Governor Kim Reynolds signed Senate File 262 on March 28, a data privacy bill that applies to companies that control or process large amounts of data from Iowa consumers.
Taking effect in January 2025, the bill was unanimously passed by the Iowa Senate and House, and is just the sixth state in the U.S. to adopt a comprenhensive consumer data privacy law.
The bill’s passage was supported by the Technology Association of Iowa (TAI), a member-based organization focused on advancing the state’s tech industry.
“The passage of this consumer data privacy bill is a significant step forward for Iowa,” said Brian Waller, president of TAI, in a statement. “We are pleased with the Iowa legislature for passing this bill and applaud the work of our public policy committee who were instrumental in guiding this important legislation forward.”
New privacy regulations apply to companies that “control or process data of at least 100,000 Iowa consumers or control or process data of at least 25,000 Iowa consumers and derive 50% of their revenue from the sale of personal data,” according to the release.
“In our digital age, it’s never been more important to state, clearly and unmistakably, that consumers deserve a reasonable level of transparency and control over their personal data,” said Ms. Reynolds. “That’s exactly what this bill does.”
Complete bill details are available here.
California, Colardo, Connecticut, Utah and Virginia have passed similar laws, generally requiring websites to let consumers opt out of personal information from being captured on websites and then sold elsewhere, reported Radio Iowa.
The International Association of Privacy Professionals (IAPP) said the bill offers 90-day periods for data subject request responses but does not include the ability to opt of targeted advertising. The association doesn’t expect Iowa’s bill will overly burden businesses.
“If a company has already drafted a privacy policy that is compliant with (the California Consumer Privacy Act) or (the Virginia Consumer Data Privacy Act), the company will not have to amend its privacy policy to include additional items specified by the Iowa legislation,” privacy attorney Maureen Fulton with Koley Jessen told the IAPP.
“While everyone involved acknowledges that a federal law would be preferable, it is generally understood that it is unlikely Congress will act anytime soon and so we are taking the first step ourselves,” Rep. Ray Sorenson, chair of the House Economic Growth and Technology Committee, told Radio Iowa.
According to Forbes, the law allows individuals to report violations of the bill to the Iowa Attorney General.