Iowa - Data Protection Overview

August 2024

1. Governing Texts

1.1. Key acts, regulations, directives, bills

On March 28, 2023, the Iowa State Governor signed An act relating to consumer data protection (ICDPA).

The ICDPA will enter into effect on January 1, 2025.

1.2. Guidelines

No further information.

1.3. Case law

No further information.

2. Scope of Application

2.1. Personal scope

The ICDPA applies to a person conducting business in Iowa or producing products or services that are targeted to consumers who are residents of Iowa and that, during a calendar year, does either of the following (§715D.2(1) of the ICDPA):

  • controls or processes the personal data of at least 100,000 consumers; or
  • controls or processes the personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.

The ICDPA does not apply to (§715D.2(2) of the ICDPA):

2.2. Territorial scope

The ICDPA applies to a person conducting business in Iowa or producing products or services that are targeted to consumers who are residents of Iowa (§715D.2(1) of the ICDPA).

2.3. Material scope

The ICDPA applies to the personal data of individuals, which is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include de-identified or aggregate data or publicly available information (§715D.1(18) of the ICDPA).

However, the ICDPA outlines that certain data is exempt from its scope, including (§715D.2(3) of the ICDPA):

  • protected health information under HIPAA;
  • health records;
  • patient identifying information for purposes of §§290dd-2 of Title 42 of the U.S. Code, as part of the Public Health Service Act;
  • personal data used or shared in research conducted in accordance with the requirements of the ICDPA, or other research conducted in accordance with other laws;
  • the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act of 1970 (FCRA);
  • personal data regulated by the Family Educational Rights and Privacy Act 1974 (FERPA);
  • data processed or maintained:
    • in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role;
    • as the emergency contact information of an individual under the ICDPA used for emergency contact purposes; and/or
    • that is necessary to retain to administer benefits for another individual relating to the individual under point one and used for the purposes of administering the same; and/or
  • personal data used in accordance with the Children's Online Privacy Protection Act of 1998 (COPPA).

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The Iowa Attorney General (AG) is the regulator within Iowa.

3.2. Main powers, duties and responsibilities

In accordance with §715D.8(1) of the ICDPA, the AG will have the exclusive authority to enforce the ICDPA and may, whenever they have reasonable cause to believe that any person has engaged in, or is engaging in, or is about to engage in any violation of the ICDPA, issue a civil investigative demand.

4. Key Definitions

Data controller: Is defined as a person that, alone or jointly with others, determines the purpose and means of processing personal data (§715D.1(8) of the ICDPA).

Data processor: Is defined as a person that processes personal data on behalf of a controller (§715D.1(21) of the ICDPA).

Personal data: Is defined as any information that is linked or is reasonably linkable to an identified or identifiable natural person. Personal data does not include de-identified or aggregate data or publicly available information (§715D.1(18) of the ICDPA).

Sensitive data: Is defined as a category of personal data that includes (§715D.1(26) of the ICDPA):

  • racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship and immigration status except where such data is used to avoid discrimination on the basis of protected classes that would violate a federal or state anti-discrimination law;
  • genetic or biometric data processed for the purpose of uniquely identifying a natural person;
  • the personal data collected from a child; and
  • precise geolocation data.

Health data: Is not specifically defined under the ICDPA, but 'health record' is defined as any written, printed, or electronically recorded material maintained by a health care provider in the course of providing health services to an individual concerning the individual and the services provided, including health information provided in confidence to a health-care provider (§715D.1(14) of the ICDPA).

Biometric data: Is defined as data generated by automated measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. Biometric data does not include a physical or digital photograph, a video or audio recording, or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA (§715D.1(4) of the ICDPA).

Pseudonymization: 'Pseudonymous data' is defined under the ICDPA as personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person (§715D.1(23) of the ICDPA).

