IOW LEG Consumer Data Protection


On Mar. 15, IOW LEG passed bill re consumer data protection.


  • IOW LEG passed bill SF 262 (formerly SSB 1071) relating to consumer data protection.
  • Bill creates new Chapter 715D, sections 1-9, under IOW LEG XVI (criminal law).
  • Scope
  • Covers in-State business or producers of products/services targeted to Iowans that annually control/process personal data of over 99,999 consumers or control/process personal data of 25K consumers with 50% gross revenue from sale of personal data.
  • Exempts certain entities, including financial institutions and certain organizations governed by rules by the department of health and human services.
  • Also exempts certain protected information and personal data collected under State/federal laws.
  • Definitions
  • Creates new section IOW LEG 715D.1 providing for definitions of key data terms.
  • Terms include related parties and various classes of data to be protected under bill.
  • New section IOW LEG 715D.2 defines parties and transactions to which bill applies.
  • Also, new Section IOW LEG 715D.3 sets consumer rights in their own data, defining those who may request data, request deletion of data, or implement opt out.
  • Party Duties under Bill
  • New Section IOW LEG 715D.4 outlines duties of data controllers, including adopting and implementing procedures, providing notices, complying with applicable law.
  • Also, new section 715D.5 sets out duties of processor, essentially assisting controllers.
  • Exemptions
  • New section 715D.6 provides exemptions from the bill's requirements, including data handling and requests, and the use of pseudonymous data in certain cases.
  • Also, new section 715D.7 provides that nothing in the bill interferes with compliance with applicable federal, state, or local law or regulation by controller or processor.
  • Other Provisions
  • Section 715D.8 gives IOW AG exclusive authority to enforce the statute via civil investigative demand and provide 90 days' notice of potential violation.
  • If violation is cured within 90 days, no action will be taken against controller/processor.
  • Where no cure, IOW AG may initiate action for injunction, civil penalties up to $7,500.
  • Section 715D.9 expressly preempts all local laws, regulations relating to data privacy.
  • Legislative History
  • On Feb. 13, 2023, bill was introduced in Senate; on Mar. 6, 2023 bill passed Senate.
  • On Mar. 7, 2023, bill was introduced in House; on Mar. 15, 2023, bill passed House.
  • Effectiveness
  • Upon approval by the governor, the act takes effect on Jan. 1, 2025.
  • Mar. 28, 2023 IOW LEG Governor Approval
  • On Mar. 28, 2023, IOW LEG governor signed bill SF 262, effective Jan. 1, 2025.

Regulators IOW AG; IOW LEG
Entity Types CNSM; Corp
Reference Bill 3/28/2023; Bill, SF262, 3/16/2023; Citation: IOW LEG XVI;
Functions Compliance; Legal; Operations; Privacy; Risk; Technology
Countries United States of America
Category State
Products Corporate
Regions Am
Rule Type Final
Rule Date 3/16/2023
Effective Date 1/1/2025
Rule Id 166448
Linked to N/A
Reg. Last Update 3/28/2023
Report Section US Insurance

Last substantive update on 04/03/2023