A more business-friendly law
Similar to Utah’s privacy law taking effect Dec. 31, 2023, Iowa’s provisions are considered to be more business-friendly than those of California, Virginia, Connecticut and Colorado.
Iowa’s privacy law—SF 262—gives its residents the right to access, delete and opt out of having their personal data sold. This includes sensitive information such as race or ethnic origin, religious affiliation, health diagnoses, sexual orientation, immigration status, biometric data, children’s personal data and precise geolocation. Businesses have 90 days to respond to consumer privacy requests.
The law applies to any company that conducts business within the state or targets its products or services to its residents. These include companies that process or control the personal data of at least 100,000 Iowa residents per year or derive at least 50% of their annual revenue from the sale of personal data of at least 25,000 Iowa residents.
However, the state’s law does not place a minimum annual revenue threshold on organizations, as California and Utah do.
A unique feature of SF 262 is that consumer privacy rights are exempt from pseudonymous data, or “personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person,” per the law.
However, the right to opt out of targeted advertising doesn’t apply to pseudonymous data, according to Lamont.
Although businesses are exempt from conducting regular data protection or privacy risk assessments, Iowa’s attorney general can issue a civil investigative demand to any company suspected of violating the law, after which the company has a 90-day window to remedy those violations or face a fine of up to $7,500 per violation.
However, Iowa residents cannot exercise the private right of action that allows them to sue companies that violate the law.