On March 28, 2023, Iowa Governor Kim Reynolds signed into law Senate File 262, making Iowa the sixth state to enact comprehensive consumer data privacy legislation.  The other states are California, Virginia, Colorado, Utah, and Connecticut.  The law will take effect January 1, 2025.

The law is considered favorable since it exempts financial institutions and data subject to the Gramm-Leach-Bliley Act (GLBA). Businesses that are not exempt will be pleased that the law does not include a private right of action and that it has good compliance interoperability with the other states’ data privacy laws.

Applicability

The bill applies to any person that conducts business in Iowa or produces products or services targeted to Iowans and that, during a calendar year, does either of the following:

a. Controls or processes personal data of at least 100,000 consumers; or

b. Controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.

Exemptions

Importantly, the law exempts financial institutions, their affiliates, and data subject to the Gramm-Leach-Bliley Act.  Also exempt, among other things, are persons and certain data subject to the Health Insurance Portability and Accountability Act, and personal information to the extent its use is regulated and authorized by the Fair Credit Reporting Act.

Consumer Rights

Consumers are provided with the right to:

a. confirm whether a controller is processing the consumer’s personal data and to access such personal data;

b. delete personal data provided by the consumer;

c. obtain a copy of the consumer’s personal data; and

d. opt out of the sale of personal data.

Contract Requirements

A contract between a controller and a processor must include certain provisions to ensure:

1. that each person processing personal data is subject to a duty of confidentiality;

2. that a processor will delete or return all personal data to the controller upon request;

3. that a processor will provide a controller with all information necessary to demonstrate the processor’s compliance; and

4. that any subcontractor or agent of the processor will meet the duties of the processor pursuant to a written contract.

Enforcement

The Attorney General has the exclusive authority to enforce the law.  Prior to taking any action, the Attorney General must provide a controller or processor ninety days to cure the violation.  In the absence of a cure, civil penalties of up to $7,500 may be sought for each violation.

Preemption

The law preempts “all rules, regulations, codes, ordinances, and other laws adopted by a city, county, municipality, or local agency regarding the processing of personal data by controllers or processors.”

RMAI encourages its members to forward this Member Alert to those within their organization who are responsible for operations, compliance, and legal matters.

This Member Alert is intended for members of the Receivables Management Association International, is for informational purposes only, and is in no way intended to provide legal advice. Members are encouraged to consult with an attorney of their choice for legal advice concerning this matter.