Iowa is About to Have a Data Privacy Law

Posted on 03/16/2023 at 12:45 PM by John Lande

UPDATE: On March 28, 2023, Governor Kim Reynolds signed Senate File 262 into law. Iowa is the sixth state in the nation to adopt this type of comprehensive consumer data protection. 

Three years after this blog first covered Iowa’s efforts to pass a data privacy bill, Iowa is poised to be the sixth state in the country to adopt a data privacy statute. Iowa will join California, Utah, Colorado, Connecticut, and Virginia with a law governing collection and retention of consumer data from individual Iowans. The new Iowa law, Senate File 262, passed the Iowa Senate and Iowa House without opposition. The bill is waiting for the governor’s signature.

Most Iowa businesses will not be affected by the new law. The law only applies to companies that (1) control or process data of at least 100,000 Iowa consumers, or (2) control or process data of at least 25,000 Iowa consumers and derive 50% of their revenue from the sale of personal data. The law also has carve-outs for the state, municipalities and political subdivisions, banks, certain financial companies, certain healthcare organizations, and other entities subject to a federal standard. Thus, the law’s focus is primarily on large, out-of-state organizations. Any company doing business in Iowa that might meet the thresholds for compliance should closely examine the various exemptions to determine whether it must comply.

Compliance with Iowa’s law will be familiar to any company that is already operating in California or other states with similar statutes. Generally, companies will be required to provide notices when they collect certain sensitive data. Consumers must have an opportunity to obtain copies of their data and to request that the company delete the data. Exemptions apply depending on the nature of the request and the type of business the company is engaged in, and companies should review them as part of building their compliance program.

The Iowa law does not create a private right of action, so consumers cannot sue companies that fail to comply. Consumers can make reports to the Iowa Attorney General, who can then open an investigation into the company’s practices. The Iowa Attorney General can assess a civil penalty of up to $7,500 for each violation of the statute.

While the new law will not affect many Iowa businesses, it is an example of increasing regulation of the collection and retention of consumer data. Even if a company does not need to comply with the new Iowa law, it is still a good idea to review collection and retention policies. Organizations are often surprised to learn that they collect a substantial amount of data, and that it is stored all over the organization. Companies will find compliance with future data privacy laws much easier if they already have a clear understanding of the data they collect and where it is stored.

After the statute is signed by the governor, it will take effect on January 1, 2025.

Shareholder Attorney John Lande is chair of Dickinson Law's Cybersecurity, Data Breach, & Privacy practice group.





The material, whether written or oral (including videos), that is posted on the various blogs of Dickinson Bradshaw is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog postings are those of the individual author; they may not reflect the opinions of the firm. Your use of the Dickinson Bradshaw blog postings does NOT create an attorney-client relationship between you and Dickinson, Bradshaw, Fowler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.
