The next shoe is set to drop in the growing network of U.S. comprehensive state privacy laws. Iowa is poised to become the sixth state to pass comprehensive legislation after both chambers of the Iowa Legislature unanimously voted to approve Senate File 262.
Covered entities under SF 262 must control or process personal data on 100,000 Iowan consumers or derive 50% of revenue from selling the data of more than 25,000 consumers. The bill offers some consumer rights, 90-day periods for data subject request responses, a nonsunsetting right to cure violations and exclusive attorney general enforcement.
Notably missing are the private right of action, required data protection assessments and the ability to opt out of targeted advertising. The bill is set to take force Jan. 1, 2025.
Iowa's bill shares the basic framework in laws Colorado, Connecticut, Utah and Virginia took up and passed in recent years. However, SF 262 runs closest to Utah's existing law.
IAPP Westin Research Fellow Anokhy Desai, CIPP/US, CIPT, constructed an analysis of similarities and differences between existing legislation prior to Iowa's passage.
Potential enactment of the bill is expedited compared to other state legislatures. Upon being sent to Gov. Kim Reynolds, R-Iowa, SF 262 can either be signed into law or become a law without a signature after three days during a given legislative session. The Iowa Legislature closes its 2023 session April 28.
"While I expect this may eventually be preempted by federal legislation, I would also expect that what we pass here will influence what Congress does in the future and used as a potential model," state Sen. Chris Cournoyer, R-Iowa, told The Quad-City Times after SF 262 passed the Senate March 6. Cournoyer, SF 262's sponsor, carried the torch for the bill this year after efforts to pass it during the 2022 legislative session stopped short in the Senate following House approval.
Where Iowa falls in the patchwork
The passage of SF 262 marks another milestone in the evolution of state privacy law, but the bill itself doesn't offer much in the way of originality. Given its likeness to established frameworks on the books, Iowa's proposal isn't expected to put heavy compliance burdens on businesses complying with existing comprehensive state privacy laws.
"Putting aside weaknesses in the bill from a consumer protection standpoint, the passage of SF 262 helps continue to provide uniformity for businesses that are trying to put together a one-size-fits-all approach for their privacy compliance programs," Koley Jessen Shareholder Maureen Fulton, CIPP/US, said. "For example, the privacy notice requirements under SF 262 are not unique. If a company has already drafted a privacy policy that is compliant with (the California Consumer Privacy Act) or (the Virginia Consumer Data Privacy Act), the company will not have to amend its privacy policy to include additional items specified by the Iowa legislation."
Fulton said the substance of the bill suggests it was "drafted with tech companies’ priorities front of mind." That line of thought is supported by the Technology Association of Iowa, which welcomed passage of SF 262 while previously detailing its perspective on the bill.
"This is a big step forward in granting (Iowans) some rights for their data," TAI Vice President of Operations Mollie Ross told The Quad-City Times. "And also from an industry perspective, it lays some guidelines, sets up groundwork so that everybody is playing within the same boundaries."
In a follow-up statement to The Privacy Advisor, Ross reiterated TAI's backing for the bill while committing to "continue to advocate for data privacy and protection legislation at the federal level."
Iowa's bill diverges notably from the interoperability found in most existing state laws. It neither carries sensitive data opt-in consent nor requires a user's right to correct. It also does not require covered entities to conduct risk assessments or practice purpose limitation and/or data minimization. Iowa's data subject response provision also contains a potential 45-day extension to the 90-day response period, in contrast to the standard 45-day response period other states carry.
"This bill represents a wish list of industry-sought provisions, which is to say that it pretty much affirms the status quo by offloading all the responsibility for privacy protection onto the individual with almost no substantive limitations on how companies collect or process data," Consumer Reports Policy Analyst Matt Schwartz said. "We've seen red states in the same region do much better."