
Iowa: ICDPA - FAQs

Senate File 262, An Act relating to consumer data protection (ICDPA), was signed by the Governor of Iowa, Kim Reynolds, on March 28, 2023, following its passage by the State Senate and House of Representatives.

The ICDPA introduces obligations for data controllers and duties for data processors, as well as consumer rights, and will enter into effect on January 1, 2025.


Scope, applicability, and key definitions

Who does the ICDPA apply to?

The ICDPA applies to persons conducting business in Iowa or producing products or services that are targeted to consumers who are Iowa residents and that, during a calendar year, do either of the following:

  • control or process the personal data of at least 100,000 consumers; or
  • control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

However, the ICDPA clarifies that political subdivisions of the state, financial institutions, affiliates of financial institutions, or data subject to the Gramm-Leach-Bliley Act (GLBA), and persons subject to the Health Insurance Portability and Accountability Act (HIPAA) are not subject to the ICDPA. In addition, non-profit organizations and institutions of higher education are not subject to the ICDPA.

Are certain data exempted from the application of the ICDPA?

Certain types of information are exempt under the ICDPA, including:

  • protected health information under HIPAA;
  • health records;
  • information used only for public health activities and purposes as authorized by HIPAA;
  • personal data used or shared in research conducted in accordance with the requirements of the ICDPA or other research conducted in accordance with applicable law;
  • the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and under the Fair Credit Reporting Act (FCRA);
  • data processed or maintained:
    • in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role;
    • as the emergency contact information of an individual under this chapter used for emergency contact purposes; and/or
    • that is necessary to retain to administer benefits for another individual relating to the individual under point one and used for the purposes of administering the same; and/or
  • personal data used in accordance with the Children's Online Privacy Protection Act (COPPA).

How does the ICDPA define 'consumers'?

A 'consumer' under the ICDPA is defined as a natural person who is a resident of the state acting only in an individual or household context and excluding a natural person acting in a commercial or employment context.

How does the ICDPA define a 'controller'?

A 'controller' means a person that, alone or jointly with others, determines the purpose and means of processing personal data.

How does the ICDPA define 'personal data'?

Under the ICDPA, 'personal data' means any information that is linked or reasonably linkable to an identified or identifiable natural person.

How does the ICDPA define 'consent'?

Under the ICDPA, 'consent' may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

How does the ICDPA define 'sensitive data'?

'Sensitive data' under the ICDPA is defined as information related to:

  • racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship and immigration status, except where such data is used to avoid discrimination on the basis of protected classes that would violate a federal or state anti-discrimination law;
  • genetic or biometric data processed for the purpose of uniquely identifying a natural person;
  • the personal data collected from a child; and
  • precise geolocation data.

How does the ICDPA define 'processing'?

Under the ICDPA 'processing' is defined as any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data (§715D.1(20) of the ICDPA).

How does the ICDPA define a 'processor'?

A 'processor' means a person that processes personal data on behalf of a controller.

Determining whether a person is acting as a controller or processor is a fact-based determination that depends on the context in which personal data is to be processed. A processor which continues to adhere to a controller's instructions with respect to specific processing of personal data remains a processor.

How does the ICDPA define 'sale' of personal data?

The ICDPA defines the 'sale of personal data' as 'the exchange of personal data for monetary consideration by the controller to a third party.'

Notably, 'sale of personal data' does not include:

  • 'the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
  • the disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer or a parent of a child;
  • the disclosure or transfer of personal data to an affiliate of the controller;
  • the disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience;
  • the disclosure or transfer of personal data when a consumer uses or directs a controller to intentionally disclose personal data or intentionally interact with one or more third parties; and
  • the disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.'

Key provisions and requirements

Does the ICDPA provide for consumer rights?

The ICDPA establishes consumer data rights that may be invoked at any time by submitting a request to the controller. In addition, these rights can also be invoked by a known child's parent or legal guardian on behalf of the known child regarding the processing of data belonging to the child. To this end, a controller must comply with an authenticated consumer request.

Further to the above, the consumer data rights provided under the ICDPA include the right to:

  • be informed: confirm whether a controller is processing the consumer's personal data and access such personal data;
  • deletion: delete the personal data provided by the consumer;
  • portability: obtain a copy of the consumer's personal data that the consumer previously provided to the controller (except personal data defined as 'personal information' that is subject to security breach protection) in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and
  • opt-out: opt-out of the sale of personal data.

Under the ICDPA, information provided to consumers must be provided free of charge, up to twice annually per consumer. However, controllers may charge a fee where the consumer request is manifestly unfounded, excessive, repetitive, technically unfeasible, or the controller believes that the primary purpose of the request is not to exercise a consumer right. Importantly, the controller bears the burden of demonstrating the manifestly unfounded, excessive, repetitive, or technically unfeasible nature of the request. Furthermore, the ICDPA stipulates that the controller is responsible for establishing a process for a consumer to appeal refusals within a reasonable period of time.

Importantly, the above consumer rights will not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. Furthermore, a controller or processor is not required to comply with an authenticated consumer rights request where:

  • the controller is not reasonably capable of associating the request with personal data or it would be unreasonably burdensome for the controller to associate the request with personal data;
  • the controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and
  • the controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted by the ICDPA.

