At a high level, Iowa’s privacy law contains the following protections and notable omissions as compared to bills with similar models:
- Instead of requiring that controllers obtain affirmative, opt-in consent for the collection and processing of consumers’ sensitive personal data, Iowa businesses will only need to provide notice and an opportunity to opt-out.
- The Iowa bill would establish consumer rights to access, delete, and in certain cases, port their personal information, but does not grant a right to correct inaccurate personal information or to exercise these rights through authorized agents.
- The Iowa bill creates a consumer right to opt-out of the “sale” of personal data (narrowly defined as exchanges for “monetary consideration”). It does not create an opt-out right for significant profiling decisions or clearly establish a right to opt-out of targeted advertising.
- The Iowa bill would require businesses to disclose their data processing practices and to protect the security of consumer data, but it would not require businesses to conduct risk assessments or adhere to data minimization and use limitation standards.
- The Iowa bill would provide for exclusive enforcement authority by the State Attorney General; businesses would have a 90-day right to “cure” any and all alleged violations of the Act.
RILA and other industry stakeholders continue to advocate for a federal privacy framework establishing a single set of rules that provide strong protections for consumers and accountability for all businesses within the digital ecosystem.
For more information, please contact RILA Director of Government Affairs Austin Gold.
Ensuring a Safe, Sustainable Future
Supporting Free Markets and Fostering Innovation