Unveiling Iowa's Privacy Law: What Businesses Need to Know

By Morgan Sullivan

Senior Content Marketing Manager II

April 28, 2023 · 9 min read


At a glance

  • Iowa’s new privacy law, the Iowa Privacy Act (IPA), was passed on March 29, 2023, and will go into force on January 1, 2025.
  • Though the IPA follows the model set by other state privacy laws, certain provisions (it requires no data protection assessments and gives consumers no right to opt out of targeted advertising) make it one of the most business-friendly US privacy laws to date.
  • To prepare for IPA compliance, businesses need to implement a way to manage consumer consent, fulfill privacy requests, field appeals, and more.

Table of contents

What is the Iowa Privacy Act?

Preparing for Iowa Privacy Act compliance

What is the Iowa Privacy Act?

Passed on March 29, 2023, the Iowa Privacy Act (IPA) is the sixth state privacy law in the US. Though the IPA doesn’t go into force until January 1, 2025, Iowa businesses under the bill’s scope should start working towards compliance now.

Iowa’s new privacy law closely models the laws of the five other states (California, Virginia, Colorado, Utah, and Connecticut) that have passed privacy legislation in recent years. Though the IPA's overall framework is largely the same (consumer rights, new obligations for businesses, and so on), key differences make it one of the most business-friendly privacy laws to date.

Because the IPA doesn’t require that businesses conduct data protection assessments or give consumers a way to opt-out of targeted advertising, some experts argue the law doesn’t adequately protect consumers’ data.

The rest of this guide outlines who falls under the IPA’s scope, the consumer rights granted by the law, the differences between the IPA and other states’ laws, and the steps businesses should take to prepare for compliance.

Who’s subject to Iowa's privacy law?

As with most privacy laws in the US, the baseline threshold for falling under the law’s scope is doing business in Iowa or marketing goods or services to Iowa residents. In addition, a business must also:

  • Collect, store, or sell personal data for 100,000 or more Iowa consumers, OR
  • Process personal data for 25,000 or more consumers AND receive over 50% of annual gross revenue from selling personal data

Similar to Colorado, Connecticut, and Virginia, Iowa’s privacy law doesn’t establish a revenue threshold. Businesses that meet the criteria above, regardless of their revenue, are beholden to IPA requirements. 

This stands in contrast to the California Privacy Rights Act (CPRA) and Utah Consumer Privacy Act (UCPA), both of which sport a $25 million annual revenue threshold. 

Differences between the IPA and other state privacy laws

Ensuring effective compliance is crucial in today's regulatory environment, but state privacy laws are not uniform and what works in one state may not apply in others. As data privacy regulations become more stringent, it’s important that businesses get it right from the start.

Revenue thresholds

As noted earlier, the IPA doesn’t apply a revenue threshold. By contrast, the CPRA and UCPA both have a $25 million threshold, though each applies it differently.

Additionally, all US state privacy laws have criteria around revenue gained from selling personal data. Iowa’s privacy law falls in line with the majority here, mirroring the revenue percentages outlined in Utah, Virginia, and California. 

In all four of these states, any business that receives over 50% of its revenue from the sale of personal data and controls personal data for 25,000 or more consumers falls under the law’s purview.

Cure period

Under the Iowa Privacy Act, businesses have 90 days to cure compliance issues. For reference, a cure period refers to a set length of time in which businesses can correct compliance issues following notice from the state’s attorney general. 

Compared to other state laws, a 90-day cure period is the longest by far. Connecticut and Colorado offer 60 days, while Virginia and Utah offer only 30.

Under the California Consumer Privacy Act (CCPA), businesses had a guaranteed 30-day cure period, but when the CPRA came into force, that cure period became discretionary. The California Privacy Protection Agency (CPPA) can choose to apply it, or not.

Similar to California, the cure periods allowed under Colorado and Connecticut’s privacy laws will eventually also become discretionary. Though for both states, this won’t occur until January 1, 2025, so businesses do have a bit of breathing room. 

Appeals

Similar to Utah, Colorado, and Virginia, Iowa residents may file an appeal if a business refuses to fulfill the consumer rights outlined by the IPA.

Data protection assessments

Apart from Utah, and now Iowa, most state privacy laws require businesses to conduct data protection assessments (DPAs) for risky data processing activities. Examples of risky data processing include selling (or, in California, sharing) personal data, certain profiling activities, processing sensitive personal information (SPI), and using personal data for targeted advertising.

This omission is one reason the IPA has been dubbed a more business-friendly privacy law.

In laws that do require DPAs, the language usually states that the intent is not necessarily to throttle certain types of data processing. Rather, it’s to encourage businesses to actively consider why they’re engaging in risky data processing, as well as weigh risks to the consumer against any potential benefits.

