Following the lead of California, Virginia, Colorado, Connecticut and Utah (as previously discussed here, here, here, here and here respectively), on March 29, 2023, Iowa passed the Iowa Consumer Privacy Act (the “ICPA”), creating compliance obligations for businesses that collect and process personal data of Iowa residents and providing such residents more control over their data. The ICPA will go into effect on January 1st, 2025.
Conveniently, the ICPA largely tracks the laws passed in Virginia (i.e. the Virginia Consumer Data Protection Act or the “VDPA”) and Utah (i.e. the Utah Consumer Privacy Act or the “UCPA”) last year (effective January 1, 2023 and December 31, 2023 respectively), meaning that organizations subject to these laws will be able to leverage their VDPA and/or UCPA compliance efforts for purposes of ICPA compliance. Further, the ICPA, as compared to other states’ laws and even the Europe Union’s General Data Protection Regulation (the “GDPR”), has many business-friendly provisions. For example, the ICPA does not contain a private right of action and controllers and processors have a 90-day cure period to resolve any deficient practices before the state Attorney General may bring an enforcement action, as further discussed below.
While enactment of the ICPA will mean certain businesses not previously covered by state privacy legislation or the GDPR will now face novel data protection compliance obligations, it is arguably the most business-friendly of such laws and should not require particularly onerous changes to business’ existing privacy compliance programs. Below we summarize key elements of the Act while highlighting its similarities and differences with the California Privacy Rights Act of 2020 (the “CPRA”), which amends and expands the California Consumer Privacy Act (the “CCPA”), VDPA, ColoPA and the UCPA[1].
Who must comply?
Similar to the VDPA and ColoPA, the ICPA does not contain a triggering mechanism based on revenue; instead, the ICPA applies to controllers or processors who meet all of the following requirements:
- The entity conducts business in Iowa or produces products or services that are targeted to Iowa consumers and during that calendar year does either of the following:
- controls or processes personal data of at least 100,000 consumers or
- derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more consumers.
As expected, the ICPA contains certain broad exemptions similar to other state privacy legislation, narrowing applicability of the law with respect to certain entities, activities or types of data, including: (i) governmental entities; (ii) financial institutions; (iii) higher education institutions; (iv) nonprofit organizations; (v) entities regulated by and data subject to the Health Insurance Portability and Accountability Act; (vi) entities regulated by data subject to the Gramm-Leach-Bliley Act; (vii) data subject to the Driver’s Privacy Protection Act, the Family Education Rights and Privacy Act and the Farm Credit Act; (viii) certain activities under the Fair Credit Reporting Act; and (ix) employee data, to the extent that the data is collected and used within the context of that role.
What data is protected?
- Personal Data. The ICPA applies to “personal data”, defined as information that is linked or reasonably linkable to an identified or identifiable natural person, and does not include de-identified data, aggregated data or publicly available information. This definition generally tracks the UCPA and ColoPA, and therefore gives rise to the same discrepancies contained in the foregoing acts’ drafting. For example, like the UCPA, the ICPA’s definition of “consumer” includes residents of the state acting only in an individual orhousehold context (and excludes a natural person acting in a commercial (i.e. B2B) or employment context), and thus arguably data relating to Iowa’s “consumers” may not constitute “personal data” if it relates to a number of individuals within a household but is incapable of being linked with one specific individual within the household. For a more in depth discussion of the discrepancies described above, see here.
- Sensitive Data. Like the UCPA, the ICPA provides additional protections for sensitive data, defined to include (i) data that reveals an individual’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status; (ii) the personal data collected from a known child; (iii) genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual or (iv) precise geolocation data. Specific obligations related to the processing of sensitive data are further discussed below.
What obligations are placed on covered entities?
Like the GDPR, VDPA, UCPA and ColoPA, the ICPA distinguishes between data controllers (i.e., a person doing business in the state who determines the purposes for which and the means by which personal data is processed, regardless of whether the person makes the determination alone or with others) and data processors (i.e., a person that processes personal data on behalf of a controller) providing specific requirements for each with respect to the processing of personal data.
The obligations placed on controllers and processors are largely similar to those contained in VDPA, ColoPA, and the UCPA, including:
(i) obligations on data controllers and processors to enter into data processing agreements akin to those required under Article 28 of the GDPR[2],
(ii) additional requirements on processors to (a) adhere to the controller’s instructions when processing personal data and (b) assist the controller in meeting its obligations under the ICPA, including obligations related to the security of processing personal data and notification of a breach of security system, (c) fulfill the controller’s obligation to respond to consumer rights requests (discussed below) and
(iii) additional requirements on controllers to (a) provide consumers with clear notice about their data collection and processing practices, (b) implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality and integrity of personal data and (c) refrain from discriminating against consumers who exercise their personal data rights.
While these obligations are largely reminiscent of controllers and processors’ obligations under other data protection laws, there are a few noteworthy differences with respect to a controller’s compliance obligations:
- Privacy Notices Require Disclosure of Targeted Advertising Practices. Like the UCPA, the ICPA requires controllers to clearly disclose not only whether the controller engages in “sales” of consumer data but also in targeted advertising (and if so, controllers must also clearly disclose the manner in which a consumer may exercise the right to opt out of such uses).
