Passed in late March, the Iowa Act Relating to Consumer Data Protection ("ICDPA") applies to companies doing business in Iowa or targeting products/services to Iowa consumers. The ICDPA will require that consumers are supplied with a privacy notice that includes:
- categories of personal data processed and shared with third parties;
- the third parties with which personal data is shared;
- purposes for which personal data is processed; and
- how subjects can exercise their consumer data rights.
The law applies if a business controls or processes personal data of at least 100,000 Iowa consumers, or of 25,000 Iowa consumers while deriving over 50 percent of gross revenue from the sale of personal data.
It is important to note that the law includes both entity- and data-level exemptions for certain entities and scenarios, including:
- Consumer reporting agencies, furnishers or users of a consumer report to the extent such activity is regulated by the Fair Credit Reporting Act ("FCRA")
- Financial institutions, affiliates of financial institutions and data subject to the Gramm-Leach-Bliley Act ("GLBA")
- Organizations subject to the Health Insurance Portability and Accountability Act ("HIPAA") and personal health information (PHI) covered by HIPAA
- Specifically defined nonprofit organizations and higher education institutions
- Data handled in compliance with the Driver's Privacy Protection Act ("DPPA")
- Data regulated by the Family Educational Rights and Privacy Act ("FERPA")
Employers are encouraged to consult with legal counsel to determine if their use of data will be subject to the ICDPA in preparation for January 2025.
Posted: April 17, 2023
