Iowa Data Privacy Law: analyzing the US's 6th state-level regulation
Iowa, the Hawkeye State, has become the 6th American state and the first in 2023 to pass a comprehensive data privacy law, coined the Iowa Consumer Data Protection Act, or ICDPA, after Governor Kim Reynolds signed the bill into law on March 28.
How Iowa’s Data Privacy Law Came About
The bipartisan bill flew through the Iowa Congress with nearly unanimous support (only 2 state representatives voted against it).
Like Utah’s data privacy law, Iowa kicked things off by examining Virginia's VCDPA as a template, which has again proven a quick and efficient way for a state to enact a comprehensive data privacy law. This proves yet another victory for state-level regulation in the absence of a federal American data protection law.
Any non-exempt business that processes the data of at least 100,000 Iowans OR makes at least 50% of revenue while processing the data of over 25,000 Iowans during a calendar year will need to comply.
The ICDPA will go into effect on January 1, 2025, so there is a nearly two-year implementation window. However, as the bill’s broader strokes are so similar to existing legislation like Virginia’s and Utah’s regulations, in addition to it generally being more business-friendly than consumer-centric, companies should not experience many challenges complying with this if they comply with other data compliance regulations.
ICDPA Similarities to VCDPA
As mentioned above, the Iowa data privacy law borrows a lot from the VCDPA, including a long list of exemptions, no private right of action, and a $7500 fine for violations.
Consumer Rights and definitions:
- User data rights to access, delete, portability, and opt-out of the sale of personal data
- No private right of action
- Definition of 'personal data'
- Transparency on data processing types and purposes, as well as consumer data rights and third party data agreements
*While most definitions are borrowed from the VCDPA (which based much of its own initial language off the GDPR), one notable difference is the full definition of what constitutes sensitive personal data, which includes racial origins, sexual orientation, health diagnoses, religious beliefs, citizenship status, biometric data, precise geolocation data, and all children's data. This more closely aligns with California’s CPRA than other state-level regulations.
- Exemptions for entities (not data) subject to HIPAA or the GLBA, in addition to government organizations, nonprofits, and universities
- Opt-in consent for data on children under 13 as well as in compliance with COPPA
- Data processing contracts
- Enforcement only by the state Attorney General
- Fines of $7500 per violation
Iowa Data Privacy Law Criticisms
The conversation around the new Iowa Data Privacy Law is still in its infancy, and there is time for amendments before the 2025 implementation date, but data privacy advocates including Consumer Report have already spoken out in saying the bill does not properly guarantee consumer privacy rights.
The lack of a private right of action and a long list of exempted entities are pro-business aspects of the bill, but even several unique aspects of the ICDPA lean heavily toward business and away from consumers.
Firstly, impact assessments or any analogue are not required, which alone is a potential worry since businesses might not actually invest in privacy but rather try to cut corners to manage “compliance” without the full responsibilities that actually come with being compliant.
Secondly, Iowa stretched timelines related to data privacy to give businesses much, much longer periods to deal with issues before facing any repercussions.
Regarding data subject access requests (DSARs), Iowa’s new data privacy law grants businesses 90 days to respond rather than the 45 day limit in the CCPA and VCDPA.
Worse? Iowa has set a perpetual 90-day cure period to give businesses ample time to fix violations. With the CPRA amending Californian regulation to completely eliminate the cure period in alignment with GDPR standards, the ICDPA is a major step backwards. Even the VCDPA’s cure period is only 30 days, so with 90, no business should ever end up paying a fine.
Additional problems with the Iowa data privacy bill? It features opt-outs to process sensitive data rather than opt-ins, and does not include the personal right for consumers to correct personal data, the right to opt out of profiling, or the right to opt-out of the use of personal data for targeted advertising.
Without opt-out rights for targeted advertising or profiling, opportunities are rife for unhealthy data usage and biased decision making as the use of AI tools continues to grow.
Despite Iowa’s data privacy law continuing to move the needle towards business-oriented desires of what data privacy should be in the U.S., it is a positive sign to see another state bill passed, and one passed so quickly.
Iowa was not even on the immediate radar of states to watch for data privacy professionals in 2022, so it has helped spur momentum and created the impression that a state that actually wants to pass data compliance legislation can.
In simple terms, it will be much easier in the future for states to amend and further data privacy legislation than to create highly progressive legislation right out of the gate–which is exactly what happened in California with the CCPA followed up by CPRA amendments a few years later.
Considering that, the ICDPA is another step forward for American data protection, even if some parts of the bill leave many scratching their heads.