Iowa: And then there were six - what you need to do to comply with the new Iowa Privacy Law
On 29 March 2023, Iowa became the sixth state to pass a comprehensive data privacy law (in line behind Connecticut, Utah, Virginia, Colorado, and California). The Iowa Consumer Data Protection Act ('ICDPA') will go into effect on 1 January 2025. While there are some familiar elements to other state laws that came before it (the law is most similar to that enacted recently in Utah) - there is still a lot that you need to do!
What are the key things for business to focus on if they are already CCPA compliant or compliant with another state privacy program? What about for businesses who are not yet compliant with any state-specific privacy regulations?
Odia Kagan and Melanie Notari, from Fox Rothschild LLP, provide an overview of some of the ICDPA's provisions and take a look at what needs to be considered in order to comply with the law.
Applicability and risks
- Does the ICDPA apply to me? Yes, if you:
- control or process personal data of at least 100,000 Iowa consumers; or
- derive more than 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 Iowa consumers.
Notably, unlike California and Utah, there is no revenue threshold in Iowa.
- What are the risks for non-compliance? Iowa's law does not contain a private right of action. Compliance with the law will be enforced by the Iowa Attorney General ('AG'), who must provide written notice of violations and an opportunity to cure within 90 days. If a controller or processor fails to cure, the AG can initiate civil proceedings and the controller or processor could be subject to a civil penalty of up to $7,500 per violation, paid into Iowa's consumer education and litigation fund.
Things to do for the ICDPA for 'unregulated entities'
If the ICDPA is the first comprehensive privacy law that applies to your business, here is what you should start doing now:
Establish a process to address consumer requests.
- map your information and know where it is held and by whom. This should include information held by your processors as well as third parties;
- assess whether you engage in targeted advertising as defined by the ICDPA;
- establish methods for submitting consumer requests. (This should be reliable and secure and should include a process for opting out of targeted advertising and a process for opting into the processing of the information of a 'known child');
- establish a process for authenticating/verifying the identity of the requester;
- establish a process for ensuring that the requests are handled and responded to on time; and
- establish a process to ensure that you are not discriminating/retaliating against a consumer for having exercised their rights.
What does the ICDPA say?
Similar to the California Privacy Rights Act of 2020 ('CPRA'), Virginia's Consumer Data Protection Act ('VCDPA'), the Colorado Privacy Act ('CPA'), and Utah's Consumer Privacy Act ('UCPA'), the ICDPA grants individuals rights in the personal data collected about them. This includes the right to know what personal data the controller holds, to get a copy of it in a portable format, and to have it deleted.
Unlike the CPRA (but in line with the UCPA and proposed amendments to the VCDPA), the ICDPA gives consumers the right to delete personal data the consumer provided to the controller, but not all personal data the controller has obtained about the consumer.
The ICDPA also includes the right to opt out of the sale of personal data (which is more narrowly defined than under the CPRA, as described below). Unlike Colorado, Connecticut, Virginia, and Utah, Iowa's consumer opt-out rights do not apply to pseudonymous data.
The ICDPA notably does not provide the rights to correct personal data, to not be subject to fully automated decisions, or to opt out of certain processing (such as for targeted advertising). While there is no explicit right to opt out of targeted advertising in the law's consumer rights section, a controller that engages in targeted advertising is required to provide clear and conspicuous disclosure of that activity, as well as the manner in which a consumer may opt out of it. While it is unclear how this will shake out, in the meantime it is a good idea to address the issue, if for no other reason than the Federal Trade Commission's ('FTC') view on sharing for targeted advertising.
Like the UCPA, the ICDPA defines 'sale' more narrowly as 'the exchange of personal data for monetary consideration by the controller to a third party', and includes exceptions such as 'the disclosure or transfer of personal data to an affiliate of the controller' or 'disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience'.
The ICDPA carves out that a controller or processor is not required to respond to a request when the controller is not reasonably capable of associating the request with the personal data, or when it would be unreasonably burdensome to do so. Unlike the CPRA, but similar to the UCPA, the ICDPA allows the controller to specify the means by which the consumer may submit a rights request.
Establish and maintain reasonable administrative, technical, and physical data security policies
You need to implement reasonable administrative, technical, and physical data security practices. This means:
- implementing information security measures which are in line with industry standards for the type of information that you process. This is doubly important in view of the recent FTC activity in this area;
- depending on the size, scope, and complexity of your data, you may want to align your practices with a data security framework such as the National Institute of Standards and Technology's Cybersecurity Framework, ISO/IEC 27001, or the Center for Internet Security's Critical Security Controls (CIS Controls);
- ensure you follow recent enforcement actions and case law regarding information security, including recent FTC enforcement actions; and
- document your security measures and assess them regularly.
Adopt, improve, and expand privacy notices.
- develop and implement a reasonably accessible, clear, and meaningful privacy notice which addresses all of your relevant processing of personal information (online and offline)
- the privacy notice should include: the categories of information processed; the purpose; how to exercise consumer rights; categories of personal data shared with third parties; any sale of personal data; and any processing for targeted advertising
Implement a data processing agreement
You need to implement a data processing agreement with each processor that handles personal information for you. The agreement should include:
- clear instructions for processing data;
- the nature and purpose of processing;
- the type of data subject to processing;
- the duration of the processing;
- the rights and obligations of both parties;
- the process for retention, deletion or return of the data, and for access to it, and the accountability of subcontractors for all of these;
- the obligation on the processor's personnel and sub-processors to be bound by a duty of confidentiality;
- the obligation binding the processor to the same obligations as the controller, including not re-identifying de-identified data (see below);
- the obligation on the processor to make available to the controller all information in its possession necessary to demonstrate compliance with the ICDPA obligations; and
- the obligation requiring processor to contractually bind its sub-processors to all the same terms.
Though not required by the ICDPA, it is still a good idea to include in your agreements the obligation on the processor to allow, and contribute to, reasonable audits and inspections by the controller or the controller's designated auditor, or to arrange for a periodic third-party audit itself and present the results to the controller (required under the CPRA, the VCDPA, and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')).
Identify your 'sensitive data'
You must ensure that you:
- provide clear notice and opt out; or
- if this is data of a 'known child', process it in accordance with the Children's Online Privacy Protection Act of 1998 ('COPPA') (i.e. opt-in consent of the parent). Note that 'known child' is not defined under the ICDPA but is likely an individual under 13 years of age (this is the standard under COPPA).
Adopt a process for de-identified data and pseudonymous data
The ICDPA distinguishes between the two. For pseudonymous data, the additional information needed to re-associate the data with a natural person must be kept separately and be subject to appropriate technical and organisational measures to prevent re-identification. Notably, consumer rights under the ICDPA do not apply to pseudonymous data where the controller is able to demonstrate that it meets those criteria. For de-identified data, the controller should take reasonable steps to ensure that the data cannot reasonably be linked to an identified or identifiable natural person.
Although not explicitly stated in the law, it is a best practice for controllers to require processors and sub-processors to not try to re-link de-identified data.
Regarding both de-identified data and pseudonymous data, controllers that disclose either must:
- exercise reasonable oversight to monitor compliance with any contractual commitments to which the data is subject (including flowing the above requirements down to processors and sub-processors); and
- take appropriate steps to address any breaches of those commitments.
Controllers should further:
- adopt policies and procedures to ensure the above are implemented; and
- have processes to make sure that pseudonymous data is not attributed to an identified individual or an identifiable individual.
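The separation the ICDPA describes for pseudonymous data (tokens in the working dataset, the re-identification secret held elsewhere) is easiest to see in code. The following is an added example, not code from the article or from Fox Rothschild, and the ICDPA does not prescribe any particular method. It assumes HMAC-SHA256 over the direct identifier with a key kept apart from the data, and it contrasts that with an unkeyed hash, which looks pseudonymous but re-links under a dictionary attack. The customer records and candidate email list are constructed and refer to no real person.

```python
"""Pseudonymisation that keeps the re-identification secret apart from the data.

Added example, not from the article; the ICDPA does not prescribe any method.
All records below are constructed and refer to no real person.
"""
import hashlib
import hmac
import secrets

# Constructed customer table: the direct identifier is the email address.
CUSTOMERS = [
    {"email": "alice@example.com", "zip": "50309", "orders": 3},
    {"email": "bob@example.com", "zip": "52240", "orders": 1},
    {"email": "alice@example.com", "zip": "50309", "orders": 2},
]

# Constructed candidate list an attacker (or an over-curious processor) might hold.
CANDIDATES = ["alice@example.com", "bob@example.com", "carol@example.com"]


def weak_pseudonym(identifier: str) -> str:
    """Unkeyed hash: opaque-looking, but anyone who can guess the input can
    recompute it, so a guessed email list re-links the whole dataset."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 token. The same identifier still maps to the same token
    (records stay joinable), but recomputing it requires `key`, which plays
    the role of the 'additional information' that must be held separately."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, token_fn):
    """Copy `records`, replacing the email with a token under the `pid` field."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec["pid"] = token_fn(rec.pop("email"))
        out.append(rec)
    return out


def records_for_consumer(pseudonymised, email: str, key: bytes):
    """Controller side: holding the separately stored key, a rights request is
    matched by recomputing the token; no email-to-token table is kept."""
    pid = keyed_pseudonym(email, key)
    return [r for r in pseudonymised if r["pid"] == pid]


def dictionary_attack(pseudonymised, candidates, token_fn):
    """Party holding the dataset and a candidate list but NOT the key: build a
    lookup of candidate tokens and return the records that re-link."""
    lookup = {token_fn(c): c for c in candidates}
    return {r["pid"]: lookup[r["pid"]] for r in pseudonymised if r["pid"] in lookup}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: a KMS or vault, never beside the data
    keyed = pseudonymise(CUSTOMERS, lambda e: keyed_pseudonym(e, key))
    weak = pseudonymise(CUSTOMERS, weak_pseudonym)

    print("email field removed:", all("email" not in r for r in keyed))
    print("controller matches Alice's records:",
          len(records_for_consumer(keyed, "Alice@Example.com", key)))
    print("re-linked without key (keyed tokens):",
          dictionary_attack(keyed, CANDIDATES, weak_pseudonym))
    print("re-linked (unkeyed tokens):",
          dictionary_attack(weak, CANDIDATES, weak_pseudonym))
```

The point for a controller relying on the pseudonymous-data carve-out is the last two lines: the keyed dataset yields nothing to a party with the data and a list of plausible identifiers, while the unkeyed one re-links every guessed customer. Where the key lives (and who can call `records_for_consumer`) is the 'technical and organisational measure' the law asks you to be able to demonstrate.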
If you are a data processor: adopt a process to facilitate the controller's obligations
- Adopt a process to assist the controller in responding to consumer rights requests. Is the information readily available to provide to the controller in a format that is easy to handle?
- Adopt information security measures.
Notably, the law does not require controllers to conduct data protection assessments or other risk assessments, so there are no processor obligations around this.
Things to do for the ICDPA for companies who have undergone CCPA/CPRA compliance:
- Ensure that your CPRA rights and processes apply to Iowa residents. You will need to update your privacy notices to reflect rights applicable to Iowa residents. Iowa residents do not have all the same rights as California residents do under the CPRA, but it may be easier for your business operationally to use the same rights and processes across the board. Notably, unlike the CPRA, Iowa does not extend consumer data privacy rights to employees ('consumer' is defined as a natural person who is a resident of the state acting in a non-commercial and nonemployment context).
- Implement clear and conspicuous disclosure of sale and sale for targeted advertising and the manner for exercising an opt out of both.
- Review your service provider agreements to make sure they include all the provisions required (see above).
- If you are a data processor - adopt a process to facilitate the controller's obligations regarding consumer rights (see above).
Things to do for the ICDPA for companies who have undergone GDPR compliance:
- Make sure you are on top of your GDPR obligations and that your GDPR processes are extended to Iowa residents.
- Amend your privacy notice for the ICDPA's specific requirements.
- Amend your Article 28 data processing agreement to account for the ICDPA's specific requirements (e.g. de-identified data).
- Assess and adapt your Article 32 protections (e.g. do they include state and federal data breach reporting?).
- Address the concept of 'sale' and the opt-out process for it.
- Tweak your data subject access request process: consider how you will address 'sale', targeted advertising, and those parts of 'sensitive data' that are not subsumed in Article 9's special category data (e.g. children's data and precise geolocation).
- Implement verifiable parental consent processes for 'known children' in accordance with COPPA. This likely means an age threshold of 13 and specific approved consent methods, neither of which is required in the EU.
- Adopt a process for de-identified information (public undertaking not to re-identify, processes and contractual obligations downstream).