House
File
2506
-
Introduced
HOUSE
FILE
2506
BY
COMMITTEE
ON
INFORMATION
TECHNOLOGY
(SUCCESSOR
TO
HSB
674)
A
BILL
FOR
An
Act
relating
to
consumer
data
protection,
providing
civil
1
penalties,
and
including
effective
date
provisions.
2
BE
IT
ENACTED
BY
THE
GENERAL
ASSEMBLY
OF
THE
STATE
OF
IOWA:
3
TLSB
5349HV
(3)
89
es/rn
H.F.
2506
Section
1.
NEW
SECTION
.
715D.1
Definitions.
1
As
used
in
this
chapter,
unless
the
context
otherwise
2
requires:
3
1.
“Affiliate”
means
a
legal
entity
that
controls,
is
4
controlled
by,
or
is
under
common
control
with
another
legal
5
entity
or
shares
common
branding
with
another
legal
entity.
6
For
the
purposes
of
this
definition,
“control”
or
“controlled”
7
means:
8
a.
Ownership
of,
or
the
power
to
vote,
more
than
fifty
9
percent
of
the
outstanding
shares
of
any
class
of
voting
10
security
of
a
company.
11
b.
Control
in
any
manner
over
the
election
of
a
majority
of
12
the
directors
or
of
individuals
exercising
similar
functions.
13
c.
The
power
to
exercise
controlling
influence
over
the
14
management
of
a
company.
15
2.
“Aggregate
data”
means
information
that
relates
to
a
16
group
or
category
of
consumers,
from
which
individual
consumer
17
identities
have
been
removed,
that
is
not
linked
or
reasonably
18
linkable
to
any
consumer.
19
3.
“Authenticate”
means
verifying
through
reasonable
means
20
that
a
consumer,
entitled
to
exercise
their
consumer
rights
in
21
section
715D.3,
is
the
same
consumer
exercising
such
consumer
22
rights
with
respect
to
the
personal
data
at
issue.
23
4.
“Biometric
data”
means
data
generated
by
automatic
24
measurements
of
an
individual’s
biological
characteristics,
25
such
as
a
fingerprint,
voiceprint,
eye
retinas,
irises,
or
26
other
unique
biological
patterns
or
characteristics
that
is
27
used
to
identify
a
specific
individual.
“Biometric
data”
28
does
not
include
a
physical
or
digital
photograph,
a
video
or
29
audio
recording
or
data
generated
therefrom,
or
information
30
collected,
used,
or
stored
for
health
care
treatment,
payment,
31
or
operations
under
HIPAA.
32
5.
“Child”
means
any
natural
person
younger
than
thirteen
33
years
of
age.
34
6.
“Consent”
means
a
clear
affirmative
act
signifying
a
35
-1-
LSB
5349HV
(3)
89
es/rn
1/
26
H.F.
2506
consumer’s
freely
given,
specific,
informed,
and
unambiguous
1
agreement
to
process
personal
data
relating
to
the
consumer.
2
“Consent”
may
include
a
written
statement,
including
a
3
statement
written
by
electronic
means,
or
any
other
unambiguous
4
affirmative
action.
5
7.
“Consumer”
means
a
natural
person
who
is
a
resident
of
6
the
state
acting
only
in
an
individual
or
household
context
and
7
excluding
a
natural
person
acting
in
a
commercial
or
employment
8
context.
9
8.
“Controller”
means
a
person
that,
alone
or
jointly
with
10
others,
determines
the
purpose
and
means
of
processing
personal
11
data.
12
9.
“Covered
entity”
means
the
same
as
“covered
entity”
13
defined
by
HIPAA.
14
10.
“Decisions
that
produce
legal
or
similarly
significant
15
effects
concerning
a
consumer”
means
a
decision
made
by
a
16
controller
that
results
in
the
provision
or
denial
by
the
17
controller
of
financial
and
lending
services,
housing,
18
insurance,
education
enrollment,
criminal
justice,
employment
19
opportunities,
health
care
services,
or
access
to
basic
20
necessities,
such
as
food
and
water.
21
11.
“De-identified
data”
means
data
that
cannot
reasonably
22
be
linked
to
an
identified
or
identifiable
natural
person.
23
12.
“Health
care
provider”
means
any
of
the
following:
24
a.
A
general
hospital,
ordinary
hospital,
outpatient
25
surgical
hospital,
nursing
home,
or
certified
nursing
facility
26
licensed
or
certified
by
the
state.
27
b.
A
mental
or
psychiatric
hospital
licensed
by
the
state.
28
c.
A
hospital
operated
by
the
state.
29
d.
A
hospital
operated
by
universities
within
the
state.
30
e.
A
person
licensed
to
practice
medicine
or
osteopathy
in
31
the
state.
32
f.
A
person
licensed
to
furnish
health
care
policies
or
33
plans
in
the
state.
34
g.
A
person
licensed
to
practice
dentistry
in
the
state.
35
-2-
LSB
5349HV
(3)
89
es/rn
2/
26
H.F.
2506
h.
“Health
care
provider”
does
not
include
a
continuing
1
care
retirement
community
or
any
nursing
care
facility
of
a
2
religious
body
which
depends
upon
prayer
alone
for
healing.
3
13.
“Health
Insurance
Portability
and
Accountability
4
Act”
or
“HIPAA”
means
the
Health
Insurance
Portability
and
5
Accountability
Act
of
1996,
Pub.
L.
No.
104-191,
including
6
amendments
thereto
and
regulations
promulgated
thereunder.
7
14.
“Health
record”
means
any
written,
printed,
or
8
electronically
recorded
material
maintained
by
a
health
care
9
provider
in
the
course
of
providing
health
services
to
an
10
individual
concerning
the
individual
and
the
services
provided,
11
including
related
health
information
provided
in
confidence
to
12
a
health
care
provider.
13
15.
