
Iowa: Consumer data protection act – a comprehensive state privacy law

Senate File 262, An Act relating to consumer data protection ('the Act'), was introduced to the Iowa State Senate on 23 January 2023. The Act has since passed both the State Senate and the House of Representatives, and was signed by the Governor of Iowa, Kim Reynolds, on 28 March 2023. The Act introduces obligations for data controllers and duties for data processors, as well as consumer rights, and will enter into effect on 1 January 2025. OneTrust DataGuidance breaks down the key provisions of the Act.


Definitions

The Act outlines definitions for new terms including 'biometric data', 'covered entity', 'identified or identifiable natural person', 'personal data', 'pseudonymous data', 'sale of personal data', 'targeted advertising', and 'third party', among others. Among the notable definitions are those of 'controller', which means a person that, alone or jointly with others, determines the purpose and means of processing personal data, and 'processor', which means a person that processes personal data on behalf of a controller.

In addition, under the Act, 'consumer' is defined as a natural person who is a resident of the State of Iowa acting only in an individual or household context, excluding a natural person acting in a commercial or employment context, while 'consent' is considered a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action. Furthermore, under the Act, 'personal data' refers to any information that is linked or reasonably linkable to an identified or identifiable natural person, and does not include de-identified or aggregate data or publicly available information. 'Process' or 'processing' is defined as any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

In regard to sensitive data, the Act highlights that such information will include information related to:

  • racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship and immigration status, except where such data is used to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law;
  • genetic or biometric data processed for the purpose of uniquely identifying a natural person;
  • the personal data collected from a child; and
  • precise geolocation data.

Furthermore, 'covered entity' has the same definition as provided under the Health Insurance Portability and Accountability Act of 1996 ('HIPAA').

Scope

The Act applies to a person conducting business in Iowa or producing products or services that are targeted to consumers who are Iowa residents and that, during a calendar year, does either of the following:

  • controls or processes personal data of at least 100,000 consumers; or
  • controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.

However, the Act clarifies that political subdivisions of the state, financial institutions, affiliates of financial institutions, or data subject to the Gramm-Leach-Bliley Act of 1999 ('GLBA'), and persons subject to HIPAA are not subject to the Act. In addition, non-profit organisations and institutions of higher education are not subject to the Act.

In addition, certain types of information are exempt under the Act including:

  • protected health information under HIPAA;
  • health records;
  • data processed or maintained:
    • in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role;
    • as the emergency contact information of an individual under this chapter used for emergency contact purposes; and/or
    • that is necessary to retain to administer benefits for another individual relating to the individual under point one and used for the purposes of administering the same; and/or
  • personal data used in accordance with the Children's Online Privacy Protection Act of 1998 ('COPPA').

Furthermore, the Act clarifies that nothing within should be construed as an obligation imposed on a controller or processor that adversely affects the privacy or other rights or freedoms of any persons, such as exercising the right of free speech pursuant to the first amendment to the U.S. Constitution, or applies to personal data by a person in the course of a purely personal or household activity.

Finally, the Act clarifies that nothing within should be construed to require a controller or processor to re-identify de-identified data or pseudonymous data; maintain data in an identifiable form; or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data.

Data subject rights

The Act establishes consumer data rights that may be invoked at any time by submitting a request to the controller. In addition, these rights can also be invoked by a known child's parent or legal guardian on behalf of the known child regarding processing of data belonging to the child. To this end, a controller must comply with an authenticated consumer request.

Further to the above, the consumer data rights provided under the Act include the right to:

  • confirm whether a controller is processing the consumer's personal data and to access such personal data;
  • delete the personal data provided by the consumer;
  • obtain a copy of the consumer's personal data that the consumer previously provided to the controller, except as to personal data defined as 'personal information' that is subject to security breach protection, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and
  • opt-out of the sale of personal data.

In line with the above, the Act establishes provisions for complying with consumer data requests, providing that controllers must respond to consumers without undue delay, but in all cases within 90 days of receipt of a request. The timeframe for a response may be extended once by an additional 45 days when reasonably necessary, considering the complexity and number of the consumer's requests. The consumer must be informed of the extension within the original 90-day timeframe, together with the reason for the extension. Equally, the Act stipulates that controllers must inform consumers without undue delay when declining to take action, except in the case of suspected fraudulent requests, where the controller may state that it was unable to authenticate the request.

Under the Act, information provided to consumers must be provided free of charge, up to twice annually per consumer. However, controllers may charge a fee where the consumer request is manifestly unfounded, excessive, repetitive, or technically unfeasible, or where the controller believes that the primary purpose of the request is not to exercise a consumer right. Importantly, the controller bears the burden of demonstrating the manifestly unfounded, excessive, repetitive, or technically unfeasible nature of the request. Furthermore, the Act stipulates that the controller is responsible for establishing a process for a consumer to appeal refusals within a reasonable period of time.

Importantly, the above consumer rights will not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. Furthermore, a controller or processor is not required to comply with an authenticated consumer rights request where:

  • the controller is not reasonably capable of associating the request with personal data, or it would be unreasonably burdensome for the controller to associate the request with personal data;
  • the controller does not use the personal data to recognise or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and
  • the controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted by the Act.

