In this compliance guide, we will discuss the following important aspects of Iowa SF262:
- Who needs to comply with Iowa SF262;
- How the law defines personal data;
- The privacy rights provided to Iowa residents;
- The penalties for failure to comply; and
Who needs to comply with Iowa SF262?
Iowa SF262 applies to any person conducting business in Iowa or producing products or services that are targeted to residents of Iowa and that meet one of the following requirements:
- Controls or processes the personal data of at least 100,000 Iowa residents per year; or
- Controls or processes the personal data of at least 25,000 Iowa residents and derives over 50% of gross revenue from the sale of personal data per year.
The law does not apply to employee data and specifically exempts nonprofit organizations.
How does Iowa SF262 define personal data?
Since Iowa SF262 applies only to persons that meet the criteria above and collect and process personal data, it is important to determine whether your website collects such data.
The law defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” While the law does not include examples, when it comes to websites, “personal data” would mean data such as names, emails, and phone numbers, as well as IP addresses, which are commonly collected through contact forms or analytics services on websites.
What privacy rights are provided to residents of Iowa by Iowa SF262?
The purpose of Iowa SF262 is to protect the privacy of Iowa residents by granting them certain privacy rights and by imposing compliance obligations on businesses. This new law provides the following privacy rights to residents of Iowa:
- To confirm whether a business is processing the individual’s personal data and to access such personal data;
- To delete personal data;
- To obtain a copy of the individual’s personal data in a portable and readily usable format that allows the individual to transmit the data to another business where processing is carried out by automated means;
- To opt out of the sale of personal data;
- To opt out of personal data being used for the purpose of targeted advertising;
- To not be discriminated against for exercising their privacy rights.
Businesses will have 90 days to respond to a consumer privacy rights request and may extend this period by an additional 45 days for complex requests. Consumers will also have the right to appeal a decision that is made by the business with regard to the privacy rights request.
- The categories of personal data processed by the business;
- The purpose for processing the data;
- How an individual may exercise their privacy rights and how they may appeal a decision made with regard to their privacy rights request;
- The categories of personal data that are shared with third parties;
- The categories of third parties with whom the personal data is shared;
- Whether personal data is sold or used for targeted advertising and how an individual may exercise the right to opt out of sales of personal data and targeted advertising.
Penalties for failure to comply with Iowa SF262
While Iowa SF262 does not include a private right of action, this law will be enforced by the Iowa Attorney General. Currently, the law includes a 90-day right to cure a violation. However, if the violation is not cured, the Attorney General may seek an injunction to stop the violation and may impose penalties of up to $7,500 per violation. In this context, “per violation” may mean either per website visitor whose privacy rights were infringed upon, or per individual violation, regardless of how many times that website visitor’s privacy rights were infringed upon.
Termageddon’s plan for Iowa SF262