Iowa Consumer Data Protection Act

What you need to know about the ICDPA:

To Whom Does ICDPA Apply?

The ICDPA applies to for-profit entities that:

  1. Conduct business in Iowa or produce products or services that are targeted to Iowa residents (Consumers), and 
  2. Annually control or process the personal information of at least:
    1. 100,000 Consumers; or
    2. 25,000 Consumers, while deriving over 50% of gross revenue from the sale of personal information.

Where Does Iowa’s Law NOT Apply?

Exempt Entities: Exempt entities include:

  • Non-profits;
  • State government entities;
  • Institutions of higher education;
  • HIPAA-covered entities and business associates; and
  • GLBA-covered entities.

Exempt Data: The ICDPA exempts a long list of data categories, including but not limited to:

  • Protected Health Information (PHI) under HIPAA;
  • Data covered by the Gramm-Leach-Bliley Act (GLBA);
  • Other federally and internationally protected health and patient information, including human subject research data protected by the Common Rule and similar frameworks;
  • Credit data regulated by the Fair Credit Reporting Act (FCRA); and
  • Data covered by a variety of other federal laws, including the Family Educational Rights and Privacy Act (FERPA), the Farm Credit Act, and the Driver’s Privacy Protection Act.

Exempt Use Cases: The ICDPA does not apply in some circumstances, most notably:

  • Processing PI about an individual acting in an employment or commercial (B2B) context, since such individuals are not “Consumers” under the law.

In addition, the ICDPA specifies that it should not be construed to restrict a business’s ability to collect, use, or retain PI for:

  • Conducting internal research to develop, improve, or repair products, services, and technology (R&D);
  • Effectuating product recalls;
  • Identifying and repairing technical errors that impair existing or intended functionality; and
  • Performing internal operations that are reasonably aligned with the consumer’s expectations.

Key Components of the ICDPA

What Constitutes PI under the ICDPA?

The ICDPA covers “personal data,” also called personal information or PI, which Iowa defines as “any information that is linked or reasonably linkable to an identified or identifiable individual.” The definition excludes de-identified or aggregate data and publicly available information, meaning information lawfully made available through government records, through widely distributed media, or by the consumer.

What Constitutes Sensitive PI?

Iowa’s definition of sensitive PI includes the following, except to the extent such data is used in order to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law:

  • Racial or ethnic origin;
  • Religious beliefs;
  • Mental or physical health diagnosis;
  • Sexual orientation;
  • Citizenship or immigration status.

It also includes, without that exception:

  • Genetic or biometric data processed for identification purposes;
  • PI collected from a known child; and
  • Precise geolocation data.

Any Other Categories of Data I Should Think About?

Where a controller holds de-identified data, Iowa requires it to take reasonable measures to ensure the data cannot be associated with an individual. Notably, Iowa does not require what most other states do for de-identified data: a public commitment by the controller to maintain and use the data without attempting to re-identify it. The obligations that attach when such data is shared with processors are also somewhat watered down. Controllers must monitor processors’ compliance with the contractual obligations that cover pseudonymous or de-identified data, but the law does not explicitly require those contracts to prohibit re-identification.

Iowa also exempts pseudonymous data from consumer rights requests where the controller can demonstrate that the information needed to re-identify the data is kept separately and is subject to effective technical and organizational controls that prevent it from being used for re-identification.

Is Consent Needed to Process Sensitive PI?

In a word: NO!

However, before processing sensitive PI, controllers must present consumers with clear notice and an opportunity to opt out of that processing. Iowa is therefore an opt-out state for sensitive PI, not an opt-in state.

Is Consent Needed for Any Other Processing?

Parental consent is required to process PI about a known child (under 13). Obtaining verifiable parental consent under COPPA satisfies this requirement, but the law does not mandate COPPA’s specific consent procedure.

What Needs to Be Included in the Privacy Notice?

A privacy notice must include:

  • The categories of PI the controller processes;
  • The purposes for processing PI;
  • The categories of third parties with which the controller shares PI;
  • The categories of PI that the controller shares with third parties;
  • The methods by which a consumer may exercise their rights (see below) and appeal a decision on a rights request; and
  • Where the controller sells PI or engages in targeted advertising, a clear and conspicuous disclosure of that activity and of the procedure for opting out of it.

What Constitutes “Sale” of PI?

Iowa uses the narrower definition of “sale”: the exchange of PI for monetary consideration only, rather than for “monetary or other valuable consideration” as in several other state laws.

The definition also carves out activities that should not be impeded by the law. Examples of disclosures deemed not to be a sale include: disclosing PI to a processor, or to a third party, in order to provide a product or service the consumer requested; disclosing PI to an affiliate of the controller; disclosing PI that the consumer intentionally made available to the general public; and transferring PI as part of a merger, acquisition, or bankruptcy.

How Will Iowa’s Law Be Enforced?

The Iowa attorney general (AG) has sole enforcement authority; there is no private right of action. Before bringing an enforcement action, the AG must give the business written notice and a 90-day period to cure the alleged violation(s), the longest cure period of any state privacy law to date, and this cure period does not sunset. If the violation is not cured, the AG may seek injunctive relief (the company must stop certain behaviors) and/or civil penalties of up to $7,500 per violation, plus attorney’s fees, investigative costs, and any other relief the court determines appropriate.

Data Privacy is Just Good Business