“Identified
or
identifiable
natural
person”
means
a
14
person
who
can
be
readily
identified,
directly
or
indirectly.
15
16.
“Institution
of
higher
education”
means
nonprofit
16
private
institutions
of
higher
education
and
proprietary
17
private
institutions
of
higher
education
in
the
state,
18
community
colleges,
and
each
associate-degree-granting
and
19
baccalaureate
public
institutions
of
higher
education
in
the
20
state.
21
17.
“Nonprofit
organization”
means
any
corporation
organized
22
under
chapter
504,
any
organization
exempt
from
taxation
under
23
sections
501(c)(3),
501(c)(6),
or
501(c)(12)
of
the
Internal
24
Revenue
Code,
and
any
subsidiaries
and
affiliates
of
entities
25
organized
pursuant
to
chapter
499.
26
18.
“Personal
data”
means
any
information
that
is
linked
or
27
reasonably
linkable
to
an
identified
or
identifiable
natural
28
person.
“Personal
data”
does
not
include
de-identified
data
or
29
publicly
available
information.
30
19.
“Precise
geolocation
data”
means
information
derived
31
from
technology,
including
but
not
limited
to
global
32
positioning
system
level
latitude
and
longitude
coordinates
or
33
other
mechanisms,
that
identifies
the
specific
location
of
a
34
natural
person
with
precision
and
accuracy
within
a
radius
of
35
-3-
LSB
5349HV
(3)
89
es/rn
3/
26
H.F.
2506
one
thousand
seven
hundred
fifty
feet.
“Precise
geolocation
1
data”
does
not
include
the
content
of
communications,
or
any
2
data
generated
by
or
connected
to
advanced
utility
metering
3
infrastructure
systems
or
equipment
for
use
by
a
utility.
4
20.
“Process”
or
“processing”
means
any
operation
or
set
5
of
operations
performed,
whether
by
manual
or
automated
means,
6
on
personal
data
or
on
sets
of
personal
data,
such
as
the
7
collection,
use,
storage,
disclosure,
analysis,
deletion,
or
8
modification
of
personal
data.
9
21.
“Processor”
means
a
person
that
processes
personal
data
10
on
behalf
of
a
controller.
11
22.
“Profiling”
means
any
form
of
solely
automated
12
processing
performed
on
personal
data
to
evaluate,
analyze,
13
or
predict
personal
aspects
related
to
an
identified
or
14
identifiable
natural
person’s
economic
situation,
health,
15
personal
preferences,
interests,
reliability,
behavior,
16
location,
or
movements.
17
23.
“Protected
health
information”
means
the
same
as
18
protected
health
information
established
by
HIPAA.
19
24.
“Pseudonymous
data”
means
personal
data
that
cannot
20
be
attributed
to
a
specific
natural
person
without
the
use
21
of
additional
information,
provided
that
such
additional
22
information
is
kept
separately
and
is
subject
to
appropriate
23
technical
and
organizational
measures
to
ensure
that
24
the
personal
data
is
not
attributed
to
an
identified
or
25
identifiable
natural
person.
26
25.
“Publicly
available
information”
means
information
27
that
is
lawfully
made
available
through
federal,
state,
or
28
local
government
records,
or
information
that
a
business
has
29
reasonable
basis
to
believe
is
lawfully
made
available
to
30
the
general
public
through
widely
distributed
media,
by
the
31
consumer,
or
by
a
person
to
whom
the
consumer
has
disclosed
the
32
information,
unless
the
consumer
has
restricted
the
information
33
to
a
specific
audience.
34
26.
“Sale
of
personal
data”
means
the
exchange
of
personal
35
-4-
LSB
5349HV
(3)
89
es/rn
4/
26
H.F.
2506
data
for
monetary
or
other
valuable
consideration
by
the
1
controller
to
a
third
party.
“
Sale
of
personal
data”
does
not
2
include:
3
a.
The
disclosure
of
personal
data
to
a
processor
that
4
processes
the
personal
data
on
behalf
of
the
controller.
5
b.
The
disclosure
of
personal
data
to
a
third
party
for
6
purposes
of
providing
a
product
or
service
requested
by
the
7
consumer
or
a
parent
of
a
child.
8
c.
The
disclosure
or
transfer
of
personal
data
to
an
9
affiliate
of
the
controller.
10
d.
The
disclosure
of
information
that
the
consumer
11
intentionally
made
available
to
the
general
public
via
a
12
channel
of
mass
media
and
did
not
restrict
to
a
specific
13
audience.
14
e.
The
disclosure
or
transfer
of
personal
data
to
a
third
15
party
as
an
asset
that
is
part
of
a
proposed
or
actual
merger,
16
acquisition,
bankruptcy,
or
other
transaction
in
which
the
17
third
party
assumes
control
of
all
or
part
of
the
controller’s
18
assets.
19
27.
“Sensitive
data”
means
a
category
of
personal
data
that
20
includes
the
following:
21
a.
Personal
data
revealing
racial
or
ethnic
origin,
22
religious
beliefs,
mental
or
physical
health
diagnosis,
sexual
23
orientation,
or
citizenship
or
immigration
status.
24
b.
Genetic
or
biometric
data
that
is
processed
for
the
25
purpose
of
uniquely
identifying
a
natural
person.
26
c.
The
personal
data
collected
from
a
known
child.
27
d.
Precise
geolocation
data.
28
28.
“Targeted
advertising”
means
displaying
advertisements
29
to
a
consumer
where
the
advertisement
is
selected
based
on
30
personal
data
obtained
from
that
consumer’s
activities
over
31
time
and
across
nonaffiliated
websites
or
online
applications
32
to
predict
such
consumer’s
preferences
or
interests.
“Targeted
33
advertising”
does
not
include
the
following:
34
a.
Advertisements
based
on
activities
within
a
controller’s
35
-5-
LSB
5349HV
(3)
89
es/rn
5/
26
H.F.
