On March 28, 2023, the Governor of Iowa signed Iowa SF262, having the state join other states such as California, Colorado, Utah, Virginia, and Connecticut with a comprehensive state privacy law. This new law will go into effect on January 1, 2025 and will provide residents of Iowa with new privacy rights, and require businesses to have a Privacy Policy that makes the disclosures required by this law.
In this compliance guide, we will discuss the following important aspects of Iowa SF262:
- Who needs to comply with Iowa SF262;
- How the law defines personal data;
- The privacy rights provided to Iowa residents;
- The Privacy Policy requirements of Iowa SF262;
- The penalties for failure to comply; and
- How Termageddon will handle Privacy Policy updates for this new law.
Table of Contents
Who needs to comply with Iowa SF262?
Iowa SF262 applies to any person conducting business in Iowa or producing products or services that are targeted to residents of Iowa and that meet one of the following requirements:
- Controls or processes the personal data of at least 100,000 Iowa residents per year; or
- Controls or processes the personal data of at least 25,000 Iowa residents and derives over 50% of gross revenue from the sale of personal data per year.
The law does not apply to employee data and specifically exempts nonprofit organizations.
How does Iowa SF262 define personal data?
Since Iowa SF262 applies only to persons that meet the criteria above and collect and process personal data, it is important to determine whether your website collects such data.
The law defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” While the law does not include examples, when it comes to websites, “personal data” would mean data such as names, emails, and phone numbers, as well as IP addresses, which are commonly collected through contact forms or analytics services on websites.
What privacy rights are provided to residents of Iowa by Iowa SF262?
The purpose of Iowa SF262 is to provide privacy protections to residents of Iowa by providing them with certain privacy rights and by requiring businesses to meet compliance requirements. This new law provides the following privacy rights to residents of Iowa:
- To confirm whether a business is processing the individual’s personal data and to access such personal data;
- To delete personal data;
- To obtain a copy of the individual’s personal data in a portable and readily usable format that allows the individual to transmit the data to another business where processing is carried out by automated means;
- To opt out of the sale of personal data;
- To opt out of personal data being used for the purpose of targeted advertising;
- To not be discriminated against based on an individual’s request to exercise their privacy rights.
Businesses will have 90 days to respond to a consumer privacy rights request and may extend this period by an additional 45 days for complex requests. Consumers will also have the right to appeal a decision that is made by the business with regard to the privacy rights request.
Iowa SF262 Privacy Policy requirements
Iowa SF262 requires businesses that need to comply with this law to display a Privacy Policy that includes the following information:
- The categories of personal data processed by the business;
- The purpose for processing the data;
- How an individual may exercise their privacy rights and how they may appeal a decision made with regard to their privacy rights request;
- The categories of personal data that are shared with third parties;
- The categories of third parties with whom the personal data is shared;
- Whether personal data is sold or used for targeted advertising and how an individual may exercise the right to opt out of sales of personal data and targeted advertising.
Companies will need to provide a clear and conspicuous link to the Privacy Policy on their websites and ensure that their Privacy Policy includes the above disclosures.
Penalties for failure to comply with Iowa FS262
While Iowa SF262 does not include a private right of action, this law will be enforced by the Iowa Attorney General. Currently, the law includes a 90-day period of a right to cure a violation. However, if the violation is not cured, the Attorney General may seek an injunction to stop the violation and may impose penalties of up to $7,500 per violation. In this case, “per violation” may mean per website visitor whose privacy rights were infringed upon or per violation, regardless of how many times that website visitor’s privacy rights were infringed upon.
Termageddon’s plan for Iowa SF262
We will keep track of this new law, any amendments to it, and any accompanying regulations. If you are already a Termageddon customer, your Privacy Policy will be updated to reflect the disclosures above if this law applies to you, prior to its effective date. If you do not currently have a Privacy Policy or do not have a strategy to keep your policy up to date with changes such as this one, check out the Termageddon Privacy Policy generator.
