Iowa’s newly passed comprehensive data privacy law 

INTRODUCTION  

The importance of data privacy has led many countries to pass privacy laws. As new technology develops, it gives rise to new privacy concerns. Therefore, legislators are enacting privacy laws, passing regulations, and making amendments to address the evolving challenges in data privacy law. The substantial penalties imposed on organizations that fail to comply with privacy laws underscore the value of data.

IOWA’S NEW PRIVACY LAW 

On March 29, 2023, Iowa passed its new comprehensive data privacy law. It became the sixth state to join with Colorado, California, Connecticut, and Utah. Iowa’s Consumer Data Protection Act (ICDPA) will become effective on January 1, 2025. 

On comparing the other state laws, it is comparable to the Utah Consumer Privacy Act. There are not many changes that are introduced compared to the above-mentioned state laws. So, the companies that comply with the other state laws need some minimal number of updates when it comes to ICDPA.  

ICDPA is considered to be more business-friendly compared to the other states. This law includes a 90-day cure period to correct the violations and there’s no requirement to conduct data protection or privacy risk assessments, practice purpose limitation, or data limitation. 

SCOPE AND APPLICABILITY  

The applicability of this act is to the business that 

1. controls or processes the data of at least 1,00,000 consumers of Iowa, or  

2. controls or processes the data of at least 25,000 consumers of Iowa 

and derives 50% of gross revenue from the sale of personal data. ICDPA does not contain the revenue threshold, unlike states like California and Utah.

RIGHTS OFFERED TO CONSUMERS  

1. Right to access – The consumers are provided with the right to confirm whether the controller is processing their personal data and access to that data. 

2. Right to delete – The personal data provided to the controllers can be requested by the consumers to delete, which is a right provided by the law.   

3. Right to portability – The copy of the personal data can be obtained by the consumers, except when the data is subject to security breach protection or if it was previously provided to the controller in a portable and readily usable format that allows a consumer to transmit the data to another controller without hindrance where the processing is carried out by automated means.  

4. Right to opt out of sales – The consumers are provided with the right to opt out of the sale of their personal data. Where this Act defines the Sale of personal data for monetary consideration by the controller to a third party. The sale does not include disclosure of data to a processor, disclosure to a controller to fulfill a consumer request, disclosure made by public channels, or internal transfers. For the pseudonymized data, the opt-out rules do not apply.  

OBLIGATIONS OF DATA CONTROLLERS 

The ICDPA classifies the businesses that handle personal data as controllers or processors, which is like GDPR and other data protection and privacy laws.  

The ICDPA defines a controller as a person who determines the purpose and means of processing personal data and a processor as a person who processes that data on behalf of a controller. The following are the obligations of the data controllers. 

1. Data security – Controllers must implement reasonable administrative, technical, and physical data security practices to protect the integrity, confidentiality, and availability of personal data.The laws also specify that the practices must be appropriate to the volume and nature of the personal data. 

2. Nondiscrimination – The controllers must prohibit the processing of personal data if it violates state and federal laws that prohibit unlawful discrimination against consumers. There must also be no discrimination against consumers for exercising their rights within the Act. 

3. Sensitive data – The controllers should not process the data unless they produce a clear notice and allow for opting out of data processing. Processing must comply with the Children’s Online Privacy Protection Act (COPPA) when processing a child’s sensitive data.he sensitive data includes the categories such as racial or ethnic origin, religious beliefs, genetic or biometric data, immigration status, geolocation data, and data collected from a child. 

4. Transparency – Controllers must follow the principle of transparency by providing consumers with a notice that includes

• The categories of the personal data produced. 

• The purpose of processing the personal data 
• How consumers may exercise their consumer rights according to the Act. 
• The categories of personal data that the controller shares with the third parties if any, 
• The categories of third parties to whom the controller shares the data, if any. 

The above-mentioned are the obligations of the data controllers specified in the law.  

OBLIGATIONS OF PROCESSORS 

The ICDPA defines a processor as a person who processes personal data on behalf of a controller. Determining who qualifies as a processor depends on the context in which they will process the personal data and is a fact-based determination.

The ICDA requires the processors to adhere to the instructions of the controllers, assistance to controllers in fulfilling their obligations to respond to consumer rights requests, and to fulfill their data security and breach notification obligations.  

EXEMPTIONS  

Iowa exempts the personal data covered by the existing federal laws, including (Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA) , the Driver’s Privacy Protection Act, and the Farm Credit Act. 

It also exempts the health records, human subjects research data covered by federal law or other standards, and the data processed or maintained for employment purposes. This law does not apply to the government or state entities, and financial institutions.  

CONCLUSION 

The violation of ICDPA is subject to a $7,500 fine on each violation. And, complying with ICDPA is necessary to protect the data of Iowa consumers. It is significant for an organization that uses the data of Iowa consumers to build trust and to avoid penalties. Take the first step towards a secure your organization’s data by scheduling a call with our privacy expert team at Tsaaro Solutions today

Tsaaro helps in compliance with the privacy laws, with the skilled privacy professionals in the market.