Iowa Senate Advances Comparatively Weak Consumer Privacy Bill
By Keir Lamont & Mercedes Subhani
Update: On March 28, Governor Kim Reynolds signed SF 262 into law, making Iowa the 6th state to enact a baseline consumer privacy framework.
Lawmakers in Iowa are considering the adoption of a new consumer privacy framework that would fall far short of comparable state privacy laws in terms of consumer rights, business obligations, and enforcement. On Monday, March 6th, the Iowa Senate passed SF 262, an Act relating to consumer data protection, by a 47-0 vote. Companion legislation, HF 346, is currently eligible for a vote in the Iowa House.
Iowa is one of several states that are currently seriously considering the enactment of privacy legislation, demonstrating a commendable focus on the protection of consumer data. However, the Iowa bill, while modeled after frameworks adopted in other states, nevertheless diverges significantly from the most protective state privacy laws.
In order to help stakeholders and policymakers assess Iowa’s privacy proposal, the Future of Privacy Forum is releasing a chart comparing SF 262 to the Connecticut Data Protection Act, which currently stands as one of the strongest and most interoperable state approaches for establishing privacy rights and protections.
At a high level, Iowa’s privacy proposal contains the following protections and notable omissions as compared to bills with similar models:
- Instead of requiring that controllers obtain affirmative, opt-in consent for the collection and processing of consumers’ sensitive personal data, Iowa businesses would only need to provide notice and an opportunity to opt out.
- The Iowa bill would establish consumer rights to access, delete, and in certain cases, port their personal information, but does not grant a right to correct inaccurate personal information or to exercise these rights through authorized agents.
- The Iowa bill creates a consumer right to opt out of the “sale” of personal data (narrowly defined as exchanges for “monetary consideration”). It does not create an opt-out right for significant profiling decisions or clearly establish a right to opt out of targeted advertising.
- The Iowa bill would require businesses to disclose their data processing practices and to protect the security of consumer data, but it would not require businesses to conduct risk assessments or adhere to data minimization and use limitation standards.
- The Iowa bill would provide for exclusive enforcement authority by the State Attorney General; businesses would have a 90-day right to “cure” any and all alleged violations of the Act.