5. Legal Bases

Personal data processed by a controller with regard to limitations under §715D.7 of the ICDPA may be processed to the extent that such processing is (§715D.7(6) of the ICDPA):

  • reasonably necessary and proportionate to the purposes listed;
  • adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in §715D.7 of the ICDPA;
  • where personal data is collected, used, or retained pursuant to §715D.7 of the ICDPA, where applicable, taking into account the nature and purpose or purposes of such collection, use, or retention; and
  • subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data.

5.1. Consent

The ICDPA does not outline consent as a lawful basis for data processing. However, in cases of processing the sensitive personal data of a known child, the personal data must be processed in accordance with COPPA (§715D.4(2) of the ICDPA).

Nevertheless, 'consent' is defined as a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action (§715D.1(6) of the ICDPA).

5.2. Contract with the data subject

The ICDPA provides that nothing provided within its provisions may restrict a controller or a processor's ability to provide products or services specifically requested by a consumer or parent or guardian of a child, performing a contract to which the consumer or parent or guardian of a child is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer or parent or guardian of a child prior to entering into a contract (§715D.7(1)(e) of the ICDPA).

5.3. Legal obligations

The ICDPA also provides that nothing provided within its provisions may restrict the ability of controllers or processors to (§§715D.7(1)(a),(b), and (c) of the ICDPA):

  • comply with federal, state, or local laws, rules, or regulations;
  • investigate, establish, exercise, prepare, or defend legal claims;
  • comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; or
  • cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations.

5.4. Interests of the data subject

The ICDPA also provides that nothing within its provisions may restrict the ability of controllers or processors to take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another natural person, and where the processing cannot be manifestly based on another legal basis (§715D.7(1)(f) of the ICDPA).

5.5. Public interest

The ICDPA also provides that nothing within its provisions may restrict the ability of controllers or processors to engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine the following (§715D.7(1)(j) of the ICDPA):

  • if the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;
  • the expected benefits of the research outweigh the privacy risks; or
  • if the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification.

5.6. Legitimate interests of the data controller

The ICDPA does not explicitly address the legitimate interest of the controller.

However, the ICDPA provides that nothing within its provisions may restrict the ability of controllers or processors to (§715D.7(1)(b) of the ICDPA):

  • prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity;
  • preserve the integrity or security of systems; and
  • investigate, report, or prosecute those responsible for any such action.

Likewise, the obligations imposed on a controller or processor under the ICDPA will not restrict the controller's or processor's ability to collect, use, or retain data to (§715D.7(2) of the ICDPA):

  • conduct internal research to develop, improve, or repair products, services, or technology;
  • effectuate a product recall;
  • identify and repair technical errors that impair existing or intended functionality; and
  • perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or parent or guardian of a child or the performance of a contract to which the consumer or parent or guardian of a child is a party.

5.7. Legal bases in other instances

The obligations imposed on controllers or processors under the ICDPA will not apply where compliance by the controller or processor would violate an evidentiary privilege under the laws of Iowa. In addition, nothing within the ICDPA should be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of Iowa as part of a privileged communication (§715D.7(3) of the ICDPA).

6. Principles

Data controllers must adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and availability of personal data. On this point, the ICDPA stipulates that such practices should be appropriate to the volume and nature of the personal data at issue (§715D.4(1) of the ICDPA).

7. Controller and Processor Obligations

De-identified data

The ICDPA clarifies that none of its provisions may be construed to impose a requirement to (§715D.6(1) of the ICDPA):

  • reidentify de-identified data or pseudonymous data;
  • maintain data in identifiable form; or
  • collect, obtain, retain, or access any data or technology in order to be capable of associating an authenticated consumer request with personal data.

The ICDPA provides that controllers that disclose pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments (§715D.6(4) of the ICDPA).

7.1. Data processing notification

Not applicable.

7.2. Data transfers

The ICDPA does not specifically address data transfers but defines the 'sale of personal data' as the exchange of personal data for monetary consideration by the controller to a third party, noting that the 'sale of personal data' does not include (§715D.1(25) of the ICDPA):

  • the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
  • the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer or a parent of a child;
  • the disclosure or transfer of personal data to an affiliate of the controller;
  • the disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience;
  • the disclosure or transfer of personal data when a consumer uses or directs a controller to intentionally disclose personal data or intentionally interact with one or more third parties; or
  • the disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.