- Notice of and Right to Opt-Out of Processing of Sensitive Data/Children’s Personal Data. The ICPA, like the UCPA, notes that a controller may not process sensitive data collected from a consumer without (i) first presenting the consumer with clear notice and an opportunity to opt out of the processing or (ii) in the case of processing the personal data concerning a known child under the age of thirteen (13), processing the data in accordance with the federal Children’s Online Privacy Protection Act. This is in contrast with the GDPR, VDPA and ColoPA, each of which requires affirmative, unambiguous consent prior to the processing of sensitive data.
- Offering Incentives for Selling Personal Data. Despite ICPA’s prohibition on discriminating against consumers who exercise their ICPA rights, the ICPA does not prohibit controllers from offering a different price, rate, level, quality or selection of a good or service to consumers if (a) the consumer has opted out of the sale of personal data or (b) the offer is related to the consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts or club card program. Notably, unlike the UCPA, the ICPA is silent on whether controllers can offer a different price, rate, level, quality or selection of goods or services to consumers if the consumer has opted out of targeted advertising.
- No Requirement to Conduct Data Protection Assessments. Unlike the VDPA, ColoPA and CPRA, but similar to the UCPA, the ICPA does not require controllers to conduct data protection assessments for each of its processing activities involving personal data that present a heightened risk of harm to consumers.
What rights do Iowa consumers have and do not have under the Act?
In line with the other recent state privacy laws and the GDPR, the ICPA provides consumers with many of the same now well-known rights, including the right to (i) confirm whether a business is processing their personal data, (ii) request deletion of their personal data, (iii) obtain a copy of their personal data and (iv) opt out of the sale of their personal data. We note that the foregoing rights are not only limited by reasonable business exemptions (e.g., detecting fraud or not being able to authenticate a request using commercially reasonable efforts) as provided under similar state laws, but are also subject to certain nuances that provide consumers with less control over their personal data:
- No Right to Correction. The ICPA, like the UCPA, does not provide consumers with the right to correct their data, a departure from rights provided to consumers under the CPRA, VDPA, ColoPA and GDPR.
- Limited Opt-Out Rights. As discussed, in addition to the right to opt out of a controller’s processing of sensitive data, consumers are permitted under the ICPA to opt out of the processing of their personal data for targeted advertising purposes or sales of their data. However, the opt-out right omits the right to opt out of the processing of personal data for the purposes of automated “profiling”, a right provided to consumers under the CPRA, VDPA, ColoPA and GDPR.
- Narrow Definition of “Sale”. Like the UCPA and VDPA, “sales” under the ICPA is defined narrowly to include only an exchange of information for monetary consideration.
- Lack of Obligation to Comply with Global Privacy Control. Unlike the CPRA, and, as of July 1, 2024, the ColoPA, the ICPA is silent on whether businesses must comply with consumer opt-out requests submitted via a user-selected universal opt-out mechanism such as the Global Privacy Control. In fact, the Act does not provide any direction to businesses as to reasonable opt-out methods (e.g., providing a toll-free phone number or online web form), leaving businesses with broad discretion to determine such methods.
The ICPA explicitly prohibits any provision of a contract that purports to limit or waive any of a consumer’s rights.
No private right of action – what are the penalties for non-compliance?
Like most state privacy laws, the ICPA does not include a private right of action. Instead, the Act grants the Attorney General the exclusive authority to enforce the ICPA. More specifically, the Attorney General can issue a civil investigative demand whenever he or she has reasonable cause to believe that any person has engaged in, is engaging in, or is about to engage in any violation of the ICPA.
Notably, prior to initiating an action, the Attorney General must provide a controller or processor a ninety (90) day cure period by providing written notice, which is the longest cure period amongst all state privacy laws. If a business continues to violate the ICPA following the cure period, the Attorney General may initiate an action and may seek an injunction and civil penalties of up to $7,500 per violation.
Conclusion Iowa’s passing of the ICPA shows that states have and will continue to introduce their own privacy bills across the country. Fortunately, the ICPA largely overlaps with or is less stringent than existing state privacy laws meaning that businesses that are in compliance with such laws will likely not struggle to meet the requirements set out by the ICPA. The ICPA follows the footsteps of Virginia, Colorado and Utah by showing that businesses can meet their commercial needs while still providing consumers with rights and visibility over the collection, processing and retention of their data.
[1] The full text of the Iowa Consumer Privacy Act is available here.
[2] Specifically, the ICPA notes that such contracts must clearly set forth instructions for processing personal data and requires the processor to contractually ensure that (a) each person processing personal data is subject to confidentiality obligations when handling personal data, (b) at the controller’s direction, the processor will delete or return all personal data to the controller as requested at the end of the provision of services (unless retention of the personal data is required by law), (c) upon the reasonable request of the controller, the processor will make available to the controller all information in the processor’s possession necessary to demonstrate the processor’s compliance with obligations described in the ICPA, and (d) the processor will only engage subcontractors pursuant to a written contract requiring the subcontractor to meet the same obligations as the processor.