On March 28, 2023, Iowa joined California, Colorado, Connecticut, Utah, and Virginia in signing comprehensive privacy legislation into law. The new law, An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions (also known as the Iowa Consumer Data Privacy Act, or ICDPA), takes effect on January 1, 2025 and will sit alongside Iowa’s existing data breach notification requirements rather than replace them. The law is closely modeled on Utah’s privacy law, the Utah Consumer Privacy Act (UCPA), with one major exception, discussed below, that makes Iowa’s law far more expansive.
The law gives Iowa consumers four rights: access, deletion (limited to the personal data the consumer provided to the controller), opting out of the sale of their personal data, and, for minors, a requirement that controllers obtain opt-in consent. Although the ICDPA grants these rights, it takes a “business-friendly” stance similar to Virginia’s law and especially Utah’s UCPA; notably, it omits the right to correct inaccurate data, making Iowa the second state, after Utah, to take that approach. Iowa’s stance expands the set of U.S. state laws that stand in contrast to the many global privacy laws that lean more toward prioritizing consumer protection.
However business-friendly the ICDPA may seem, it carries significant ramifications for organizations that operate in Iowa or provide services to its residents, so it is critical to understand what must be done to comply with the new law.
Which Businesses Must Comply with the ICDPA
Any company that conducts business in Iowa or targets Iowa consumers with its goods and services, and that meets either of the following criteria, must comply with the ICDPA:
- Controls or processes the personal data of 100,000 or more Iowa consumers during a calendar year, excluding personal data controlled or processed solely to complete a payment transaction
- Controls or processes the personal data of 25,000 or more Iowa consumers and derives over 50 percent of its gross revenue from the sale of personal data
Note that unlike some other state privacy laws, notably Utah’s, the ICDPA has no revenue threshold: an organization that meets one of the consumer-count criteria above must comply regardless of its annual revenue.
Exempt from the Iowa Consumer Data Privacy Act are financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), covered entities and business associates subject to HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH Act), nonprofits, and institutions of higher education.
The ICDPA defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The definition excludes de-identified data, aggregate data, and publicly available information.
The law also excludes certain categories of information from its scope. It does not apply to protected health information under HIPAA, health records, patient identifying information, information about human research subjects, or personal data used or shared in health research, health care operations, and related areas. The ICDPA likewise does not apply to data regulated by the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, or the Farm Credit Act, nor to employment-related data such as job application data, emergency contact information, or data used to administer benefits.
How Iowa Enforces the ICDPA
Iowa’s attorney general has exclusive authority to enforce the ICDPA; the law provides no private right of action. Starting January 1, 2025, before initiating an action the attorney general must give the controller or processor written notice of the provisions alleged to have been violated and a ninety-day period to cure them. If the organization cures the violation within that period, provides the attorney general a written statement that it has done so, and does not further violate the law, no action may be initiated against it. If violations continue after the cure period, the attorney general has discretion over whether to bring an action against the organization.
Violations that are not cured (where the opportunity to cure was given) are subject to civil penalties of up to $7,500 per violation. Civil penalties, costs, attorney fees, and any other amounts collected from the organization are paid into Iowa’s consumer education and litigation fund.
Protection Measures Required for Iowa Consumer Data
The ICDPA largely takes a familiar approach to the data protection measures organizations must adopt. Personal data may be processed only for the purposes the controller expressly discloses, unless the law permits otherwise, and processing must be reasonably necessary and proportionate to those purposes and limited to what is adequate and relevant. Controllers must also establish, implement, and maintain reasonable administrative, technical, and physical data security practices, appropriate to the volume and nature of the personal data at issue, to protect its confidentiality, integrity, and accessibility.
The statute defines consent as a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to the processing of their personal data. Controllers may not process a consumer’s sensitive data for any non-exempt purpose unless they first give the consumer clear notice and an opportunity to opt out of that processing. This is an opt-out model for sensitive data, in contrast to the opt-in consent that Virginia, Colorado, and Connecticut require.
For minors, the ICDPA requires that the data of a known child be processed in accordance with the Children’s Online Privacy Protection Act (COPPA). Continuing the approach taken by Colorado, Connecticut, and Virginia, this means obtaining opt-in (verifiable parental) consent before collecting personal data from children under 13.
Under Iowa’s privacy law, controllers must have a contract with each processor that governs the processor’s handling of personal data, including the data subject to processing, the nature and purpose of the processing, its duration, and both parties’ rights and duties, and that covers retention, deletion, access, and accountability for any subcontractors. Like Virginia’s law, the ICDPA does not address universal opt-out mechanisms such as browser-level opt-out preference signals. Any contract provision that waives or limits a consumer’s rights under the law is void and unenforceable.
The ICDPA and Incident Response Requirements for Iowa
Serious security incidents require notification and response under Iowa law, but those requirements come from existing Iowa statute rather than the ICDPA itself: Chapter 715C of the Iowa Code, Personal Information Security Breach Protection.
