Iowa follows the lead of Utah and Virginia in defining ‘sale’ narrowly to include only exchange for money or monetary consideration.
Individual Rights Under the ICDPA
The individual rights created under ICDPA align with those provided under other state laws.
If ICDPA applies to your business, you must allow consumers to:
- Confirm whether your business is processing the consumer’s personal data and, if so, access it
- Delete personal data provided by them
- Get a copy of certain personal data they provided (data portability)
- Opt-out of the sale of personal data
Iowa provides the most generous timeframe we have seen among the states thus far for responding to Individual Rights Requests; responses must be provided within 90 days of receipt of request unless the business has been unable to authenticate a request, with a permissible 45-day extension in limited circumstances.
Responses must be provided free of charge at least twice a year. If the business declines to take a requested action, the consumer must be notified in writing, along with instructions for appeal.
As we have seen with other recent state privacy laws, including Montana, the appeal process must be conspicuously available to the consumer and similar to the process for submitting requests. Businesses must respond to appeals within 60 days of receipt and, if denying an appeal, must provide an online mechanism, if available, or another method for contacting the Iowa State Attorney General to submit a complaint.
As under the Virginia, Montana, and other recent state laws, a business does not need to include pseudonymous data in its response to Individual Rights Requests.
Under the ICDPA, ‘pseudonymous data’ is defined as “personal data that cannot be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.”
One of the most common uses of pseudonymous data is in the clinical trial context, where each trial participant is assigned a unique, random ID.
Only the physician and other medical staff know the actual identity of the participants; other entities participating in the research (including the sponsor/manufacturing company, labs, and other supporting entities) have only the participant ID connected to the study data.
This approach can be adopted by other types of organizations, especially those that already assign identifiers through, for example:
- Loyalty or participation rewards programs such as frequent flier/renter/buyer/guest numbers
- Membership IDs (like insurance companies, libraries, and fitness centers)
- Player IDs (for online and mobile games)
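The separation the definition above turns on, shown as an added example (not from the article or any of the statutes it cites): direct identifiers are split off into a key table that only the physician's side holds, while the study data that sponsors and labs receive carries nothing but a random participant ID. The patient records, field names and the `pseudonymize`/`reidentify` helpers are constructed for illustration.

```python
import secrets

# Constructed sample records; names and values are fictitious.
PATIENTS = [
    {"name": "Alice Example", "dob": "1980-02-14", "email": "alice@example.org", "hba1c": 6.9},
    {"name": "Bob Example", "dob": "1975-09-30", "email": "bob@example.org", "hba1c": 7.4},
    {"name": "Cara Example", "dob": "1992-06-01", "email": "cara@example.org", "hba1c": 5.8},
]

# Fields that identify a person directly and therefore never leave the key table.
DIRECT_IDENTIFIERS = {"name", "dob", "email"}


def pseudonymize(records, id_bytes=8):
    """Return (study_data, key_table).

    study_data: records with direct identifiers replaced by a random participant ID.
    key_table:  participant ID -> direct identifiers. This is the "additional
                information" in the ICDPA definition and must be stored and
                access-controlled separately from study_data.
    """
    study_data, key_table = [], {}
    for rec in records:
        # Random IDs rather than a hash of name/email: a hash of a guessable value
        # can be recomputed by anyone, which would defeat the separation.
        pid = secrets.token_hex(id_bytes)
        while pid in key_table:  # collision guard (astronomically unlikely, but cheap)
            pid = secrets.token_hex(id_bytes)
        key_table[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS if k in rec}
        study_data.append(
            {"participant_id": pid, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}}
        )
    return study_data, key_table


def reidentify(study_record, key_table):
    """Re-join one study record with its identity; only the key-table holder can do this."""
    pid = study_record["participant_id"]
    if pid not in key_table:
        raise KeyError("unknown participant id")
    return {**key_table[pid], **{k: v for k, v in study_record.items() if k != "participant_id"}}


def leaks_direct_identifiers(study_data):
    """Check before release: True if any record still carries a direct identifier."""
    return any(DIRECT_IDENTIFIERS & set(rec) for rec in study_data)
```

The same split applies to the loyalty, membership and player IDs listed above: the ID can travel with usage data, but the table mapping it back to a person stays behind a separate control boundary.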