Furthermore, the ICDPA stipulates that a controller or processor that discloses personal data to a processor or third-party controller in accordance with the ICDPA must not be deemed to have violated the same if the processor or third-party controller that receives and processes such personal data violates the provisions of the ICDPA, provided that, at the time the disclosing controller or processor disclosed such personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller would violate the ICDPA (§715D.7(4) of the ICDPA). In addition, a third-party controller or processor receiving personal data from a controller or processor in compliance with the ICDPA is likewise not in violation of said sections for the transgressions of the controller or processor from which such third-party controller or processor receives such personal data (§715D.7(4) of the ICDPA).

7.3. Data processing records

The ICDPA does not address data processing records.

7.4. Data protection impact assessment

The ICDPA does not address Data Protection Impact Assessments (DPIAs).

7.5. Data protection officer appointment

The ICDPA does not address the appointment of data protection officers (DPOs).

7.6. Data breach notification

Not applicable.

However, there are data breach requirements outlined in §715C.1 et seq. of Title XVI of the Iowa Code (the Iowa Code).

For further information see Iowa - Data Breach.

7.7. Data retention

The ICDPA does not address data retention requirements.

7.8. Children's data

Notably, the ICDPA provides that a known child's parent or legal guardian may invoke consumer rights on behalf of the known child regarding processing personal data belonging to a child (§715D.3(1) of the ICDPA). In cases of processing the sensitive personal data of a known child, the personal data must be processed in accordance with COPPA (§715D.4(2) of the ICDPA).

7.9. Special categories of personal data

Controllers must not process sensitive data collected from a consumer for a non-exempt purpose under the ICDPA without the consumer having been presented with a clear notice and an opportunity to opt out of such processing (§715D.4(2) of the ICDPA).

7.10. Controller and processor contracts

The ICDPA requires a contract between controllers and processors that sets forth the instructions for processing personal data, the duration of the processing, the type of data subject to processing, and the rights and duties of both parties. Controller-processor contracts under the ICDPA must (§715D.5(2) of the ICDPA):

  • ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
  • at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
  • upon the reasonable request of the controller, make available to the controller all information in the processor's possession necessary to demonstrate the processor's compliance with the obligations in the ICDPA; and
  • engage any subcontractor or agent pursuant to a written contract in accordance with this section that requires the subcontractor to meet the duties of the processor with respect to personal data.

Notably, the ICDPA provides that determining whether a person is acting as a controller or processor with respect to the specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. To this end, a processor that continues to adhere to a controller's instructions with respect to the specific processing of personal data remains a processor (§715D.5(4) of the ICDPA).

The ICDPA also stipulates that processors must assist a controller in their duties, taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, in order to (§715D.5(1) of the ICDPA):

  • fulfill the controller's obligation to respond to consumer rights requests; and
  • meet the controller's obligations in relation to the security of processing personal data and in relation to the notification of a security breach of the processor.

8. Data Subject Rights

Response time

The ICDPA establishes consumer data rights that may be invoked at any time by submitting a request to the controller, through means specified by the controller (§715D.3(1)(a) of the ICDPA). Further, the ICDPA stipulates that controllers must respond to consumers without undue delay, but in all cases within 90 days of receipt of a request. The timeframe for a response may be extended once by an additional 45 days when reasonably necessary considering the complexity and number of consumer requests (§715D.3(2)(a) of the ICDPA). The consumer must be informed of the extension within the original 90-day timeframe, together with the reason for the extension.

Declining requests and appeals

Equally, the ICDPA stipulates that controllers must inform data subjects without undue delay when declining to take action, except in the case of suspected fraudulent requests, where the controller may state that they were unable to authenticate the request. Importantly, the controller must also provide instructions for appealing the decision pursuant to §715D.3(3) of the ICDPA (§715D.3(2)(b) of the ICDPA).

Appeals

More specifically, on appealing decisions, a controller must establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process must be conspicuously available and similar to the process for submitting requests to initiate action. Within 60 days of receipt of an appeal, a controller must inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the controller must also provide the consumer with an online mechanism through which the consumer may contact the AG to submit a complaint (§715D.3(3)(b) of the ICDPA).

A controller must not discriminate against a consumer for exercising their consumer rights, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in the ICDPA should be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the consumer's right to opt out or the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program (§715D.4(3) of the ICDPA).

Fees

Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If a request from a consumer is manifestly unfounded, excessive, repetitive, or technically unfeasible, or the controller reasonably believes that the primary purpose of the request is not to exercise a consumer right, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request (§715D.3(2) of the ICDPA).

Authentication

If a controller is unable to authenticate a request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under the ICDPA and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request (§715D.3(2) of the ICDPA).

Exemptions

The consumer rights contained in §§715D.3 and 715D.4 of the ICDPA shall not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person (§715D.6(4) of the ICDPA).

8.1. Right to be informed

The ICDPA provides that controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the following (§715D.4(5) of the ICDPA):

  • the categories of personal data processed by the controller;
  • the purpose for processing personal data;
  • how consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request;
  • the categories of personal data that the controller shares with third parties, if any; and
  • the categories of third parties, if any, with whom the controller shares personal data.

Where controllers sell a consumer's personal data to a third party or engage in targeted advertising, the controller must clearly and conspicuously disclose such activity (§715D.4(6) of the ICDPA).

A controller must establish, and describe in a privacy notice, secure and reliable means for consumers to submit a request to exercise their consumer rights. This should consider the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. A controller must not require a consumer to create a new account in order to exercise consumer rights pursuant to §715D.3 of the ICDPA, but may require a consumer to use an existing account (§715D.4(7) of the ICDPA).

8.2. Right to access

The ICDPA provides consumers with the right to access their personal data (§715D.3(1)(a) of the ICDPA).

8.3. Right to rectification

The ICDPA does not provide for the right to rectification.

8.4. Right to erasure

The ICDPA provides consumers with the right to delete the personal data provided by the consumer (§715D.3(1)(b) of the ICDPA).

8.5. Right to object/opt-out

The ICDPA provides consumers with the right to opt out of the sale of personal data (§715D.3(1)(d) of the ICDPA). Specifically, where a controller sells a consumer's personal data to third parties or engages in targeted advertising, the controller must clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity (§715D.4(6) of the ICDPA).

8.6. Right to data portability

The ICDPA provides consumers with the right to obtain a copy of the personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means (§715D.3(1)(c) of the ICDPA).

The above does not apply where the personal data, as defined as 'personal information' pursuant to the Iowa Code, is subject to security breach protection.

8.7. Right not to be subject to automated decision-making

The ICDPA does not provide for the right not to be subject to automated decision-making.

8.8. Other rights

No further information.

9. Penalties

The AG has the authority to issue a civil investigative demand where there is reasonable cause to believe any person is engaging in, or is about to engage in, any violation of the ICDPA (§715D.8(1) of the ICDPA). Importantly, before initiating any action, the AG must provide controllers or processors with 90 days' written notice identifying the provisions alleged to have been violated. If, within the 90 days, the controller or processor rectifies the aforementioned violation and provides the AG with an express written statement that the alleged violations have been resolved and that no further such violations shall occur, no action can be initiated against the controller or processor (§715D.8(2) of the ICDPA).

Where controllers or processors continue to violate the ICDPA following the cure period noted above or breach an express written statement provided to the AG, the AG may seek an injunction to restrain violations of the ICDPA and civil penalties of up to $7,500 for each violation under the ICDPA (§715D.8(3) of the ICDPA).

Notably, the ICDPA clarifies that nothing within its provisions should be construed as providing the basis for, or being subject to, a private right of action for violations under the ICDPA or under any other law (§715D.8(4) of the ICDPA).

9.1. Enforcement decisions

Not applicable.