2506
own
or
affiliated
websites
or
online
applications.
1
b.
Advertisements
based
on
the
context
of
a
consumer’s
2
current
search
query,
visit
to
a
website,
or
online
3
application.
4
c.
Advertisements
directed
to
a
consumer
in
response
to
the
5
consumer’s
request
for
information
or
feedback.
6
d.
Processing
personal
data
solely
for
measuring
or
7
reporting
advertising
performance,
reach,
or
frequency.
8
29.
“Third
party”
means
a
natural
or
legal
person,
public
9
authority,
agency,
or
body
other
than
the
consumer,
controller,
10
processor,
or
an
affiliate
of
the
processor
or
the
controller.
11
30.
“Trade
secret”
means
information,
including
but
not
12
limited
to
a
formula,
pattern,
compilation,
program,
device,
13
method,
technique,
or
process,
that
consists
of
the
following:
14
a.
Information
that
derives
independent
economic
value,
15
actual
or
potential,
from
not
being
generally
known
to,
and
not
16
being
readily
ascertainable
by
proper
means
by,
other
persons
17
who
can
obtain
economic
value
from
its
disclosure
or
use.
18
b.
Information
that
is
the
subject
of
efforts
that
are
19
reasonable
under
the
circumstances
to
maintain
its
secrecy.
20
Sec.
2.
NEW
SECTION
.
715D.2
Scope
and
exemptions.
21
1.
This
chapter
applies
to
a
person
conducting
business
in
22
the
state
or
producing
products
or
services
that
are
targeted
23
to
residents
of
the
state
and
that
during
a
calendar
year
does
24
either
of
the
following:
25
a.
Controls
or
processes
personal
data
of
at
least
one
26
hundred
thousand
consumers.
27
b.
Controls
or
processes
personal
data
of
at
least
28
twenty-five
thousand
consumers
and
derive
over
fifty
percent
of
29
gross
revenue
from
the
sale
of
personal
data.
30
2.
This
chapter
shall
not
apply
to
the
state
or
any
31
political
subdivision
of
the
state,
financial
institutions
32
or
data
subject
to
Tit.
V
of
the
federal
Gramm-Leach-Bliley
33
Act
of
1999,
15
U.S.C.
§6801
et
seq.,
covered
entities
or
34
business
associates
governed
by
the
privacy,
security,
and
35
-6-
LSB
5349HV
(3)
89
es/rn
6/
26
H.F.
2506
breach
notification
rules
issued
by
the
Iowa
department
of
1
human
services,
the
Iowa
department
of
public
health,
45
C.F.R.
2
pts.
160
and
164
established
pursuant
to
HIPAA,
nonprofit
3
organizations,
or
institutions
of
higher
education.
4
3.
The
following
information
and
data
is
exempt
from
this
5
chapter:
6
a.
Protected
health
information
under
HIPAA.
7
b.
Health
records.
8
c.
Patient
identifying
information
for
purposes
of
42
U.S.C.
9
§290dd-2.
10
d.
Identifiable
private
information
for
purposes
of
the
11
federal
policy
for
the
protection
of
human
subjects
under
45
12
C.F.R.
pt.
46.
13
e.
Identifiable
private
information
that
is
otherwise
14
information
collected
as
part
of
human
subjects
research
15
pursuant
to
the
good
clinical
practice
guidelines
issued
by
16
the
international
council
for
harmonisation
of
technical
17
requirements
for
pharmaceuticals
for
human
use.
18
f.
The
protection
of
human
subjects
under
21
C.F.R.
pts.
6,
19
50,
and
56.
20
g.
Personal
data
used
or
shared
in
research
conducted
in
21
accordance
with
the
requirements
set
forth
in
this
chapter,
or
22
other
research
conducted
in
accordance
with
applicable
law.
23
h.
Information
and
documents
created
for
purposes
of
the
24
federal
Health
Care
Quality
Improvement
Act
of
1986,
42
U.S.C.
25
§11101
et
seq.
26
i.
Patient
safety
work
product
for
purposes
of
the
federal
27
Patient
Safety
And
Quality
Improvement
Act,
42
U.S.C.
§299b-21
28
et
seq.
29
j.
Information
derived
from
any
of
the
health
care-related
30
information
listed
in
this
subsection
that
is
de-identified
in
31
accordance
with
the
requirements
for
de-identification
pursuant
32
to
HIPAA.
33
k.
Information
originating
from,
and
intermingled
to
be
34
indistinguishable
with,
or
information
treated
in
the
same
35
-7-
LSB
5349HV
(3)
89
es/rn
7/
26
H.F.
2506
manner
as
information
exempt
under
this
subsection
that
is
1
maintained
by
a
covered
entity
or
business
associate
as
defined
2
by
HIPAA
or
a
program
or
a
qualified
service
organization
as
3
defined
by
42
U.S.C.
§290dd-2.
4
l.
Information
used
only
for
public
health
activities
and
5
purposes
as
authorized
by
HIPAA.
6
m.
The
collection,
maintenance,
disclosure,
sale,
7
communication,
or
use
of
any
personal
information
bearing
on
a
8
consumer’s
credit
worthiness,
credit
standing,
credit
capacity,
9
character,
general
reputation,
personal
characteristics,
or
10
mode
of
living
by
a
consumer
reporting
agency
or
furnisher
that
11
provides
information
for
use
in
a
consumer
report,
and
by
a
12
user
of
a
consumer
report,
but
only
to
the
extent
that
such
13
activity
is
regulated
by
and
authorized
under
the
federal
Fair
14
Credit
Reporting
Act,
15
U.S.C.
§1681.
15
n.
Personal
data
collected,
processed,
sold,
or
disclosed
in
16
compliance
with
the
federal
Driver’s
Privacy
Protection
Act
of
17
1994,
18
U.S.C.
