On March 15, 2023, the Iowa House of Representatives unanimously voted to approve Senate File 262 (“SF 262”), which would make Iowa the sixth State to adopt a comprehensive state privacy law. SF 262 will now be given to the Iowa governor for approval. Assuming the governor signs the bill, SF 262 will take effect January 1, 2025.
At a high level, SF 262 shares many similarities with other comprehensive state privacy laws, such as Virginia, Utah, Colorado and Connecticut. SF 262 governs the processing of personal data and applies to controllers and processors who “conduct business in” Iowa or those which “produce products or services that are targeted to residents.” Businesses are covered by the law if they meet one of the following thresholds: (i) control or process personal data of at least 100,000 Iowa residents, or (ii) derive more than 50% of its revenue from the sale of personal data of at least 25,000 Iowa residents.
However, SF 262 is far less protective than other comprehensive state privacy laws. Although SF 262 provides consumers with the right to access, delete, and obtain a portable version of their personal data collected, there is no right of correction. Opt-out rights are also more limited. Covered entities have 90 days to respond to data subject access requests, which is longer than the typical 45-day response period required under other state privacy laws. Further, SF 262 has an opt-out standard for processing of sensitive personal data, rather than the affirmative consent standard required under other state privacy laws.
Also absent from the bill are any requirements to conduct risk assessments or maintain data minimization practices.