What’s Considered a Security Breach
Under Chapter 715C, a breach of security is the unauthorized acquisition of personal information maintained in computerized form that compromises its security, confidentiality, or integrity. Personal information means an individual’s first name or first initial and last name in combination with at least one of the following data elements:
- Social security number
- Driver’s license number or other unique identification number created or collected by a government body
- Financial account number, credit card number, or debit card number in combination with any required expiration date, security code, access code, or password that would permit access to an individual’s financial account
- Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
- Unique biometric data, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data
The definition does not cover data that is encrypted, redacted, or otherwise rendered unreadable, unless the encryption key or other means of reading the data was also acquired in the incident. Practically, this means the encryption exception only helps if the organization can show the keys were not exposed alongside the data.
Who to Notify Following a Security Breach
Organizations that experience a breach of security must notify affected consumers and, when more than 500 Iowa residents are affected, the Consumer Protection Division of the Iowa Attorney General’s office.
Issuing Security Breach Notifications: When and How
Notice to consumers must be given in writing, or electronically where that is the organization’s customary method of communicating with the consumer, in the most expeditious manner possible and without unreasonable delay, allowing only for the legitimate needs of law enforcement and for the time needed to determine contact information, the scope of the breach, and to restore the reasonable integrity of the data. The attorney general must be notified within five business days after notice is given to consumers. An organization that maintains personal information on behalf of its owner or licensor must notify that owner immediately following discovery of the breach.
Substitute notice is permitted if written or electronic notice would cost more than $250,000, the breach affects more than 350,000 people, or the organization lacks sufficient contact information. Substitute notice consists of all of the following: email to affected consumers for whom the organization has an email address, a conspicuous posting of the notice (or a link to it) on the organization’s website, and notification to major statewide media.
Written notice to the director of the attorney general’s Consumer Protection Division is required whenever more than 500 Iowa residents must be notified.
The Minimum for Inclusion in Breach Notifications
Notifications must include the following information to be in compliance with Iowa law:
- A description of the breach
- The approximate date of the breach
- The types of personal information exposed
- Contact information for consumer reporting agencies
- Advice to the consumer to report suspected incidents of identity theft to local Iowa law enforcement or the Iowa Attorney General
Exceptions to Issuing a Notification
Iowa’s breach notification requirements include exceptions common to many U.S. state breach laws, some of which overlap with the ICDPA’s exemptions. Organizations subject to and in compliance with the GLBA, HIPAA, or the HITECH Act are exempt, as are organizations that comply with federal or state laws or regulations that provide greater protection for personal information and at least as thorough a disclosure requirement in the event of a breach of security.
Preparing to Comply with the Iowa Consumer Data Privacy Act
Iowa already requires companies to notify the attorney general’s Consumer Protection Division when more than 500 residents are affected by an incident, so companies must already be prepared to comply in the event of a breach, and they should get ahead of the ICDPA’s additional requirements now.
Companies can address these and similar requirements from other laws by taking a proactive, automated approach to security and incident response: developing response plans, confirming stakeholder responsibilities, and coordinating workflows. This approach rests on three critical aspects of incident response: readiness, response, and ongoing management.
To achieve readiness, companies must have response plans in place before any incident occurs. They need to review relevant regulations and customer contracts, document a response plan for each, assign responsibilities, and run tabletop exercises so stakeholders know their roles. Being prepared lets a company respond quickly, reducing the impact of a breach and its associated costs.
Response covers what happens once an incident does occur: investigating the breach, fixing the vulnerabilities that enabled it, and issuing notifications to the customers, partners, regulators, government agencies, and other stakeholders relevant to the incident. To stay in compliance with regulations like the ICDPA and maintain customer trust, companies must see the response through to completion, including establishing a protected channel for team communications so that legal privilege is preserved if the incident leads to customer, stakeholder, or shareholder litigation.
Ongoing management keeps incident response preparation from becoming a one-time effort. Companies must regularly revisit response plans and procedures, keep them current as regulations, contracts, and threats change, and look for opportunities to improve security measures, readiness posture, and response efficiency. A centralized incident response program that tracks metrics and reporting on incident responses, updates to plans and procedures, and changes to regulations and contracts supports this. Leaders should keep stakeholders aligned on their responsibilities and on changes to plans, and address identified weaknesses to strengthen future responses.
By taking a proactive approach to incident response and investing in readiness, response, and ongoing management, companies can manage incidents effectively, comply with regulations, reduce costs, maintain customer trust, and recover quickly.
Prioritize Proactive Incident Response and Readiness
As the frequency and severity of cyber attacks continue to rise, it is more important than ever for businesses to make proactive incident response a top priority. Beyond safeguarding their operations against threats, they must also comply with laws such as the Iowa Consumer Data Privacy Act and the more than 180 applicable regulations emerging globally.
The reality is that cyber incidents are now nearly inevitable, however robust a company’s security controls may be. Prioritizing proactive incident response ensures a business is prepared to respond quickly and completely when incidents occur. That requires staying current with changing regulations and emerging threats, developing detailed response plans, assigning responsibilities to team members, running regular exercises and simulations to test the broader organization’s readiness, and continuously reviewing and updating incident response procedures against the threats and scenarios the business actually faces.
A proactive incident response strategy provides a number of important benefits. It helps companies stay in compliance with regulations, reduce the costs associated with incidents, avoid penalties, maintain customer trust, and recover more quickly from the incidents that do occur. By staying ahead with a proactive approach to incident response, businesses are better prepared for the steady stream of cyber threats they face.