§2721
et
seq.
18
o.
Personal
data
regulated
by
the
federal
Family
Educational
19
Rights
and
Privacy
Act,
20
U.S.C.
§1232
et
seq.
20
p.
Personal
data
collected,
processed,
sold,
or
disclosed
in
21
compliance
with
the
federal
Farm
Credit
Act,
12
U.S.C.
§2001
22
et
seq.
23
q.
Data
processed
or
maintained
as
follows:
24
(1)
In
the
course
of
an
individual
applying
to,
employed
25
by,
or
acting
as
an
agent
or
independent
contractor
of
a
26
controller,
processor,
or
third
party,
to
the
extent
that
the
27
data
is
collected
and
used
within
the
context
of
that
role.
28
(2)
As
the
emergency
contact
information
of
an
individual
29
under
this
chapter
used
for
emergency
contact
purposes.
30
(3)
That
is
necessary
to
retain
to
administer
benefits
31
for
another
individual
relating
to
the
individual
under
32
subparagraph
(1)
and
used
for
the
purposes
of
administering
33
those
benefits.
34
r.
Personal
data
used
in
accordance
with
the
federal
35
-8-
LSB
5349HV
(3)
89
es/rn
8/
26
H.F.
2506
Children’s
Online
Privacy
Protection
Act,
15
U.S.C.
§6501
–
1
6506,
and
its
rules,
regulations,
and
exceptions
thereto.
2
Sec.
3.
NEW
SECTION
.
715D.3
Consumer
data
rights.
3
1.
A
consumer
may
invoke
the
consumer
rights
authorized
4
pursuant
to
this
section
at
any
time
by
submitting
a
request
to
5
a
controller
specifying
the
consumer
rights
the
consumer
wishes
6
to
invoke.
A
known
child’s
parent
or
legal
guardian
may
invoke
7
such
consumer
rights
on
behalf
of
the
known
child
regarding
8
processing
personal
data
belonging
to
the
child.
A
controller
9
shall
comply
with
an
authenticated
consumer
request
to
exercise
10
all
of
the
following:
11
a.
To
confirm
whether
a
controller
is
processing
the
12
consumer’s
personal
data
and
to
access
such
personal
data.
13
b.
To
correct
inaccuracies
in
the
consumer’s
personal
data,
14
taking
into
account
the
nature
of
the
personal
data
and
the
15
purposes
of
the
processing
of
the
consumer’s
personal
data.
16
c.
To
delete
personal
data
provided
by
or
obtained
about
17
the
consumer.
18
d.
To
obtain
a
copy
of
the
consumer’s
personal
data
that
the
19
consumer
previously
provided
to
the
controller
in
a
portable
20
and,
to
the
extent
technically
practicable,
readily
usable
21
format
that
allows
the
consumer
to
transmit
the
data
to
another
22
controller
without
hindrance,
where
the
processing
is
carried
23
out
by
automated
means.
24
e.
To
opt
out
of
the
processing
of
the
personal
data
for
25
purposes
of
targeted
advertising,
the
sale
of
personal
data,
26
or
profiling
in
furtherance
of
decisions
that
produce
legal
or
27
similarly
significant
effects
concerning
the
consumer.
28
2.
Except
as
otherwise
provided
in
this
chapter,
a
29
controller
shall
comply
with
a
request
by
a
consumer
to
30
exercise
the
consumer
rights
authorized
pursuant
to
this
31
section
as
follows:
32
a.
A
controller
shall
respond
to
the
consumer
without
undue
33
delay,
but
in
all
cases
within
forty-five
days
of
receipt
34
of
a
request
submitted
pursuant
to
the
methods
described
in
35
-9-
LSB
5349HV
(3)
89
es/rn
9/
26
H.F.
2506
this
section.
The
response
period
may
be
extended
once
by
1
forty-five
additional
days
when
reasonably
necessary
upon
2
considering
the
complexity
and
number
of
the
consumer’s
3
requests
by
informing
the
consumer
of
any
such
extension
within
4
the
initial
forty-five-day
response
period,
together
with
the
5
reason
for
the
extension.
6
b.
If
a
controller
declines
to
take
action
regarding
the
7
consumer’s
request,
the
controller
shall
inform
the
consumer
8
without
undue
delay
of
the
justification
for
declining
to
take
9
action
and
instructions
for
how
to
appeal
the
decision
pursuant
10
to
this
section.
11
c.
Information
provided
in
response
to
a
consumer
request
12
shall
be
provided
by
a
controller
free
of
charge,
up
to
13
twice
annually
per
consumer.
If
a
request
from
a
consumer
14
is
manifestly
unfounded,
excessive,
or
repetitive,
the
15
controller
may
charge
the
consumer
a
reasonable
fee
to
cover
16
the
administrative
costs
of
complying
with
the
request
or
17
decline
to
act
on
the
request.
The
controller
bears
the
burden
18
of
demonstrating
the
manifestly
unfounded,
excessive,
or
19
repetitive
nature
of
the
request.
20
d.
If
a
controller
is
unable
to
authenticate
a
request
21
using
commercially
reasonable
efforts,
the
controller
shall
22
not
be
required
to
comply
with
a
request
to
initiate
an
action
23
under
this
section
and
may
request
that
the
consumer
provide
24
additional
information
reasonably
necessary
to
authenticate
the
25
consumer
and
the
consumer’s
request.
26
3.
A
controller
shall
establish
a
process
for
a
consumer
27
to
appeal
the
controller’s
refusal
to
take
action
on
a
request
28
within
a
reasonable
period
of
time
after
the
consumer’s
29
receipt
of
the
decision
pursuant
to
this
section.
The
appeal
30
process
shall
be
conspicuously
available
and
similar
to
the
31
process
for
submitting
requests
to
initiate
action
pursuant
32
to
this
section.
