Senate File 2351 S-5075 Amend Senate File 2351 as follows: 1 1. By striking everything after the enacting clause and 2 inserting: 3 < Section 1. NEW SECTION . 715D.1 Definitions. 4 As used in this chapter, unless the context otherwise 5 requires: 6 1. “Breach of security” means the same as provided in 7 section 715C.1. 8 2. “Controller” means a person who, separately or in 9 combination with another person, determines the purpose and 10 methodology of the processing of personal data. 11 3. “Custodian” means a partnership, corporation, limited 12 liability company, unincorporated association, or other 13 business or nonprofit entity that possesses personal data. 14 “Custodian” does not include any of the following: 15 a. The state or a political subdivision of the state. 16 b. A partnership, corporation, limited liability company, 17 unincorporated association, or other business entity which is 18 located in the state, which is operated for profit and under 19 a single management, and which has either fewer than twenty 20 employees or an annual gross income of less than four million 21 dollars computed as the average of the three preceding fiscal 22 years. 23 4. “Deidentified data” means data that cannot reasonably be 24 used to infer information about, or otherwise be linked to, an 25 identified or identifiable individual or a device associated 26 with an individual, provided that the controller or processor 27 who possesses the data does all of the following: 28 a. Takes reasonable measures to ensure that the data cannot 29 be associated with an individual. 30 b. Commits to maintain and use the data only in a 31 deidentified fashion and does not attempt to reidentify the 32 data. 33 c. Contractually obligates recipients of the data to comply 34 with all provisions of this chapter. 35 -1- SF2351.3490 (1) 88 ja/rn 1/ 6 #1.

5. “Geolocation data” means information that can be used to 1 identify the physical location of an electronic device. 2 6. “Minor” means an individual who is less than eighteen 3 years of age. 4 7. “Personal data” means any information that is linked or 5 reasonably able to be linked to an identified or identifiable 6 individual. “Personal data” does not include deidentified 7 data, data that is lawfully obtained from publicly available 8 sources, or data that is obtained from federal, state, or local 9 government records lawfully made available to the general 10 public. 11 8. “Processor” means a person who processes personal data on 12 behalf of a controller. 13 9. “Sensitive data” means any of the following types of 14 personal data: 15 a. Data revealing an individual’s racial or ethnic origin, 16 religious beliefs, mental condition, physical condition, or 17 sexual orientation. 18 b. A minor’s personal data. 19 c. An individual’s geolocation data. 20 d. An individual’s first name or first initial and last 21 name in combination with any one or more of the following data 22 elements that relate to the individual if any of the data 23 elements are not encrypted, redacted, or otherwise altered by 24 any method or technology in such a manner that the name or 25 data elements are unreadable, or are encrypted, redacted, or 26 otherwise altered by any method or technology but the keys to 27 unencrypt, unredact, or otherwise read the data elements have 28 been obtained through a breach of security: 29 (1) Social security number. 30 (2) Driver’s license number or other unique identification 31 number created or collected by a government body. 32 (3) Financial account number, credit card number, or debit 33 card number in combination with any required expiration date, 34 security code, access code, or password that would permit 35 -2- SF2351.3490 (1) 88 ja/rn 2/ 6

access to an individual’s financial account. 1 (4) Unique electronic identifier or routing code, in 2 combination with any required security code, access code, or 3 password that would permit access to an individual’s financial 4 account. 5 (5) Unique genetic or biometric data, such as a fingerprint, 6 retina or iris image, or other unique physical representation 7 or digital representation of genetic or biometric data. 8 (6) Data pertaining to the ownership or acquisition of a 9 firearm. 10 Sec. 2. NEW SECTION . 715D.2 Personal data rights. 11 1. An individual may request any of the following from a 12 controller or a processor: 13 a. A determination regarding whether the controller or 14 processor possesses the individual’s personal data. 15 b. Copies of the individual’s personal data that is in the 16 possession of the controller or processor. 17 c. Correction of the individual’s personal data that is 18 in the possession of the controller or processor and that the 19 individual indicates in the request is incorrect. 20 d. Cessation of the controller or processor’s sale of the 21 individual’s personal data. 22 e. Cessation of the controller or processor’s use of the 23 individual’s personal data for purposes of targeted advertising 24 or profiling in furtherance of decisions that may result in 25 the denial of consequential services or support, such as 26 financial or lending services, housing, insurance, education 27 enrollment, criminal justice, employment opportunities, health 28 care services, and access to basic necessities, such as food 29 and water. 30 2. Within forty-five days after the receipt of a request 31 made pursuant to subsection 1, the controller or processor 32 shall provide the information or take the action requested by 33 an individual. 34 3. Notwithstanding subsection 1 or 2, a controller or 35 -3- SF2351.3490 (1) 88 ja/rn 3/ 6

