LOGIN Request a call


March 2023: Iowa to Be Sixth State to Pass a Consumer Privacy Statute

28 Mar


Update Applicable to:
All businesses that control or process personal data on 100,000 consumers in the state or derive 50% of their revenue from selling the data of more than 25,000 consumers in the state of Iowa.

What happened?
On March 15, 2023, the Iowa legislature unanimously passed Senate File 262, the Consumer Privacy Act related to consumer data and privacy protection.

What are the details?
Covered Businesses
Covered businesses that must comply with the requirements of this new consumer privacy law are those entities that control or process personal data on 100,000 consumers in the state or derive 50% of their revenue from selling the data of more than 25,000 consumers.

Consumer Defined
Under the statute, a consumer is defined as a natural person who resides in Iowa and acts only in an individual or household context. The definition of consumer excludes individuals acting in a commercial or an employment context.

Personal Data
The Act applies to Personal Data, which means information linked or reasonably linkable to an identified individual or an identifiable individual.

Consumer Data Rights
The statute provides consumers with the following rights:

  • To confirm that covered businesses are processing the consumer’s data and accessing that personal data.
  • To delete personal data provided by the consumer.
  • To port the personal data.
  • To obtain a copy of the consumer’s data with certain limitations.
  • To opt out of processing for the sale of personal data or targeted advertising.

Covered Business Obligations
Covered businesses under the statute must comply with requests by consumers to exercise their rights as follows:

  • Respond to consumer requests without undue delay, but in all cases, within 90 days of receipt. The response period may be extended by 45 days when reasonably necessary, based on the complexity of the request and the number of consumer requests.
  • If the covered business declines to act, it must inform the consumer.
  • Information provided in response to a consumer request must be provided to the consumer free of charge twice annually per consumer.

In addition to complying with consumer requests, covered businesses must:

  • Adopt reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
  • Protect sensitive data, a broad category under the statute that includes racial information, biometric data, and even geolocation, but not processing such data without the consumer having been presented with clear notice and an opportunity to opt out of such processing.
  • Avoid processing data to violate the state or federal laws that prohibit unlawful discrimination against a consumer. Moreover, a covered business may not discriminate against a consumer for exercising rights under the statute, including denying goods or services or changing the prices or rates.
  • Contractually obligate processors to adhere to the business’s instructions, where the business is a controller, and implement appropriate technical and organizational measures to assist the controller in meeting its obligations under the Act.  
  • Develop a privacy notice and a secure and reliable means for consumers to submit requests to exercise their rights.

The statute does not include a private right of action, and the attorney general of the state has exclusive authority to enforce the provisions of this chapter.

Once the governor signs, the statute will become operative on January 1, 2025.

For more information, please see the links below:

Senate File 262

Article 1Article 2

What do employers need to do?
Employers should review the links provided above and should be on the lookout for any more news regarding this possible new law. Once the governor of Iowa signs it, Vensure will provide more communication and updates.

Need help understanding how changes to employment laws will affect your business?

Learn more about how Vensure's Iowa PEO services can help you navigate complex employment laws and keep your business compliant.

This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.

Keep Your Business Compliant

Fill out the form below to receive monthly Employment Law Updates right in your inbox.

Keep Your Business Compliant

Fill out the form below to receive monthly Employment Law Updates right in your inbox.


You're all set.

Thanks for subscribing. Be on the look out for the Legal HR updates in your email.

Tracking Convertion image