Within
sixty
days
of
receipt
of
an
appeal,
33
a
controller
shall
inform
the
consumer
in
writing
of
any
34
action
taken
or
not
taken
in
response
to
the
appeal,
including
35
-10-
LSB
5349HV
(3)
89
es/rn
10/
26
H.F.
2506
a
written
explanation
of
the
reasons
for
the
decision.
If
1
the
appeal
is
denied,
the
controller
shall
also
provide
the
2
consumer
with
an
online
mechanism
through
which
the
consumer
3
may
contact
the
attorney
general
to
submit
a
complaint.
4
Sec.
4.
NEW
SECTION
.
715D.4
Data
controller
duties.
5
1.
A
controller
shall
limit
the
collection
of
personal
6
data
to
what
is
adequate,
relevant,
and
reasonably
necessary
7
in
relation
to
the
purposes
for
which
such
data
is
processed,
8
as
disclosed
to
the
consumer.
Except
as
otherwise
provided
9
in
this
chapter,
a
controller
shall
not
process
personal
10
data
for
purposes
that
are
neither
reasonably
necessary
to
11
nor
compatible
with
the
disclosed
purposes
for
which
such
12
personal
data
is
processed,
as
disclosed
to
the
consumer,
13
unless
the
controller
obtains
the
consumer’s
consent.
A
14
controller
shall
adopt
and
implement
reasonable
administrative,
15
technical,
and
physical
data
security
practices
to
protect
the
16
confidentiality,
integrity,
and
accessibility
of
personal
data.
17
Such
data
security
practices
shall
be
appropriate
to
the
volume
18
and
nature
of
the
personal
data
at
issue.
A
controller
shall
19
not
process
sensitive
data
without
the
consumer’s
consent,
or,
20
in
the
case
of
the
processing
of
sensitive
data
concerning
a
21
known
child,
without
processing
such
data
in
accordance
with
22
the
federal
Children’s
Online
Privacy
Protection
Act,
15
U.S.C.
23
§6501
et
seq.
24
2.
A
controller
shall
not
process
personal
data
in
25
violation
of
state
and
federal
laws
that
prohibit
unlawful
26
discrimination
against
a
consumer.
A
controller
shall
not
27
discriminate
against
a
consumer
for
exercising
any
of
the
28
consumer
rights
contained
in
this
chapter,
including
denying
29
goods
or
services,
charging
different
prices
or
rates
for
30
goods
or
services,
or
providing
a
different
level
of
quality
31
of
goods
and
services
to
the
consumer.
However,
nothing
in
32
this
chapter
shall
be
construed
to
require
a
controller
to
33
provide
a
product
or
service
that
requires
the
personal
data
34
of
a
consumer
that
the
controller
does
not
collect
or
maintain
35
-11-
LSB
5349HV
(3)
89
es/rn
11/
26
H.F.
2506
or
to
prohibit
a
controller
from
offering
a
different
price,
1
rate,
level,
quality,
or
selection
of
goods
or
services
to
a
2
consumer,
including
offering
goods
or
services
for
no
fee,
3
if
the
consumer
has
exercised
his
right
to
opt
out
pursuant
4
to
section
715D.3
or
the
offer
is
related
to
a
consumer’s
5
voluntary
participation
in
a
bona
fide
loyalty,
rewards,
6
premium
features,
discounts,
or
club
card
program.
7
3.
Any
provision
of
a
contract
or
agreement
that
purports
to
8
waive
or
limit
in
any
way
consumer
rights
pursuant
to
section
9
715D.3
shall
be
deemed
contrary
to
public
policy
and
shall
be
10
void
and
unenforceable.
11
4.
A
controller
shall
provide
consumers
with
a
reasonably
12
accessible,
clear,
and
meaningful
privacy
notice
that
includes
13
the
following:
14
a.
The
categories
of
personal
data
processed
by
the
15
controller.
16
b.
The
purpose
for
processing
personal
data.
17
c.
How
consumers
may
exercise
their
consumer
rights
pursuant
18
to
section
715D.3,
including
how
a
consumer
may
appeal
a
19
controller’s
decision
with
regard
to
the
consumer’s
request.
20
d.
The
categories
of
personal
data
that
the
controller
21
shares
with
third
parties,
if
any.
22
e.
The
categories
of
third
parties,
if
any,
with
whom
the
23
controller
shares
personal
data.
24
5.
If
a
controller
sells
a
consumer’s
personal
data
to
third
25
parties
or
uses
such
personal
data
for
targeted
advertising,
26
the
controller
shall
clearly
and
conspicuously
disclose
such
27
activity,
as
well
as
the
manner
in
which
a
consumer
may
28
exercise
the
right
to
opt
out
of
such
processing.
29
6.
A
controller
shall
establish,
and
shall
describe
in
30
a
privacy
notice,
secure
and
reliable
means
for
consumers
to
31
submit
a
request
to
exercise
their
consumer
rights
under
this
32
chapter.
Such
means
shall
consider
the
ways
in
which
consumers
33
normally
interact
with
the
controller,
the
need
for
secure
and
34
reliable
communication
of
such
requests
and
the
ability
of
35
-12-
LSB
5349HV
(3)
89
es/rn
12/
26
H.F.
2506
the
controller
to
authenticate
the
identity
of
the
consumer
1
making
the
request.
A
controller
shall
not
require
a
consumer
2
to
create
a
new
account
in
order
to
exercise
consumer
rights
3
pursuant
to
section
715D.3,
but
may
require
a
consumer
to
use
4
an
existing
account.
5
Sec.
5.
NEW
SECTION
.
715D.5
Processor
duties.
6
1.
A
processor
shall
assist
a
controller
in
duties
7
required
under
this
chapter,
taking
into
account
the
nature
of
8
processing
and
the
information
available
to
the
processor
by
9
appropriate
technical
and
organizational
measures,
insofar
as
10
is
reasonably
practicable,
as
follows:
11
a.