Controller obligations

The Act stipulates that controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the following:

  • the categories of personal data processed by the controller;
  • the purpose for processing personal data;
  • how consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request;
  • the categories of personal data that the controller shares with third parties, if any; and
  • the categories of third parties, if any, with whom the controller shares personal data.

Further, in regard to privacy notices, the Act states that controllers must describe secure and reliable means for exercising consumer rights, considering the ways in which consumers normally interact with the controller and the ability of the controller to authenticate the identity of the consumer making the request. Likewise, the Act clarifies that if a controller sells a consumer's personal data to third parties or engages in targeted advertising, the controller must clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt-out.

Additionally, controllers must not process sensitive consumer data for a non-exempt purpose without the consumer having been presented with a clear notice and the opportunity to opt-out of such processing. In the case of processing children's data, such processing must occur in accordance with COPPA.

More generally, the Act establishes that controllers must adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and availability of personal data. On this point, the Act stipulates that such practices should be appropriate to the volume and nature of the personal data at issue.

Processor obligations

Under the Act, processors must assist a controller in its duties, taking into account the nature of processing and the information available to the processor, by appropriate technical and organisational measures, in order to:

  • fulfil the controller's obligation to respond to consumer rights requests; and
  • meet the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a security breach of the processor.

In determining whether a person is acting as a controller or processor with respect to specific processing of data, the Act explains that it is a fact-based determination that depends upon the context in which personal data is to be processed. To this end, a processor that continues to adhere to a controller's instructions with respect to specific processing of personal data remains a processor.

More specifically, the Act requires a contract between controllers and processors which sets forth the instructions for processing personal data, the duration of processing, the type of data subject to processing, and the rights and duties of both parties. Controller-processor contracts under the Act must:

  • ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
  • at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
  • upon the reasonable request of the controller, make available to the controller all information in the processor's possession necessary to demonstrate the processor's compliance with the obligations in this chapter; and
  • engage any subcontractor or agent pursuant to a written contract in accordance with this section that requires the subcontractor to meet the duties of the processor with respect to the personal data.

Limitations

The Act outlines a list of items that the obligations imposed on controllers or processors under the Act must not restrict, including, among other things:

  • complying with federal, state, or local laws, rules, or regulations;
  • complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
  • cooperating with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;
  • investigating, establishing, exercising, preparing, or defending legal claims;
  • providing a product or service specifically requested by a consumer or parent or guardian of a child, performing a contract to which the consumer or parent or guardian of a child is a party, including fulfilling the terms of a written warranty, or taking steps at the request of the consumer or parent or guardian of a child prior to entering into a contract;
  • preserving the integrity or security of systems; and
  • investigating, reporting, or prosecuting those responsible for any such action.

In addition, the Act clarifies that the obligations imposed on a controller or processor will not restrict their ability to collect, use, or retain data to:

  • conduct internal research to develop, improve, or repair products, services, or technology;
  • effectuate a product recall;
  • identify and repair technical errors that impair existing or intended functionality; and
  • perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or parent or guardian of a child or the performance of a contract to which the consumer or parent or guardian of a child is a party.

In line with the above, the Act states that where a controller or processor discloses personal data to a third-party controller or processor in compliance with the limitation requirements provided within the Act, it is not in violation if the third-party controller or processor that receives and processes the personal data is in violation of the Act, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of the Act is likewise not liable for the offences of the controller or processor from which it receives such personal data.

Further to the above, the Act provides that personal data processed by a controller pursuant to §7 of the Act (i.e. the limitations section) can be processed to the extent that such processing is:

  • reasonably necessary and proportionate to the purposes listed;
  • adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section;
  • collected, used, or retained taking into account the nature and purpose(s) of such collection, use, or retention; and
  • subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data.

Pre-emptions

The Act establishes that it will supersede and pre-empt all rules, regulations, codes, ordinances, and other laws adopted by a city, county, municipality, or local agency regarding the processing of personal data by controllers or processors. Importantly, the Act highlights that any reference to federal, state, or local law or statute will be deemed to include any accompanying rules or regulations or exemptions thereto, or, in the case of a federal agency, guidance issued by such agency thereto.

Enforcement

The Act outlines that the Attorney General ('AG') has exclusive authority to enforce the Act's provisions and has the authority to initiate a civil investigation where there is reasonable cause to believe any person is engaging in, or is about to engage in, any violation of the Act. Importantly, before initiating any action, the AG must provide controllers or processors 90 days' written notice identifying the provisions of the Act alleged to have been violated. If, within the 90 days, the controller or processor rectifies the aforementioned violation and provides the AG an express written statement that the alleged violations have been resolved and that no further such violations shall occur, no action can be initiated against the controller or processor.

Notably, the Act clarifies that nothing within should be construed as providing the basis for, or being subject to, a private right of action for violations under the Act or under any other law.

Harry Chambers, Senior Privacy Analyst