Iowa’s Privacy Law Is ‘Weakest’ So Far, Doesn’t Give People the Right to Opt Out of Targeted Ads


.article-native-ad { border-bottom: 1px solid #ddd; margin: 0 45px; padding-bottom: 20px; margin-bottom: 20px; } .article-native-ad svg { color: #ddd; font-size: 34px; margin-top: 10px; } .article-native-ad p { line-height:1.5; padding:0!important; padding-left: 10px!important; } .article-native-ad strong { font-weight:500; color:rgb(46,179,178); }

In the absence of a federal privacy law, Iowa Gov. Kim Reynolds signed into law a consumer privacy bill last week, making the state the sixth in the U.S. to pass legislation that regulates how people’s data is collected and shared online.

The law will take effect Jan. 1, 2025, giving companies nearly 21 months to comply with its requirements in the state with more than 3 million residents.

“In our digital age, it’s never been more important to state, clearly and unmistakably, that consumers deserve a reasonable level of transparency and control over their personal data,” Reynolds said in a statement. “That’s exactly what this bill does, making Iowa just the sixth state to provide this kind of comprehensive protection.” 

While other states like California and Utah provide provisions that expand consumers’ right to opt out of targeted ads, Iowa’s law doesn’t expressly indicate this. Companies will be required to provide notices that clearly disclose how people can opt out of targeted advertising.

image

In theory, this would reduce the concerns from the ad industry around mass numbers of people opting out of data sharing, leading to signal loss and a knock-on to ad revenue.

“Iowa’s privacy law is the weakest amongst the six states,” said Keir Lamont, director of the Future of Privacy Forum’s U.S. legislation team.

Although the law doesn’t take effect until 2025, advertisers should look out for any amendments or guidance put out by the attorney general that may provide clarity on targeted advertising practices.

The existing patchwork of state-level laws brings massive compliance challenges for marketers. Last year, Sephora was hit with a $1.2 million fine for allegedly violating California’s privacy laws. Meanwhile, four other states—Massachusetts, Illinois, Indiana and New York—are looking to emulate a federal bill pending in Congress called the American Data Privacy and Protection Act, furthering marketers’ compliance woes.

Further, people are increasingly requesting companies modify or delete the data held on them.

A more business-friendly law

Similar to Utah’s privacy law taking effect Dec. 31, 2023, Iowa’s provisions are considered to be more business-friendly than those of California, Virginia, Connecticut and Colorado.

Iowa’s privacy law—SF 262—gives its residents the right to access, delete and opt out of having their personal data sold. This includes sensitive information such as race or ethnic origin, religious affiliation, health diagnoses, sexual orientation, immigration status, biometric data, children’s personal data and precise geolocation. Businesses have 90 days to respond to consumer privacy requests.

The law applies to any company that conducts business within the state or targets its products or services to its residents. These include companies that process or control the personal data of at least 100,000 Iowa residents per year or derive at least 50% of their annual revenue from the sale of personal data of at least 25,000 Iowa residents.

However, the state’s law does not place a minimum annual revenue threshold on organizations, as California and Utah do.

A unique feature of SF 262 is that consumer privacy rights are exempt from pseudonymous data, or “personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person,” per the law.

However, the right to opt out of targeted advertising doesn’t apply to pseudonymous data, according to Lamont.

image

Although businesses are exempt from conducting regular data protection or privacy risk assessments, Iowa’s attorney general can issue a civil investigative demand to any company suspected of violating the law, after which the company has a 90-day window to remedy those violations or face a fine of up to $7,500 per violation.

However, Iowa residents cannot exercise the private right of action that allows them to sue companies that violate the law.

.font-primary { } .font-secondary { } #meter-count { position: fixed; z-index: 9999999; bottom: 0; width:96%; margin: 2%; -webkit-border-radius: 4px; -moz-border-radius: 4px; border-radius: 4px; -webkit-box-shadow: 0 0px 15px 4px rgba(0,0,0,.2); box-shadow:0 0px 15px 4px rgba(0,0,0,.2); padding: 15px 0; color:#fff; background-color:#343a40; } #meter-count .icon { width: auto; opacity:.8; } #meter-count .icon svg { height: 36px; width: auto; } #meter-count .btn-subscribe { font-size:14px; font-weight:bold; padding:7px 18px; color: #fff; background-color: #2eb3b2; border:none; text-transform: capitalize; margin-right:10px; } #meter-count .btn-subscribe:hover { color: #fff; opacity:.8; } #meter-count .btn-signin { font-size:14px; font-weight:bold; padding:7px 14px; color: #fff; background-color: #121212; border:none; text-transform: capitalize; } #meter-count .btn-signin:hover { color: #fff; opacity:.8; } #meter-count h3 { color:#fff!important; letter-spacing:0px!important; margin:0; padding:0; font-size:16px; line-height:1.5; font-weight:700; margin: 0!important; padding: 0!important; } #meter-count h3 span { color:#E50000!important; font-weight:900; } #meter-count p { font-size:14px; font-weight:500; line-height:1.4; color:#eee!important; margin: 0!important; padding: 0!important; } #meter-count .close { color:#fff; display:block; position:absolute; top: 4px; right:4px; z-index: 999999; } #meter-count .close svg { display:block; color:#fff; height:16px; width:auto; cursor:pointer; } #meter-count .close:hover svg { color:#E50000; } #meter-count .fw-600 { font-weight:600; } @media (max-width: 1079px) { #meter-count .icon { margin:0; padding:0; display:none; } } @media (max-width: 768px) { #meter-count { margin: 0; -webkit-border-radius: 0px; -moz-border-radius: 0px; border-radius: 0px; width:100%; -webkit-box-shadow: 0 -8px 10px -4px rgba(0,0,0,0.3); box-shadow: 0 -8px 10px -4px rgba(0,0,0,0.3); } #meter-count .icon { margin:0; padding:0; display:none; } #meter-count h3 { color:#fff!important; font-size:14px; } #meter-count p { color:#fff!important; font-size: 12px; font-weight: 500; } #meter-count .btn-subscribe, #meter-count .btn-signin { font-size:12px; padding:7px 12px; } #meter-count .btn-signin { display:none; } #meter-count .close svg { height:14px; } }

Enjoying Adweek’s Content? Register for More Access!

Recommended articles

https://www.adweek.com/programmatic/iowa-privacy-law-weakest-so-far-doesnt-give-people-the-right-to-opt-out-of-targeted-ads/