To
fulfill
the
controller’s
obligation
to
respond
to
12
consumer
rights
requests
pursuant
to
section
715D.3.
13
b.
To
meet
the
controller’s
obligations
in
relation
to
the
14
security
of
processing
the
personal
data
and
in
relation
to
the
15
notification
of
a
security
breach
of
the
processor
pursuant
to
16
section
715C.2.
17
c.
To
provide
necessary
information
to
enable
the
controller
18
to
conduct
and
document
data
protection
assessments
pursuant
19
to
section
715D.6.
20
2.
A
contract
between
a
controller
and
a
processor
shall
21
govern
the
processor’s
data
processing
procedures
with
respect
22
to
processing
performed
on
behalf
of
the
controller.
The
23
contract
shall
clearly
set
forth
instructions
for
processing
24
personal
data,
the
nature
and
purpose
of
processing,
the
type
25
of
data
subject
to
processing,
the
duration
of
processing,
and
26
the
rights
and
duties
of
both
parties.
The
contract
shall
also
27
include
requirements
that
the
processor
shall
do
all
of
the
28
following:
29
a.
Ensure
that
each
person
processing
personal
data
is
30
subject
to
a
duty
of
confidentiality
with
respect
to
the
data.
31
b.
At
the
controller’s
direction,
delete
or
return
all
32
personal
data
to
the
controller
as
requested
at
the
end
of
the
33
provision
of
services,
unless
retention
of
the
personal
data
34
is
required
by
law.
35
-13-
LSB
5349HV
(3)
89
es/rn
13/
26
H.F.
2506
c.
Upon
the
reasonable
request
of
the
controller,
make
1
available
to
the
controller
all
information
in
the
processor’s
2
possession
necessary
to
demonstrate
the
processor’s
compliance
3
with
the
obligations
in
this
chapter.
4
d.
Allow,
and
cooperate
with,
reasonable
assessments
5
by
the
controller
or
the
controller’s
designated
assessor.
6
The
processor
may
arrange
for
a
qualified
and
independent
7
assessor
to
conduct
an
assessment
of
the
processor’s
policies
8
and
technical
and
organizational
measures
in
support
of
9
the
obligations
under
this
chapter
using
an
appropriate
and
10
accepted
control
standard
or
framework
and
assessment
procedure
11
for
such
assessments.
The
processor
shall
provide
a
report
of
12
such
assessment
to
the
controller
upon
request.
13
e.
Engage
any
subcontractor
or
agent
pursuant
to
a
written
14
contract
in
accordance
with
this
section
that
requires
the
15
subcontractor
to
meet
the
duties
of
the
processor
with
respect
16
to
the
personal
data.
17
3.
Nothing
in
this
section
shall
be
construed
to
relieve
a
18
controller
or
a
processor
from
imposed
liabilities
by
virtue
19
of
the
controller
or
processor’s
role
in
the
processing
20
relationship
as
defined
by
this
chapter.
21
4.
Determining
whether
a
person
is
acting
as
a
controller
or
22
processor
with
respect
to
a
specific
processing
of
data
is
a
23
fact-based
determination
that
depends
upon
the
context
in
which
24
personal
data
is
to
be
processed.
A
processor
that
continues
25
to
adhere
to
a
controller’s
instructions
with
respect
to
a
26
specific
processing
of
personal
data
remains
a
processor.
27
Sec.
6.
NEW
SECTION
.
715D.6
Data
protection
assessments.
28
1.
A
controller
shall
conduct
and
document
a
data
protection
29
assessment
of
each
of
the
following
processing
activities
30
involving
personal
data:
31
a.
The
sale
of
personal
data.
32
b.
The
processing
of
personal
data
for
targeted
advertising.
33
c.
The
processing
of
personal
data
for
purposes
of
34
profiling,
where
such
profiling
presents
a
reasonably
35
-14-
LSB
5349HV
(3)
89
es/rn
14/
26
H.F.
2506
foreseeable
risk
of
any
of
the
following:
1
(1)
Unfair
or
deceptive
treatment
of,
or
unlawful
disparate
2
impact
on,
consumers.
3
(2)
Financial,
physical,
or
reputational
injury
to
4
consumers.
5
(3)
A
physical
or
other
intrusion
upon
the
solitude
or
6
seclusion,
or
the
private
affairs
or
concerns,
of
consumers,
7
where
such
intrusion
would
be
offensive
to
a
reasonable
person.
8
(4)
Other
substantial
injury
to
consumers.
9
d.
The
processing
of
sensitive
data.
10
e.
Any
processing
activities
involving
personal
data
that
11
present
a
heightened
risk
of
harm
to
consumers.
12
2.
Data
protection
assessments
conducted
pursuant
to
13
subsection
1
shall
identify
and
weigh
the
benefits
that
may
14
flow,
directly
and
indirectly,
from
the
processing
to
the
15
controller,
the
consumer,
other
stakeholders,
and
the
public
16
against
the
potential
risks
to
the
rights
of
the
consumer
17
associated
with
such
processing,
as
mitigated
by
safeguards
18
that
can
be
employed
by
the
controller
to
reduce
such
risks.
19
The
use
of
de-identified
data
and
the
reasonable
expectations
20
of
consumers,
as
well
as
the
context
of
the
processing
and
the
21
relationship
between
the
controller
and
the
consumer
whose
22
personal
data
will
be
processed,
shall
be
factored
into
this
23
assessment
by
the
controller.
24
3.
The
attorney
general
may
request,
pursuant
to
a
civil
25
investigative
demand,
that
a
controller
disclose
any
data
26
protection
assessment
that
is
relevant
to
an
investigation
27
conducted
by
the
attorney
general,
and
the
controller
shall
28
make
the
data
protection
assessment
available
to
the
attorney
29
general.
