On March 28, Iowa Governor Kim Reynolds signed Senate File 262, effective January 1, 2025, making Iowa the sixth state to offer comprehensive privacy protections. Iowa’s new legislation appears to be the most business-friendly omnibus privacy law yet, with fewer requirements than those of other states. The law will apply to a person who conducts business in Iowa or produces products or services targeted to Iowa residents, and who meets either of the following requirements in a calendar year: (1) processes the personal data of 100,000 consumers or more (consumers defined as residents of Iowa “acting only in an individual or household context”) or (2) controls or processes the personal data of at least 25,000 consumers and derives over 50% of annual gross revenue from the sale of personal data.
Below, we break down some of the key similarities and differences between the new Iowa privacy act and its peers.
A Familiar Face
As with the privacy laws in California, Colorado, Connecticut, Virginia, and Utah, Iowa’s law establishes consumer privacy rights, including the rights of access, deletion, and portability, and the right to opt out of sales of personal data. The requirements imposed on businesses also generally align with those of the other states. For example, it is unlikely that businesses will need to update their privacy policies if they are already compliant with the other state laws, due to the Iowa law’s conventional disclosure requirements.
The Iowa law provides more flexibility that companies will likely welcome. For example, companies have 90 days to respond to personal data requests (and an additional 45 days with good cause), which is a notable increase from most states’ 45-day timeline. And while penalties under the Iowa law could be steep (up to $7,500 per violation), the Iowa attorney general is required to provide businesses with a 90-day cure period with no sunset (unlike other states that do carry sunset provisions).
Absent from the law are some of the rights found in other states, such as the right to correct data or to opt out of the sale of personal information or targeted advertising via authorized agents or global device settings (e.g., the Global Privacy Control (GPC)). Additionally, the Iowa law does not grant consumers a private right of action, and it does not apply to residents acting in a commercial or employment context. Finally, the new act does not impose some of the privacy by design elements found in other laws, including risk assessment requirements and requirements to practice data minimization.
While additional states may pass omnibus privacy laws that diverge from the status quo, Iowa’s law does not increase the compliance burden for companies that are already compliant.
We will continue to monitor developments and publish updates as the legislative environment evolves.