Update Applicable to:
All businesses that control or process personal data on 100,000 consumers in the state or derive 50% of their revenue from selling the data of more than 25,000 consumers in the state of Iowa.
On March 15, 2023, the Iowa legislature unanimously passed Senate File 262, the Consumer Privacy Act related to consumer data and privacy protection.
Download Our Free Benefits Guide
Download our Benefits Brochure to see how we can provide Fortune 500-level benefits at a fraction of the cost.Download Guide
What are the details?
Covered businesses that must comply with the requirements of this new consumer privacy law are those entities that control or process personal data on 100,000 consumers in the state or derive 50% of their revenue from selling the data of more than 25,000 consumers.
Under the statute, a consumer is defined as a natural person who resides in Iowa and acts only in an individual or household context. The definition of consumer excludes individuals acting in a commercial or an employment context.
The Act applies to Personal Data, which means information linked or reasonably linkable to an identified individual or an identifiable individual.
Consumer Data Rights
The statute provides consumers with the following rights:
- To confirm that covered businesses are processing the consumer’s data and accessing that personal data.
- To delete personal data provided by the consumer.
- To port the personal data.
- To obtain a copy of the consumer’s data with certain limitations.
- To opt out of processing for the sale of personal data or targeted advertising.
Covered Business Obligations
Covered businesses under the statute must comply with requests by consumers to exercise their rights as follows:
- Respond to consumer requests without undue delay, but in all cases, within 90 days of receipt. The response period may be extended by 45 days when reasonably necessary, based on the complexity of the request and the number of consumer requests.
- If the covered business declines to act, it must inform the consumer.
- Information provided in response to a consumer request must be provided to the consumer free of charge twice annually per consumer.
In addition to complying with consumer requests, covered businesses must:
- Adopt reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
- Protect sensitive data, a broad category under the statute that includes racial information, biometric data, and even geolocation, but not processing such data without the consumer having been presented with clear notice and an opportunity to opt out of such processing.
- Avoid processing data to violate the state or federal laws that prohibit unlawful discrimination against a consumer. Moreover, a covered business may not discriminate against a consumer for exercising rights under the statute, including denying goods or services or changing the prices or rates.
- Contractually obligate processors to adhere to the business’s instructions, where the business is a controller, and implement appropriate technical and organizational measures to assist the controller in meeting its obligations under the Act.
- Develop a privacy notice and a secure and reliable means for consumers to submit requests to exercise their rights.
The statute does not include a private right of action, and the attorney general of the state has exclusive authority to enforce the provisions of this chapter.
Once the governor signs, the statute will become operative on January 1, 2025.
Schedule a Call
Learn more about VensureHR and how we can make an impact on your business.Contact VensureHR
For more information, please see the links below:
What do employers need to do?
Employers should review the links provided above and should be on the lookout for any more news regarding this possible new law. Once the governor of Iowa signs it, Vensure will provide more communication and updates.