Iowa’s Consumer Data Protection Act
Iowa’s Consumer Data Protection Act (ICDPA) was signed into law on March 28, 2023. It takes effect on January 1, 2025, three months after the Montana Consumer Data Privacy Act (MCDPA) and six months before the Tennessee Information Protection Act (TIPA).
The ICDPA has many similarities to the Utah Consumer Privacy Act (UCPA), although ICDPA is considered more business-friendly due to its less stringent requirements and its lenient “cure” periods to resolve violations.
But regardless of how “business-friendly” the law may appear, companies will still have to take steps to ensure compliance.
What You Need to Know About Iowa’s Privacy Law
Does your business:
- conduct business in Iowa or target products or services to Iowa consumers, and
- control or process either:
(a.) personal data of at least 100,000 Iowa consumers, or
(b.) personal data of at least 25,000 Iowa consumers while deriving more than 50% of gross revenue from the sale of personal data, and
- fall outside the exempt categories (governmental agencies, non-profits, institutions of higher education, and entities covered by HIPAA/HITECH or the Gramm-Leach-Bliley Act)?
If you answered YES to all three, the ICDPA applies to you!
- Review whether you process sensitive personal data, including citizenship or immigration status, and precise geolocation data.
- Implement or update your process for receiving and responding to Individual Rights Requests (including appeals!)
- Give the option of opting out of targeted advertising, the sale of personal data, and processing sensitive personal data.
- Ensure that your vendor contracts include appropriate privacy protections.
- Work with a privacy expert to prepare your business for ICDPA compliance.
- Exempt entities: ICDPA does not apply to governmental agencies, non-profits, institutions of higher education, and others, including entities covered by the Gramm-Leach-Bliley Act or HIPAA.
- Context: Like most of the other state privacy laws (with California being the notable exception), ICDPA does not apply to individuals acting in a commercial or employment context.
- Exempt data: data already governed by HIPAA, the Common Rule, the Driver’s Privacy Protection Act, FERPA, the Fair Credit Reporting Act, the Farm Credit Act, COPPA, and certain other federal laws is exempt.
Key Components of the ICDPA
Like many of the recently enacted state privacy laws, Iowa defines sensitive data to include the usual elements:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
These five categories are carved out to the extent the data is used to avoid discrimination on the basis of a protected class in a way that would otherwise violate federal or state anti-discrimination law. Iowa also includes:
- Genetic or biometric data processed for the purpose of uniquely identifying a natural person
- Precise geolocation data
- Personal data collected from a known child (anyone under the age of 13)
Concerning sensitive data, Iowa takes a narrower approach to individual rights than states such as Virginia, Colorado, Connecticut, and Montana, which require opt-in consent before sensitive data is processed. Like Utah, the ICDPA requires only that businesses give clear notice and an opportunity to opt out of the processing of sensitive data (and, for data collected from a known child, that they process it in accordance with COPPA).
Like the most recent state laws, including Colorado, Connecticut, and Montana, the ICDPA specifies that it should not be construed to restrict a business’s collection, use, or retention of personal data for:
- Conducting internal research for development, improvement, and repair of products, services, and technology (R&D)
- Product recalls
- Identifying and repairing technical errors that impair existing or intended functionality
- Performing internal operations.
Like almost all state privacy laws, including those of Utah, Virginia, Connecticut, and Montana, the ICDPA gives the Iowa Attorney General exclusive enforcement authority; there is no private right of action.
- Before bringing an action, the Attorney General must give the business written notice of the alleged violation and 90 days to cure it; the action may proceed only if the violation is not cured within that period.
- Iowa’s 90-day cure period is the longest of any state privacy law to date, and, unlike the cure provisions in several other states, it has no sunset date.
- When bringing an action, the Iowa Attorney General can request injunctive relief (an order that the company has to immediately stop certain behaviors) and/or civil penalties of up to $7,500 per violation.
Individual Rights Under the ICDPA
The individual rights created under the ICDPA are a subset of those found in other state laws; notably, Iowa provides no right to correct inaccurate personal data and no right to opt out of profiling.
If ICDPA applies to your business, you must allow consumers to:
- Confirm whether your business is processing the consumer’s personal data and, if so, access it
- Delete personal data provided by them
- Get a copy of certain personal data they provided (data portability)
- Opt-out of the sale of personal data
Iowa provides the most generous response timeframe we have seen among the states thus far: a business must respond to an Individual Rights Request within 90 days of receipt, and may extend that once by a further 45 days where reasonably necessary, provided it tells the consumer within the initial 90 days. A business that cannot authenticate a request using commercially reasonable efforts is not required to act on it, but may ask the consumer for additional information needed to authenticate it.
Responses must be provided free of charge up to twice a year per consumer. If the business declines to take a requested action, it must notify the consumer in writing, with the reasons for the refusal and instructions for appeal.
As we have seen with other recent state privacy laws, including Montana, the appeal process must be conspicuously available to the consumer and similar to the process for submitting requests. Businesses must respond to appeals within 60 days of receipt and, if denying an appeal, must provide an online mechanism, if available, or another method for contacting the Iowa Attorney General to submit a complaint.
Pseudonymous Data
Like Virginia, Montana, and other recent state laws, a business does not need to include pseudonymous data in its response to Individual Rights Requests.
Under the ICDPA, ‘pseudonymous data’ is defined as “personal data that cannot be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.”
One of the most common uses of pseudonymous data is in the clinical trial context, where each trial participant is assigned a unique, random ID.
Only the physician and other medical staff know the actual identity of the participants; other entities participating in the research (including the sponsor/manufacturing company, labs, and other supporting entities) have only the participant ID connected to the study data.
This approach can be adopted by other types of organizations, especially those that already assign identifiers through, for example:
- Loyalty or participation rewards programs such as frequent flier/renter/buyer/guest numbers
- Membership IDs (like insurance companies, libraries, and fitness centers)
- Player ID (for online and mobile games).
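The separation the statute describes, study data carrying only a random ID while the ID-to-identity mapping is held elsewhere under its own controls, is easy to get wrong in practice (for example, by deriving the ID from the identifiers, or by leaving an identifier column in the shared dataset). The following is an added example, not code from the original article or from Red Clover Advisors, that implements the clinical-trial pattern above. The field names (`mrn` for a medical record number used as the stable key, `name`, `email`, `phone`) and the visit records are constructed sample data chosen for illustration.

```python
"""Pseudonymization with a separately held re-identification table.

Added example (not from the original article). The clinic keeps the
IdentityVault; the sponsor and labs receive only the output of
pseudonymize(), which carries a random participant_id and no direct
identifiers. All field names and records are constructed sample data.
"""
import secrets
from typing import Dict, Iterable, List

# Fields that identify a person directly. They never leave the vault.
# "mrn" (medical record number) doubles as the stable key for one person.
DIRECT_IDENTIFIERS = {"mrn", "name", "email", "phone"}


class IdentityVault:
    """The 'additional information' kept separately from the study data.

    In production this lives in a separate system with its own access
    controls and audit log; a pair of dicts keeps the example runnable offline.
    """

    def __init__(self) -> None:
        self._by_key: Dict[str, str] = {}      # mrn -> participant_id
        self._identity: Dict[str, dict] = {}   # participant_id -> identifiers

    def participant_id(self, record: dict) -> str:
        """Return this person's participant ID, issuing one on first sight.

        The ID is random rather than derived from the identifiers, so a party
        holding only the study data cannot compute or brute-force the mapping.
        """
        key = record["mrn"]
        if key not in self._by_key:
            pid = secrets.token_hex(8)
            while pid in self._identity:       # collision is negligible, but cheap to check
                pid = secrets.token_hex(8)
            self._by_key[key] = pid
            self._identity[pid] = {f: record[f] for f in DIRECT_IDENTIFIERS if f in record}
        return self._by_key[key]

    def reidentify(self, pid: str) -> dict:
        """Only the vault holder (e.g., the treating physician) can do this."""
        return dict(self._identity[pid])


def pseudonymize(records: Iterable[dict], vault: IdentityVault) -> List[dict]:
    """Build the dataset shared with the sponsor and labs.

    Each record keeps its study fields, drops every direct identifier, and
    gains a participant_id; repeat visits by one person get the same ID so
    longitudinal analysis still works.
    """
    out: List[dict] = []
    for rec in records:
        pid = vault.participant_id(rec)
        study = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        study["participant_id"] = pid
        out.append(study)
    return out


def contains_direct_identifiers(records: Iterable[dict]) -> bool:
    """Release check: refuse to ship a dataset that still carries a direct identifier."""
    return any(DIRECT_IDENTIFIERS & rec.keys() for rec in records)


# Constructed sample: two visits for one participant and one for another.
SAMPLE_VISITS = [
    {"mrn": "MRN-0001", "name": "A. Example", "email": "a@example.invalid",
     "visit": 1, "systolic_bp": 128, "arm": "treatment"},
    {"mrn": "MRN-0002", "name": "B. Example", "phone": "000-0000",
     "visit": 1, "systolic_bp": 141, "arm": "placebo"},
    {"mrn": "MRN-0001", "name": "A. Example", "email": "a@example.invalid",
     "visit": 2, "systolic_bp": 121, "arm": "treatment"},
]


def demo():
    vault = IdentityVault()                             # stays with the clinic
    study_data = pseudonymize(SAMPLE_VISITS, vault)     # goes to sponsor and labs
    if contains_direct_identifiers(study_data):
        raise RuntimeError("refusing to release: direct identifier present")
    # Re-identification is possible only with the separately held vault.
    who = vault.reidentify(study_data[0]["participant_id"])
    return study_data, who


if __name__ == "__main__":
    data, who = demo()
    for row in data:
        print(row)
    print("vault holder can re-identify:", who)
```

Two design points matter for the statutory definition. First, the ID is random, not a hash of the identifiers: a keyed or unkeyed hash of a name or MRN can be reversed by anyone who can enumerate plausible inputs, which would defeat the "cannot be attributed ... without the use of additional information" test. Second, the release check runs on the actual dataset being shared, so a stray identifier column added upstream fails loudly rather than leaking.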
Data Protection Assessments aka Privacy Impact Assessments
Unlike many of the recent state privacy laws, Iowa does not include a requirement to conduct Data Protection or Privacy Impact Assessments.
Vendor Contracts
ICDPA requires that a contract be in place that dictates what vendors must do with respect to processing personal data. Contracts must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.” In addition, the contract must require that the processor:
- Ensure it binds each person that processes personal data to a duty of confidentiality
- Delete or return all personal data when it has completed the services unless retention of the personal data is required by law
- Make available all information necessary to demonstrate the processor’s compliance with its obligations
- Pass along the same obligations to any subcontractor in a written contract
The ICDPA does not require that vendors provide or make themselves available for audits.
Data Privacy is Just Good Business
Managing privacy compliance with all these new state privacy laws popping up in the U.S. might seem like a daunting task. But just because the task appears daunting doesn’t mean it’s impossible to handle.
You don’t have to go at it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate.