State Privacy Patch #6 for Iowa: What Digital Advertising Companies Need to Know
By Meaghan Donahue and Ryan Smith
On March 29, 2023, Iowa Governor Kim Reynolds signed Senate File 262 (SF 262) into law, making Iowa the sixth state to enact comprehensive privacy legislation, joining California, Colorado, Connecticut, Utah, and Virginia. The law will take effect on January 1, 2025.
SF 262 most closely tracks the Utah Consumer Privacy Act, but it also diverges in several areas. In general, it does not present any new or novel requirements as compared to other existing state laws, and it provides greater flexibility to businesses in a few areas. This new Iowa law will therefore likely not pose major compliance challenges for companies already subject to other state-level comprehensive privacy laws. Below is a summary of key provisions in SF 262 that digital advertising companies should be aware of. For a comparison of all of the state privacy laws and their implications for the digital advertising industry, please consult our State Law Ad Tech Comparison Chart (also found below).
SF 262 applies to any person conducting business in Iowa, or producing products or services that are targeted to residents of Iowa that either 1) controls or processes the data of at least 100,000 consumers, or 2) controls or processes the personal data of at least 25,000 consumers and derives more than 50% of its gross revenue from the sale of personal data. Iowa’s threshold is nearly identical to those in Connecticut and Virginia and notably does not include an annual revenue floor such as those found in California and Utah, making it more broadly applicable to smaller companies.
Similar to other state privacy regimes, financial institutions or data subject to the Gramm-Leach-Bliley Act of 1999 (“GLBA”), businesses or data subject to the Health Insurance Portability and Accountability Act (“HIPAA”), as well as non-profits or institutions of higher education are not subject to compliance requirements. Similarly, personal information related to creditworthiness and subject to the Fair Credit Reporting Act (“FCRA”) and data used in accordance with the Children’s Online Privacy Protection Act (“COPPA”) are also outside the scope of SF 262.
For consumers who are residents of Iowa acting in their individual capacity, SF 262 establishes new rights that they may exercise with respect to their personal data: 1) the right to confirm whether a controller is processing their personal data, 2) the right to delete their personal data, 3) the right to obtain a copy of their personal data, and 4) the right to opt-out of the sale of their personal data. The scope of SF 262’s definition of sale is limited to the exchange of personal information for “monetary consideration.” This is in line with the definitions of sale in Virginia and Utah, which do not include the exchange of “other valuable consideration” in the definition of sale. Like California and Utah, SF 262 does not provide consumers with the right to correct data held by the controller. Further, SF 262 does not explicitly provide a separate right to opt-out of “targeted advertising.” However, as noted below, there is a controller requirement that diverges on this topic.
SF 262 provides controllers with more flexibility in responding to consumer requests. Specifically, controllers are permitted to specify the means of submitting such requests, with no restrictions on the methods of submission specified in statute. Controllers also have a substantially longer period of time to comply with these requests – 90 days, with a 45-day extension possible based on the complexity of the consumer’s request. Controllers may decline the request, but must allow the consumer to appeal that decision. SF 262 permits controllers to establish the appeal process, provided that it is similar to the process for submitting consumer requests.
Exception for Pseudonymous Data
Importantly for many companies engaging in digital advertising, SF 262 exempts all consumer rights with respect to pseudonymous data – even the right to opt-out – provided that the controller is able to demonstrate that any information necessary to identify an individual consumer is kept separately from the pseudonymous data and is subject to appropriate technical and organizational measures to ensure the personal data is not attributed to an identifiable individual. While other states have more limited exceptions for pseudonymous data, this exemption is unique and the broadest among the existing regimes.
Controller and Processor Duties
SF 262 mirrors the other five state privacy laws with respect to privacy notices and requires controllers to adopt and implement reasonable administrative, technical, and physical data security practices to protect personal data. SF 262 requires controllers and processors to maintain contracts that clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties. The contract must also include requirements that the processor ensure that each person processing personal data is subject to a duty of confidentiality, and that the processor delete or return all personal data to the controller at the controller’s request. Processors must also assist controllers in their duties. Whether a business is a processor or a controller for a specified transaction is a fact-based determination that depends on the context in which the personal data is processed, similar to the five other state privacy laws.
In summary, the contracting requirements in SF 262 are largely in line with the contracting requirements in Virginia, Colorado, Connecticut, and Utah. California goes substantially further in its contracting requirements. The NAI has developed a model contract addendum designed to meet the requirements of state laws, which can be found here.
Like the other state laws, SF 262 requires controllers that sell personal data to a third party or engage in targeted advertising to disclose such activity and how a consumer can opt-out. This is where alignment breaks down: as noted above, the Iowa statute does not explicitly provide a “right” to opt-out of targeted advertising. Regardless, offering such an opt-out is a common industry practice, so the requirements established in Iowa do not pose any new obligations.
Like Utah, SF 262 adopts an opt-out approach to sensitive data, provided that the controller offers the consumer a clear notice and opportunity to opt-out of processing (715D.4(2)). Conversely, Colorado, Connecticut and Virginia require a consumer opt-in for the use of sensitive data, and California requires a “right to limit.” The NAI also currently requires members to obtain opt-in consent before using sensitive personal information for Tailored Advertising or Ad Delivery and Reporting.
Similarly to the other state laws, SF 262’s definition of sensitive data includes personal information such as racial/ethnic origin, religious belief, mental/physical health diagnosis, sexual orientation, and citizenship or immigration status except when used to prevent discrimination, biometric information used to uniquely identify an individual, the personal data of a known child younger than thirteen years old, and precise geolocation (<1,750 feet).
Notably for members of the digital advertising industry, and unlike the other state law approaches, SF 262’s definition of sensitive data does not include reference to “revealing” or “inferences.” SF 262’s definition also refers to personal information about an individual’s “mental or physical health diagnosis” – a significantly narrower approach to health-related information as compared to other states, such as California’s reference to “personal information collected and analyzed concerning a consumer’s health,” or Colorado’s reference to “personal data revealing … a mental or physical health condition or diagnosis.” Iowa’s narrower definition should ease compliance in comparison to other states with broader, more ambiguous definitions. Overall, this is a notable addition to the state law patchwork, further demonstrating that the definition of “sensitive data” is not uniform across the country.
Enforcement authority for SF 262 is provided exclusively to the Iowa Attorney General, and the law provides neither for rulemaking nor for a private right of action. Importantly, the law also has the longest cure period of all state privacy laws. Prior to initiating any action, the Attorney General must provide a controller or processor 90 days’ written notice identifying the specific provisions of the law the Attorney General alleges have been violated. Controllers and processors that cure the noticed violations within the provided time will not have action taken against them. Parties that do not cure and continue to violate SF 262 will be subject to civil penalties of $7,500 for each violation. Unlike the approach taken in other states, this cure period does not sunset.
Other Key Areas of Alignment or Divergence: Consent, Dark Patterns, Anti-retaliation
While SF 262 maintains a largely consistent standard for obtaining consent – that it be a clear affirmative act that indicates a consumer’s freely given, specific, informed and unambiguous agreement to the processing of their personal data – it does not make reference to dark patterns. It also adds to the unanimity among the state laws on the “non-retaliation” principle. Specifically, the law prohibits controllers from discriminating against a consumer for exercising any of the consumer rights contained in the bill, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality to the consumer, and also makes similar reference to bona fide loyalty programs.
Implications for Digital Advertising Businesses
With each new law, businesses need to assess what is new or significantly different. Fortunately, SF 262 contains a number of novel approaches, designed to provide greater flexibility to businesses, rather than complicating compliance with the growing patchwork of varying state laws. Therefore, companies subject to compliance with one or more of the other state-level privacy laws should be able to easily incorporate Iowa’s requirements into their compliance programs.