Consumer rights

Right to access

Consumers in Iowa may ask to see the personal data a business has collected about them.

Right to delete

Iowa residents may ask a business to delete any personal data the business has collected about them.

Right to data portability

Consumers in Iowa may ask for a copy of their data and the business must send the data in an easily transmittable format.

Similar to the Virginia Consumer Data Protection Act (VCDPA), consumers may only request a copy of the data they themselves provided.

Enforcement

In Iowa, only the state's attorney general is authorized to take legal action against businesses that violate the IPA. 

Iowa’s privacy law is similar to those in Virginia, Colorado, Utah, and Connecticut in that it doesn’t offer a private right of action, which would allow consumers to pursue civil litigation on their own behalf. 

Exemptions

Like all state privacy laws, the IPA does exempt certain organizations and data types. Exempted data includes personal information that’s covered by the:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Children’s Online Privacy Protection Act
  • Family Educational Rights and Privacy Act
  • Driver’s Privacy Protection Act 
  • Farm Credit Act

Organizations exempt from Iowa’s privacy law include:

  • Financial institutions (and other entities under the Gramm-Leach-Bliley Act)
  • Entities under the purview of HIPAA
  • Higher education institutions
  • Government organizations
  • Nonprofits

Iowa's Privacy Law: Preparing for compliance

Determine whether the IPA applies to your business

As with any new privacy law, the first step for compliance is understanding whether the law applies to your organization. As a reminder, the IPA applies to organizations that: 

  • Do business in Iowa or market goods or services to Iowa residents
  • Collect, store, or sell personal data for 100,000 or more Iowa consumers, OR
  • Process personal data for 25,000 or more consumers AND derive over 50% of annual gross revenue from selling personal data (the same threshold stated above)

If an organization meets these thresholds, the Iowa Privacy Act likely applies. That said, as listed above, there are several exceptions, so be sure to review those. 

Once you’re sure the IPA applies to your business, you should start working towards compliance. Though the bill doesn’t go into effect until January 1, 2025, building a privacy program from scratch takes time—so it’s best to get started while you still have a little breathing room.

Create a data map

While the Iowa Privacy Act doesn’t explicitly require a data map, creating one is crucial to achieving compliance—offering your organization a clear look into the personal data you’re collecting, where it’s located, and with whom it’s being shared.

To assess your organization’s compliance, whether you’re just starting out or have a mature privacy program, you’ll need to conduct a thorough gap analysis. Through this process, you can compare your current data processing practices to the IPA’s requirements.

But to conduct this analysis, you’ll need to understand your company’s data processing activities. Your data map should, at a high level, include:

  • The categories of personal information (PI) you’re processing
  • Where and how it’s being processed, and
  • Why you’re processing that PI

If you’re using manual methods to build your data map, make sure you have enough bandwidth to conduct assessments with each data silo owner and make continual updates to your central data map document.  

An automated tool like Transcend Data Mapping will speed this process up significantly. 

Implement consent management

The Iowa Privacy Act requires that organizations give consumers the chance to opt out of the sale of personal data and the processing of sensitive data. Notably, the law doesn’t provide the right to opt out of processing for the purposes of targeted advertising.

In addition, businesses must get consent to process data for minors under 13.  

With this mix of opt-out requirements, you’ll need to implement a process for managing consent across your web properties.

Implement a privacy request mechanism

The IPA gives consumers the right to request access and deletion of their personal data. This means your business needs to implement a workflow for fulfilling consumer privacy requests at scale. 

Though it’s possible to manually fulfill consumer requests, the process can be complex. Someone will need to identify any data silo that’s storing personal data, find all the personal data on that specific individual, and then send everything back to the consumer in an easily understandable format. 

When you’re only fielding a handful of requests, the manual process is feasible. But as requests increase, it becomes difficult and largely unsustainable. This is where an automated privacy request solution comes into play.

Create a mechanism for appeals

The IPA requires that businesses give consumers a way to appeal in the event their privacy request is rejected. This means you need to establish a workflow that enables your team to field, track, and fulfill appeals as they come in.

This workflow doesn't need to be elaborate; a simple web form should suffice in many cases. However, when creating this mechanism, you should consider how it will function at scale.

Conclusion

Though businesses have some time to prepare for Iowa's privacy law, savvy companies will start working towards compliance now. Building out key components like a data map, mechanisms for privacy request fulfillment, and an appeals process doesn't happen overnight, so it's better to start now and be prepared well ahead of enforcement.


About Transcend

Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.

Transcend Data Mapping is the only solution that goes beyond observability to power your privacy program with smart governance suggestions. Get unified data management through automated scanning, data silo discovery and advanced data classification, all in a collaborative platform.

Ensure nothing is tracked without user consent using Transcend Consent, automate data subject request workflows with Privacy Requests, and mitigate risk with smarter privacy Assessments.
