: Comprehensive Privacy Bill Signed Into Law
On March 28, 2023, Iowa Governor Kim Reynolds signed the sixth state comprehensive privacy statute into law. Iowa now joins California, Connecticut, Virginia, Utah and Colorado in the group of ever-expanding states that have enacted such laws. Iowa’s law is similar to both the California Privacy Rights Act (“CPRA”) and the Utah Consumer Privacy Act (“UCPA”), although CPRA continues to have a broader reach than that of Iowa’s new law.
Iowa’s law will apply to covered entities. To be a covered entity, a business must control or process personal data on 100,000 Iowan consumers or derive 50% of revenue from selling the data of more than 25,000 consumers. Meeting either of these criteria will bring a business under the scope of the law.
Similar to the five preceding state comprehensive privacy laws, Iowa’s law grants residents of their state certain individual rights. These rights include the right to access and delete personal information, but the Iowa law notably does not provide other common rights such as the right to sue violators privately nor the right to opt out of targeted advertising. California continues to be the only comprehensive state privacy law that includes a private right of action.
Following several other states’ footsteps, Iowa’s law has exemptions for individuals acting in an employment or commercial (business to business) context, and exemptions for entities subject to the Health Insurance Portability and Accountability Act of 1996 and financial institutions subject to the Gramm-Leach-Bliley Act.
Iowa’s law will become effective on January 1, 2025.
McGrath North’s team provides practical guidance for businesses in these uncertain times. Contact McGrath North’s privacy and cybersecurity practice group today to understand the current state of privacy law in a particular state, nationally and/or internationally to confirm your organization’s obligations and work to implement an effective compliance strategy.
Related Attorneys
