In the absence of a federal privacy law, Iowa Gov. Kim Reynolds signed into law a consumer privacy bill last week, making the state the sixth in the U.S. to pass legislation that regulates how people’s data is collected and shared online.
The law will take effect Jan. 1, 2025, giving companies nearly 21 months to comply with its requirements in the state with more than 3 million residents.
“In our digital age, it’s never been more important to state, clearly and unmistakably, that consumers deserve a reasonable level of transparency and control over their personal data,” Reynolds said in a statement. “That’s exactly what this bill does, making Iowa just the sixth state to provide this kind of comprehensive protection.”
While other states like California and Utah provide provisions that expand consumers’ right to opt out of targeted ads, Iowa’s law doesn’t expressly indicate this. Companies will be required to provide notices that clearly disclose how people can opt out of targeted advertising.
In theory, this would reduce the concerns from the ad industry around mass numbers of people opting out of data sharing, leading to signal loss and a knock-on to ad revenue.
“Iowa’s privacy law is the weakest amongst the six states,” said Keir Lamont, director of the Future of Privacy Forum’s U.S. legislation team.
Although the law doesn’t take effect until 2025, advertisers should look out for any amendments or guidance put out by the attorney general that may provide clarity on targeted advertising practices.
The existing patchwork of state-level laws brings massive compliance challenges for marketers. Last year, Sephora was hit with a $1.2 million fine for allegedly violating California’s privacy laws. Meanwhile, four other states—Massachusetts, Illinois, Indiana and New York—are looking to emulate a federal bill pending in Congress called the American Data Privacy and Protection Act, furthering marketers’ compliance woes.
Further, people are increasingly requesting companies modify or delete the data held on them.