The
attorney
general
may
evaluate
the
data
protection
30
assessment
for
compliance
with
the
responsibilities
set
31
forth
in
section
715D.4.
The
controller
shall
make
the
data
32
protection
assessment
available
to
the
attorney
general.
33
Data
protection
assessments
shall
be
confidential
and
exempt
34
from
public
inspection
and
copying
under
section
22.1.
The
35
-15-
LSB
5349HV
(3)
89
es/rn
15/
26
H.F.
2506
disclosure
of
a
data
protection
assessment
pursuant
to
a
1
request
from
the
attorney
general
shall
not
constitute
a
waiver
2
of
attorney-client
privilege
or
work
product
protection
with
3
respect
to
the
data
protection
assessment
and
any
information
4
contained
in
the
data
protection
assessment.
The
attorney
5
general
may
evaluate
the
data
protection
assessment
for
6
compliance
with
the
responsibilities
set
forth
in
section
7
715D.4.
8
4.
Data
protection
assessments
conducted
by
a
controller
9
for
the
purpose
of
compliance
with
other
laws
or
regulations
10
may
comply
under
this
section
if
the
assessments
have
a
11
reasonably
comparable
scope
and
effect.
A
single
data
12
protection
assessment
may
address
a
comparable
set
of
13
processing
operations
that
include
similar
activities.
Data
14
protection
assessment
requirements
shall
apply
to
processing
15
activities
created
or
generated
after
January
1,
2024,
and
are
16
not
retroactive.
17
Sec. 7. NEW SECTION. 715D.7 Processing data —— exemptions.
1. A controller in possession of de-identified data shall comply with the following:
a. Take reasonable measures to ensure that the data cannot be associated with a natural person.
b. Publicly commit to maintaining and using de-identified data without attempting to re-identify the data.
c. Contractually obligate any recipients of the de-identified data to comply with all provisions of this chapter.
2. Nothing in this chapter shall be construed to require the following:
a. A controller or processor to re-identify de-identified data or pseudonymous data.
b. Maintaining data in identifiable form.
c. Collecting, obtaining, retaining, or accessing any data or technology, in order to be capable of associating an authenticated consumer request with personal data.
3. Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated consumer rights request, pursuant to section 715D.3, if all of the following are true:
a. The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data.
b. The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer.
c. The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this chapter.
4. Consumer rights contained in sections 715D.3 and 715D.4 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information.
5. Controllers that disclose pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.
Sec. 8. NEW SECTION. 715D.8 Limitations.
1. Nothing in this chapter shall be construed to restrict a controller’s or processor’s ability to do the following:
a. Comply with federal, state, or local laws, rules, or regulations.
b. Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities.
c. Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations.
d. Investigate, establish, exercise, prepare for, or defend legal claims.
e. Provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer prior to entering into a contract.
f. Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis.
g. Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity.
h. Preserve the integrity or security of systems.
i. Investigate, report, or prosecute those responsible for any such action.
j. Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine the following:
(1) If the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller.
(2) The expected benefits of the research outweigh the privacy risks.
(3) If the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification.
k. Assist another controller, processor, or third party with any of the obligations under this subsection.
2. The obligations imposed on a controller or processor under this chapter shall not restrict a controller’s or processor’s ability to collect, use, or retain data as follows:
a. To conduct internal research to develop, improve, or repair products, services, or technology.
b. To effectuate a product recall.
c. To identify and repair technical errors that impair existing or intended functionality.
d. To perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer’s existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.
3. The obligations imposed on controllers or processors under this chapter shall not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under the laws of the state. Nothing in this chapter shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of the state as part of a privileged communication.
4. A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of this chapter, is not in violation of this chapter if the third-party controller or processor that receives and processes such personal data is in violation of this chapter, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is likewise not in violation of this chapter for the offenses of the controller or processor from which it receives such personal data.
5. Nothing in this chapter shall be construed as an obligation imposed on a controller or a processor that adversely affects the rights or freedoms of any persons, such as exercising the right of free speech pursuant to the First Amendment to the United States Constitution, or applies to the processing of personal data by a person in the course of a purely personal or household activity.
6. Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by this chapter. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is as follows:
a. Reasonably necessary and proportionate to the purposes listed in this section.
b. Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section.
Personal data collected, used, or retained pursuant to this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. Such data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to such collection, use, or retention of personal data.
7. If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in subsection 6.
8. Processing personal data for the purposes expressly identified in subsection 1 shall not solely make an entity a controller with respect to such processing.
9. This chapter shall not require a controller, processor, third party, or consumer to disclose trade secrets.
Sec. 9. NEW SECTION. 715D.9 Enforcement —— penalties.
1. The attorney general shall have exclusive authority to enforce the provisions of this chapter. Whenever the attorney general has reasonable cause to believe that any person has engaged in, is engaging in, or is about to engage in any violation of this chapter, the attorney general is empowered to issue a civil investigative demand.
2. Prior to initiating any action under this chapter, the attorney general shall provide a controller or processor thirty days’ written notice identifying the specific provisions of this chapter the attorney general alleges have been or are being violated. If within the thirty-day period, the controller or processor cures the noticed violation and provides the attorney general an express written statement that the alleged violations have been cured and that no further such violations shall occur, no action shall be initiated against the controller or processor.
3. If a controller or processor continues to violate this chapter following the cure period in subsection 2 or breaches an express written statement provided to the attorney general under that subsection, the attorney general may initiate an action in the name of the state and may seek an injunction to restrain any violations of this chapter and civil penalties of up to seven thousand five hundred dollars for each violation under this chapter. Any moneys collected under this section including civil penalties, costs, attorneys fees, or amounts which are specifically directed shall be paid into the consumer education and litigation fund established under section 714.16C.
4. The attorney general may recover reasonable expenses incurred in investigating and preparing the case, including attorney fees, in any action initiated under this chapter.