Are there obligations in relation to sensitive data?

Controllers must not process sensitive consumer data for a non-exempt purpose without the consumer having been presented with a clear notice and the opportunity to opt out of such processing. In the case of processing children's data, such processing must occur in accordance with the Children's Online Privacy Protection Act (COPPA).

What are the main obligations for data controllers?

The ICDPA provides that controllers must adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and availability of personal data. On this point, the ICDPA stipulates that such practices should be appropriate to the volume and nature of the personal data at issue.

The ICDPA also stipulates that controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the following:

  • the categories of personal data processed by the controller;
  • the purpose for processing personal data;
  • how consumers may exercise their consumer rights including how a consumer may appeal a controller's decision with regard to the consumer's request;
  • the categories of personal data that the controller shares with third parties, if any; and
  • the categories of third parties, if any, with whom the controller shares personal data.

Controllers must also describe secure and reliable means for exercising consumer rights, considering the ways in which consumers normally interact with the controller, and the ability of the controller to authenticate the identity of the consumer making the request.

If a controller sells a consumer's personal data to third parties or engages in targeted advertising, the controller must clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out.

The ICDPA also provides that personal data processed by a controller pursuant to §7 of the ICDPA may be processed only to the extent that such processing is:

  • reasonably necessary and proportionate to the purposes listed;
  • adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section;
  • collected, used, or retained taking into account the nature and purpose(s) of such collection, use, or retention; and
  • subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data.

The ICDPA provides a list of items that the obligations imposed on controllers or processors must not restrict, including, among other things:

  • complying with federal, state, or local laws, rules, or regulations;
  • complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
  • cooperating with law enforcement agencies concerning conduct or activity that the controller or processor, reasonably and in good faith, believes may violate federal, state, or local laws, rules, or regulations;
  • investigating, establishing, exercising, preparing, or defending legal claims;
  • providing a product or service specifically requested by a consumer or parent or guardian of a child, performing a contract to which the consumer or parent or guardian of a child is a party, including fulfilling the terms of a written warranty, or taking steps at the request of the consumer or parent or guardian of a child prior to entering into a contract;
  • preserving the integrity or security of systems; and
  • investigating, reporting, or prosecuting those responsible for any such action.

The ICDPA also clarifies that the obligations imposed on a controller or processor will not restrict their ability to collect, use, or retain data to:

  • conduct internal research to develop, improve, or repair products, services, or technology;
  • effectuate a product recall;
  • identify and repair technical errors that impair existing or intended functionality; and
  • perform internal operations that are reasonably aligned with the expectations of the consumer or are reasonably anticipated based on the consumer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or parent or guardian of a child or the performance of a contract to which the consumer or parent or guardian of a child is a party.

What are the main obligations for data processors?

Processors must assist a controller in their duties, taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, in order to:

  • fulfill the controller's obligation to respond to consumer rights requests; and
  • meet the controller's obligations in relation to the security of processing personal data and in relation to the notification of a security breach of the processor.

Are vendor privacy relationships regulated under the ICDPA?

In determining whether a person is acting as a controller or processor with respect to specific processing of data, the ICDPA explains that it is a fact-based determination that depends upon the context in which personal data is to be processed. To this end, a processor that continues to adhere to a controller's instructions with respect to the specific processing of personal data remains a processor.

The ICDPA requires a contract between controllers and processors that sets forth the instructions for processing personal data, the duration of the processing, the type of data subject to processing, and the rights and duties of both parties. Controller-processor contracts under the ICDPA must:

  • ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
  • at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
  • upon the reasonable request of the controller, make available to the controller all information in the processor's possession necessary to demonstrate the processor's compliance with the obligations in this chapter; and
  • engage any subcontractor or agent pursuant to a written contract in accordance with this section that requires the subcontractor to meet the duties of the processor with respect to personal data.

Are Data Protection Impact Assessments regulated under the ICDPA?

The ICDPA does not address Data Protection Impact Assessments.

Who is empowered to enforce violations of the ICDPA?

The Iowa Attorney General (AG) has exclusive authority to enforce the ICDPA's provisions and may initiate a civil investigation where there is reasonable cause to believe any person is engaging in, or is about to engage in, any violation of the ICDPA.

What penalties are controllers and processors facing under the ICDPA?

Before initiating any action, the AG must provide controllers or processors with 90 days' written notice identifying the provisions of the ICDPA that are alleged to have been, or that have been, violated. If, within the 90 days, the controller or processor rectifies the aforementioned violation and provides the AG with an express written statement that the alleged violations have been resolved and that no further such violations shall occur, no action can be initiated against the controller or processor.

The AG may bring an action in the name of the state, and seek an injunction to restrain any violations of the ICDPA and/or a civil penalty that does not exceed $7,500 for each violation.

Next stages

What is the legislative status of the ICDPA?

The ICDPA was signed by the Governor of Iowa on March 28, 2023.

When will the ICDPA come into force?

The ICDPA will go into effect on January 1, 2025.

Harry Chambers Senior Privacy Analyst