+44 (0) 121 582 0192 [email protected]

Iowa becomes the sixth US  State to Enact a Comprehensive Data Privacy Act

The Iowa Consumer Data Protection Act (ICDPA), is one of the latest state-level data privacy regulations in the United States. It introduces transparency and disclosure requirements for controllers and processors of personal data who conduct business in Iowa or provide services aimed at Iowa residents. In this article, we will delve deeper into the Iowa Data Privacy Law, exploring its scope, consumer rights, and business obligations.

Scope of the Iowa Data Privacy Law

The Iowa Data Privacy Act has jurisdiction over entities that conduct business or offer services in Iowa, as well as those that handle the personal information of at least 100,000 Iowa residents or 25,000 Iowa residents and generates more than 50% of their revenue through the sale of personal information within a given calendar year.

It’s worth noting that the Iowa Consumer Data Protection Act (ICDPA), does not impose any specific revenue threshold for entities to be held responsible for data privacy obligations. However, there are certain exclusions to the law. For instance, government entities, nonprofits, higher educational institutions (whether public or private), as well as entities regulated by the Gramm-Leach-Bliley Act and HIPAA-covered entities and business associates, are not covered by the Iowa Data Privacy Law. Moreover, the law excludes certain categories of data, such as health records, consumer credit-reporting data, scientific research data, data governed by the Family Educational Rights and Privacy Act, and employment-related information.

Apart from providing access and control rights to consumers, the Iowa Data Privacy Law also mandates controllers and processors of personal data to adhere to certain obligations. For instance, controllers are obligated to establish and implement rational administrative, technical, and physical data security measures to safeguard personal data.

In addition, controllers are mandated to disclose their data processing practices and acquire consent from consumers before collecting, processing, or sharing their personal data. Furthermore, controllers must inform consumers in the event of a data breach that affects their personal data.

Iowa Privacy Compliance Journey Checklist

To help businesses operating in Iowa ensure compliance with the Iowa Data Privacy Law, a compliance checklist is recommended. As the law shares some similarities with the CCPA, CPA, UCPA, and VCDPA, companies can develop privacy framework  approach to data privacy compliance obligations in the U.S. Here are some items that entities should consider when assessing their compliance obligations under the Iowa Data Privacy Law:

  1. Clarify if your business is subject to the Iowa Data Privacy Law. The law applies to entities that conduct business in Iowa or provide services targeted at Iowa residents, and that are controllers or processors  of at least 100,000 Iowa residents or 25,000 Iowa residents and derive over 50% of their revenue from the sale of personal data during a given calendar year.
  2. Adopt reasonable administrative, technical, and physical data security practices to protect personal data.
  3. Implement processes for responding to consumer requests regarding their personal data, including requests to confirm whether their data is being processed, Erasure of  their personal data, obtain a copy of their personal data, and opt-out of the sale of personal data.
  4. Provide notice to consumers before collecting, processing, or sharing their personal data and obtain consent where required.
  5. Develop a full documented policy and procedure in the event of a data breach that impacts an Iowa residents personal data.
  6. Establish a procedure for handling appeals from consumers whose requests to exercise their rights under the law have been denied.
  7. Train employees on the Iowa Data Privacy Law and ensure they understand the company’s compliance obligations.
  8. Ensure you create a regular privacy policies review  to ensure they accurately reflect the company’s data processing practices and comply with the Iowa Data Privacy Law.
  9. Conduct regular audits of data processing practices to ensure ongoing compliance with the Iowa Data Privacy Law.

By following this checklist, businesses operating in Iowa can reduce their risk of non-compliance and potential penalties or legal liability under the Iowa Data Privacy Law.

Conclusion

The Iowa Data Privacy Law is a significant development in the state-level data privacy regulations in the United States. The law provides Iowa residents with important access and control rights over their personal data and mandates that controllers and processors of personal data operate in a reasonable and transparent manner. However, it’s crucial for businesses to assess whether they are subject to the law’s requirements and ensure full compliance with its provisions to avoid potential penalties or legal liability. With the increasing focus on data privacy and security, it’s important for businesses to stay up to date with the evolving landscape of data protection laws and regulations to maintain consumer trust and avoid costly legal consequences. By taking proactive steps to protect personal data and comply with the Iowa Data Privacy Law, businesses can establish themselves as trustworthy partners for consumers and enhance their overall reputation and competitiveness in the marketplace.