Iowa, the Hawkeye State, has become the 6th American state, and the first in 2023, to pass a comprehensive data privacy law after Governor Kim Reynolds signed the bill into law yesterday, March 28. The bipartisan bill flew through the Iowa Congress with nearly unanimous support (only 2 state representatives voted against it).
Using Virginia's VCDPA as a template has again proven a quick and efficient way for a state to enact a comprehensive data privacy law. Iowa's TBD-named bill models the vast majority of its features after the VCDPA, marking yet another victory for state-level regulation in the absence of a federal American data protection law.
A few of the main similarities to the VCDPA are:
- No private right of action
- Definition of 'personal data'
- A significant number of exemptions, including entities (not data) subject to HIPAA or the GLBA, in addition to government organizations, nonprofits, and universities
- User data rights to access, deletion, portability, and opting out of the sale of personal data
- Opt-in consent for data on children under 13, as well as compliance with COPPA
- Data processing contracts
- Transparency on data processing types and purposes, as well as consumer data rights and third-party data agreements
- Enforcement only by the state Attorney General
- Fines of $7,500 per violation
A few unique things to note about the Iowa data privacy law are:
- Impact assessments are not required
- No personal right to correct personal data
- Opt-out rather than opt-in for the processing of sensitive data (similar to California's CCPA)
- Sensitive data includes racial origins, sexual orientation, health diagnoses, religious beliefs, citizenship status, biometric data, precise geolocation data, and all children's data (a slightly longer list than the VCDPA)
Any non-exempt business that processes at least 100,000 Iowans' data or makes at least 50% of revenue while processing over 25,000 Iowans' data during a calendar year will need to comply.