5. Nothing in this chapter shall be construed as providing the basis for, or be subject to, a private right of action for violations of this chapter or under any other law.
Sec. 10. EFFECTIVE DATE. This Act takes effect January 1, 2024.
EXPLANATION
The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to consumer data protection.

The bill contains several definitions. The bill defines “controller” to mean a person that, alone or jointly with others, determines the purpose and means of processing personal data. The bill defines “identified or identifiable natural person” to mean a person who can be readily identified, directly or indirectly. The bill defines “personal data” to mean any information that is linked or reasonably linkable to an identified or identifiable natural person, but does not include de-identified data or publicly available information. The bill defines “process” or “processing” to mean any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. The bill defines “processor” to mean a person that processes personal data on behalf of a controller. The bill defines “pseudonymous data” to mean personal data that cannot be attributed to a specific natural person without the use of additional information. The bill defines “publicly available information” to mean information that is lawfully made available to the general public through certain records or information that a business has a reasonable basis to believe is lawfully made available under certain conditions. The bill defines “targeted advertising” to mean displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests, with exceptions. The bill defines “third party” to mean a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller. The bill contains other defined terms.

The bill provides that persons conducting business in the state or producing products or services targeted to Iowans that annually control or process personal data of over 99,999 consumers or control or process personal data of 25,000 consumers with 50 percent of gross revenue derived from the sale of the personal data shall be subject to the provisions of the bill. The state and political subdivisions of the state, financial institutions or data subject to the Gramm-Leach-Bliley Act of 1999, certain organizations governed by rules of the department of human services, the department of health, certain federal governance laws and the federal Health Insurance Portability and Accountability Act, nonprofit organizations, higher learning institutions, and certain protected information and personal data collected under state or federal laws are exempt from provisions in the bill.

The bill provides that consumers have personal data rights that may be invoked at any time. Consumers or the parent of a child may submit a request to a controller for a copy of the controller’s information relating to personal data. The controller shall comply with such requests to confirm or deny whether the controller is processing the personal data, to delete or correct inaccuracies in personal data, to provide the consumer with a copy of their personal data, and to remove the consumer or child from personal data processing.

The bill requires that controllers provide responses to defined personal data requests within 45 days of a consumer initiating a request. Responses to personal data requests shall be provided to a consumer free of charge up to twice per year except where requests are overly burdensome or manifestly unfounded. A business may extend the deadline for good cause, including complexity, once by up to 45 days after informing the consumer of the reason for the extension. The bill provides that controllers are not required to comply with requests where a controller is unable through commercially reasonable efforts to verify the identity of the consumer submitting the request. The bill requires that controllers permit consumers to access an appeals process and provide consumers with information regarding the appeals process in situations where a consumer’s request is denied.

The bill provides that controllers shall limit the collection of personal data to the extent reasonably necessary. Controllers must disclose to the consumer the types of data being collected and obtain consent from the consumers regarding the collection of personal data and sensitive personal data processing. Controllers must securely store personal data of consumers through administrative, technical, and physical security practices. Controllers shall not discriminate against consumers that exercise consumer data rights as provided in the bill by denying a consumer goods or services, charging different prices, or providing lower quality goods, with exceptions. Contract provisions that require consumers to waive rights defined by the bill will be considered void and unenforceable.

The bill provides that controllers give consumers reasonably accessible and clear privacy notices that inform consumers of the information regarding personal data transfer and purposes and the methods for consumers to exercise rights. The bill provides that controllers selling personal data to third parties or using targeted advertising must clearly disclose such activity and the right for the consumer to opt out of such sales or use. The bill requires a controller to create a method for private and secure processing of consumer requests.

The bill requires processors and the assigns or subcontractors of processors to assist controllers in complying with duties created by the bill.

The bill requires controllers to conduct assessments of processing activities regarding certain personal data. Data protection assessments shall consider benefits and risks regarding personal data processing to the controller, consumer, public, and other stakeholders among other factors identified by the bill. The bill provides that the attorney general may request an investigation and require that a controller disclose relevant data protection assessment information and analyze the provided information for compliance with duties described by the bill. Other data protection assessments a controller has conducted may suffice for purposes of the bill if the assessments are reasonably similar.

The bill includes personal data processing exemptions, including pseudonymous data and de-identified data as defined by the bill. The bill requires that controllers in possession of de-identified data take measures to ensure that the data remains de-identified, publicly commit to a de-identified maintenance process, and require agents and assigns to adhere to provisions of the bill. The bill identifies exceptions where controllers or processors are not required to comply with a consumer rights request pursuant to the bill. The bill requires controllers disclosing pseudonymous or de-identified data to exercise reasonable oversight of contractual commitments regarding such data.

The bill provides that the bill shall not restrict controller or processor abilities to improve business or function. Controllers or processors sharing personal data with third parties are not liable for the noncompliance of third parties if the controller or processor did not have actual knowledge of the violation or intent to commit a violation, nor is a third party liable for violations of a controller or processor. The bill provides that if a controller seeks certain exemptions, the controller bears the burden of demonstrating that the controller qualifies for the exemption and the exemption complies with the requirements in the bill. The bill shall not require a business, consumer, or other party to disclose trade secrets.

The bill provides that the attorney general shall investigate controllers and processors upon reasonable cause for violations of provisions of the bill. The attorney general shall provide 30 days’ notice to a controller or processor including the reason for which the entity is subject to an investigation and permit the entity to cure the defect prior to filing a civil action. A controller or processor found to be in violation of provisions of the bill is subject to a civil penalty of up to $7,500 per violation. Moneys collected by the attorney general under the bill shall be paid into the consumer education and litigation fund established under Code section 714.16C. The attorney general may recover reasonable expenses incurred in investigating and preparing the case, including attorney fees.

The bill takes effect January 1, 2024.