Iowa Enacts Business-Friendly Privacy Law

“In our digital age, it’s never been more important to state, clearly and unmistakably, that consumers deserve a reasonable level of transparency and control over their personal data,” said Reynolds on signing SF-262.

Iowa’s opt-out privacy law will take effect Jan. 1, 2025, and applies to businesses that have data on at least 100,000 Iowa residents or get more than 50% of revenue from selling data of 25,000 or more Iowans. The law will be enforced solely by the state attorney general, with no private right of action. Upon notification of a possible violation, businesses will get 90 days to cure the issue. Otherwise, the AG could assess $7,500 per violation.

Iowa’s privacy law fails to raise “the baseline of protections for consumers,” said Schwartz. Rights to access, know and opt out from “limited types of data sharing” are “undercut by really weak definitions of sales [and] targeted advertising,” he said. It doesn’t require companies to honor global opt-out mechanisms including browser-based do-not-track options, meaning users will have to opt out from each business one by one, Schwartz said. It’s most like Utah’s law but may be weaker since it doesn’t give users a clear right to opt out of targeted advertising, the CR official said. The 90-day right to cure is the longest of any state. Connecticut and Colorado gave 60 days, but at least they sunset, he said.

“There’s nothing unique in there,” Husch Blackwell David Stauss told us: What’s most significant is that six states now have privacy laws. Iowa's joining Utah’s “very business-friendly” approach could encourage some other states to go in that direction, the privacy lawyer said. But Stauss doesn’t think it will sway Congress to switch from the approach in the American Data Privacy and Protection Act.

Excluding an explicit consumer right to opt out of targeted ads might be a drafting error in the Iowa bill, said Stauss, pointing out it defines targeted advertising and directs businesses to give consumers a way to opt out. He said he wouldn’t be surprised if the legislature tries to fix it next year: “These are long complex bills and sometimes mistakes happen.”

Iowa’s privacy law is most like Utah’s, which is considered one of the most business-friendly state laws, privacy experts said in recent blogs. "Because this law is modeled after existing state laws, it will result in very little, if any, new compliance burdens on organizations already complying with other laws,” CompliancePoint Director-Privacy Services Matt Dumiak blogged this week.

That another state has a privacy law is significant, but the Iowa law “doesn’t provide any novel rights for consumers or requirements on companies,” blogged Kelley Drye privacy attorneys Aaron Burstein and Rod Ghaemmaghami last week. "It stays within the boundaries established by other state privacy laws and closely resembles" Utah's law, "with a few additional business-friendly terms." It provides exemptions for all consumer rights for pseudonymous data, "including the opt-out rights, which are not exempt in other states,” the lawyers noted. "Also omitted from SF 262 are an opt-in consent requirement for sensitive data, a right to correct, a duty to conduct privacy or security risk assessments, and a private right of action.”

The new state law received kudos from the Computer & Communications Industry Association. “Iowa’s commitment to setting baseline privacy rules for consumers has successfully come to fruition," said CCIA State Policy Director Khara Boender.

Many other states are angling to pass the seventh state privacy law. CR is closely watching bills that passed one chamber in Indiana, Hawaii, Kentucky and New Hampshire, said Schwartz: Earlier-stage bills in Oregon, Tennessee and Texas also show movement. It’s too late to pass Vermont’s bill this session, but it can still be advanced by committee this year and taken up again in 2024, he said. Stauss has eyes on Indiana, Tennessee, New Hampshire, Montana and Oregon, the privacy lawyer said.

‘Frankenstein’ in Vermont?

"There is no federal privacy standard currently, and so it falls to the states to fill in those gaps,” Vermont Assistant Attorney General Sarah Aceves said Wednesday. She presented the AG office’s latest draft of privacy bill H-121 at a House Commerce Committee webcast hearing. More than 17 states have privacy bills this year, said Aceves: Don’t expect Congress to pass a federal measure soon.

Vermont’s bill "is much more incremental in nature, much less comprehensive than what a lot of other states are doing,” said Aceves. The state previously enacted a data broker bill. H-121's latest draft "draws pretty heavily on what California and Connecticut have done,” the assistant AG said. Businesses don’t want the bill’s private right of action for biometric data, she noted. But Vermont’s bill is based on the Illinois Biometric Information Privacy Act, which was passed over a decade ago and has been working, she said. "This is the hill our office is willing to die on," said Aceves. "We want the private right of action in.”

The Vermont House panel plans to take more testimony next week on H-121, and aims to move the bill out of committee before session ends, said Chair Michael Marcotte (R). Making compliance possible is important and the chair wants to avoid crafting a “Frankenstein” of many different states’ approaches, he said. “I don’t want to be a one-off.”

The new draft "brings us a lot closer to not being a one-off," said Aceves, but it's currently a "Frankenstein, mainly with respect to all the different definitions of personal information that we have.” The AG office is open to simplifying the bill, she said.

An Oregon Senate Judiciary Committee work session was scheduled for Wednesday afternoon on SB-619. The panel delayed taking up the bill until Thursday. The bill as introduced included a private right of action, but CR expects it to be removed, said Schwartz.

Tennessee privacy legislation (SB-73/HB-1181) will be on Thursday’s Senate regular calendar. The House Commerce Committee delayed action Tuesday on the House version until April 4.