Practice Update

Yesterday, Governor Kim Reynolds signed SF 262 into law, making Iowa the sixth U.S. state to pass a comprehensive consumer privacy law. The law will go into effect January 1, 2025.

Although Iowa took an approach to comprehensive privacy legislation similar to that of the states that preceded it (California, Colorado, Connecticut, Utah, and Virginia), Iowa also put its own spin on things. This will make the patchwork of privacy legislation more difficult for businesses to navigate. Here are the basics:

Applicability: The law applies to companies doing business in Iowa that, during a calendar year, either: (i) control or process personal data of at least 100,000 Iowa consumers, or (ii) control or process personal data of at least 25,000 consumers and derive at least 50 percent of gross revenue from the sale of personal data. Unlike the California and Utah statutes, Iowa's statute does not have a revenue threshold for applicability.

Exemptions: The law provides both entity exemptions and data exemptions, including exemptions for:

  • financial institutions, affiliates of financial institutions, and data subject to the Gramm-Leach-Bliley Act (GLBA);
  • organizations required to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH); and
  • Iowa and its political subdivisions, nonprofit organizations, and higher education institutions.

Iowa’s law also exempts data collected and, where permitted, sold under the Children's Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), and the Fair Credit Reporting Act (FCRA). Like all but one other state privacy law (California), Iowa's privacy law also exempts business-to-business and employment-related data.

Privacy Rights: Iowa's privacy law establishes several consumer data rights, such as:

  • the right to confirm processing of the consumer's personal data and access personal data;
  • the right to delete personal data provided by the consumer;
  • the right to data portability;
  • the right to opt out of the sale of personal data;
  • the right to opt out of targeted advertising;
  • the right to opt out of the processing of sensitive data for certain purposes; and 
  • the right to appeal a controller's decision not to take action on a privacy request.

Iowa's law notably does not grant consumers the right to appoint a representative to exercise privacy rights on their behalf. Only the consumer, or a guardian in the case of a child, can make such a request. Iowa also does not permit consumers to request correction of their personal data.

Enforcement: The Iowa Attorney General has exclusive enforcement authority – the law expressly precludes a private right of action. Prior to taking any enforcement action, the Attorney General must provide the entity notice of the specific provisions that the Attorney General believes have been violated, along with 90 days to cure any alleged violations. The Attorney General may seek injunctive relief and monetary civil penalties of $7,500 for each violation. Fines collected will go to the Iowa Consumer Education and Litigation Fund.

Akerman is tracking proposed privacy legislation across the U.S. We will continue to monitor developments in Iowa and elsewhere to help clients navigate these evolving data privacy laws.