processor is not required to provide the information or take 1 the action requested by an individual if the controller or 2 processor is unable to authenticate the individual’s request 3 using commercially reasonable efforts. The controller or 4 processor may request additional information that is reasonably 5 necessary to authenticate such a request. 6 Sec. 3. NEW SECTION . 715D.3 Prohibitions on certain 7 practices of custodians. 8 A custodian shall not do any of the following: 9 1. Collect or use an individual’s sensitive data unless the 10 custodian first obtains the individual’s consent to collect or 11 use the sensitive data. An individual may withdraw the consent 12 to collect or use the individual’s sensitive data at any time 13 by providing notice to the custodian. 14 2. Process personal data in violation of state or federal 15 law that prohibits discrimination against consumers. 16 Sec. 4. NEW SECTION . 715D.4 Obligations of certain 17 custodians. 18 A custodian possessing the personal data of one hundred 19 thousand or more individuals shall comply with all of the 20 following: 21 1. The custodian shall provide an accessible, clear, and 22 meaningful privacy notice that informs consumers and potential 23 consumers of all of the following: 24 a. The personal data the custodian collects. 25 b. How the custodian uses personal data in its possession. 26 c. Persons the custodian allows to access or view personal 27 data in the custodian’s possession, and why the custodian 28 allows such persons to access or view the personal data. 29 d. The individual’s rights under sections 715D.2 and 715D.3. 30 2. The custodian’s collection and processing of personal 31 data shall be limited to the types and amounts of personal data 32 that are reasonably necessary in relation to the purpose for 33 which the personal data is collected or processed. 34 3. The custodian shall establish, implement, and maintain 35 -4- SF2351.3490 (1) 88 ja/rn 4/ 6

reasonable administrative, technical, and physical data 1 security practices to protect the confidentiality, integrity, 2 and accessibility of personal data. The custodian’s data 3 security practices shall be appropriate for the volume and 4 nature of the personal data the custodian possesses. 5 4. The custodian shall conduct and document a data 6 protection assessment addressing each of the following 7 activities involving personal data: 8 a. The custodian’s processing of personal data for purposes 9 of targeted advertising. 10 b. The custodian’s sale of personal data. 11 c. The custodian’s processing of personal data for purposes 12 of profiling where such profiling presents a reasonably 13 foreseeable risk of unfair or deceptive treatment of consumers, 14 financial injury to consumers, reputational injury to 15 consumers, an intrusion upon the private affairs of consumers 16 that would be offensive to a reasonable person, or other 17 substantial injury. 18 d. The custodian’s processing of sensitive data. 19 e. The custodian’s processing activities involving personal 20 data that present a heightened risk of harm to consumers. 21 5. The custodian shall provide to the attorney general upon 22 request the data protection assessment prepared pursuant to 23 subsection 4. 24 Sec. 5. NEW SECTION . 715D.5 Limitations. 25 This chapter shall not be construed to restrict or prevent 26 a controller, custodian, or processor from doing any of the 27 following: 28 1. Complying with any federal, state, or local law or 29 regulation. 30 2. Complying with a civil, criminal, or regulatory inquiry, 31 investigation, subpoena, or summons by a federal, state, or 32 local governmental authority. 33 3. Cooperating with law enforcement concerning conduct 34 or activity that the controller, custodian, or processor 35 -5- SF2351.3490 (1) 88 ja/rn 5/ 6

reasonably believes may violate federal, state, or local laws 1 or regulations. 2 4. Investigating, preparing for, or defining legal claims. 3 Sec. 6. NEW SECTION . 715D.6 Enforcement. 4 A violation of this chapter is an unlawful practice under 5 section 714.16, and all the remedies pursuant to section 714.16 6 are available for such an action. 7 Sec. 7. NEW SECTION . 715D.7 Remedies cumulative. 8 The rights, remedies, and prohibitions contained in this 9 chapter shall be in addition to and cumulative of any other 10 right, remedy, or prohibition accorded by common law or state 11 or federal law. This chapter shall not be construed to deny, 12 abrogate, or impair any such common law or statutory right, 13 remedy, or prohibition. > 14 2. Title page, by striking lines 1 and 2 and inserting < An 15 Act relating to personal data, including an individual’s rights 16 with respect to personal data, the obligations of certain 17 persons with respect to personal data, and making penalties 18 applicable. > 19 3. By renumbering as necessary. 20 ______________________________ ZACH NUNN -6- SF2351.3490 (1) 88 ja/rn 6/ 6 #2. #3.