Senate File 2208 - Introduced

SENATE FILE 2208
BY NUNN

A BILL FOR

An Act relating to consumer data protection, making penalties applicable, and including effective date provisions.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 5349XS (1) 89 es/rn
Section 1. NEW SECTION. 715D.1 Definitions.

As used in this chapter, unless the context otherwise requires:

1. “Aggregate data” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer.

2. “Authenticate” means verifying through reasonable means that a consumer, entitled to exercise their consumer rights in section 715D.3, is the same consumer exercising such consumer rights with respect to the personal data at issue.

3. “Biometric data” means data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. “Biometric data” does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.

4. “Child” means any natural person younger than thirteen years of age.

5. “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. “Consent” may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

6. “Controller” means the person that, alone or jointly with others, determines the purpose and means of processing personal data.

7. “De-identified data” means data that cannot reasonably be linked to an identified or identifiable natural person.

8. “Health Insurance Portability and Accountability Act” or “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, including amendments thereto and regulations promulgated thereunder.

9. “Precise geolocation data” means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that identifies the specific location of a natural person with precision and accuracy within a radius of one thousand seven hundred fifty feet. “Precise geolocation data” does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

10. “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

11. “Processor” means a person that processes personal data on behalf of a controller.

12. “Profiling” means any form of solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

13. “Pseudonymous data” means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

14. “Sale of personal data” means the exchange of personal data for monetary consideration by the controller to a third party. “Sale of personal data” does not include:
a. The disclosure of personal data to a processor that processes the personal data on behalf of the controller.
b. The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer or a parent of a child.
c. The disclosure or transfer of personal data to an affiliate of the controller.
d. The disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience.
e. The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.

15. “Sensitive data” means a category of personal data that includes:
a. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
b. Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person.
c. The personal data collected from a child.
d. Precise geolocation data.

16. “Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests. “Targeted advertising” does not include:
a. Advertisements based on activities within a controller’s own or affiliated websites or online applications.
b. Advertisements based on the context of a consumer’s current search query, visit to a website, or online application.
c. Advertisements directed to a consumer in response to the consumer’s request for information or feedback.
d. Processing personal data solely for measuring or reporting advertising performance, reach, or frequency.

17. “Trade secret” means information, including but not limited to a formula, pattern, compilation, program, device, method, technique, or process, that:
a. Derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use.
b. Is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.

Sec. 2. NEW SECTION. 715D.2 Scope and exemptions.

1. This chapter applies to persons conducting business in the state or producing products or services that are targeted to residents of the state and that during a calendar year either:
a. Control or process personal data of at least one hundred thousand consumers.
b. Control or process personal data of at least twenty-five thousand consumers and derive over fifty percent of gross revenue from the sale of personal data.

2. This chapter shall not apply to the state or any political subdivision of the state, financial institutions or data subject to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et seq., covered entities or business associates governed by the privacy, security, and breach notification rules issued by the department of human services, the department of health, 45 C.F.R. pts. 160 and 164 established pursuant to HIPAA, nonprofit organizations, or institutions of higher education.

3. Protected information and personal data collected under state or federal law, including but not limited to data protected under HIPAA; the federal Fair Credit Reporting Act, 15 U.S.C. §1681 et seq.; confidential records protected under 42 U.S.C. §290dd-2; in the course of employment or application for employment; emergency contact information for employees; and for purposes of the protection of natural persons under 45 C.F.R. pt. 46; are exempt from requirements in this chapter.

Sec. 3. NEW SECTION. 715D.3 Consumer data rights.

1. A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke. A child’s parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the child. A controller shall comply with an authenticated consumer request to exercise all of the following:
a. To confirm whether a controller is processing the consumer’s personal data and to access such personal data.
b. To correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.
c. To delete personal data provided by or obtained about the consumer.
d. To obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
e. To opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

2. Except as otherwise provided in this chapter, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to this section as follows:
a. A controller shall respond to the consumer without undue delay, but in all cases within forty-five days of receipt of a request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five additional days when reasonably necessary upon considering the complexity and number of the consumer’s requests by informing the consumer of any such extension within the initial forty-five-day response period, together with the reason for the extension.
b. If a controller declines to take action regarding the consumer’s request, the controller shall inform the consumer without undue delay of the justification for declining to take action and instructions for how to appeal the decision pursuant to this section.
c. Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.
d. If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer’s request.

3. A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision pursuant to this section.
The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism through which the consumer may contact the attorney general to submit a complaint.

Sec. 4. NEW SECTION. 715D.4 Data controller duties.

1. A controller shall limit the collection of personal data to what is reasonably necessary in relation to the purposes for which such data is processed and disclose the collection of the data to the consumer and obtain consent from the consumer for the data collection. A controller shall adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. A controller shall not process sensitive data without the consumer’s consent.

2. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer.

3. Any provision of a contract or agreement that purports to waive or limit in any way consumer rights pursuant to section 715E.3 shall be deemed contrary to public policy and shall be void and unenforceable.

4. A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
a. The categories of personal data processed by the controller.
b. The purpose for processing personal data.
c. How consumers may exercise their consumer rights pursuant to section 715D.3, including how a consumer may appeal a controller’s decision with regard to the consumer’s request.
d. The categories of personal data that the controller shares with third parties, if any.
e. The categories of third parties, if any, with whom the controller shares personal data.

5. If a controller sells a consumer’s personal data to third parties or uses such personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such sales or use.

6. A controller shall establish, and shall describe in a privacy notice, secure and reliable means for consumers to submit a request to exercise their consumer rights under this chapter. Such means shall consider the need for secure and reliable communication of such requests and the ability of the controller to authenticate the identity of the consumer making the request. A controller shall not require a consumer to create a new account in order to exercise consumer rights pursuant to section 715D.3.

Sec. 5. NEW SECTION. 715D.5 Processor duties.

1. A processor shall assist a controller in duties required under this chapter.

2. A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties. The contract shall also include requirements that the processor shall do all of the following:
a. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.
b. At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.
c. Upon the reasonable request of the controller, make available to the controller all information in the processor’s possession necessary to demonstrate the processor’s compliance with the duties in this chapter.
d. Cooperate with reasonable assessments by the controller, the controller’s designated assessor, or qualified and independent third-party assessor as chosen by the processor that will provide a report of such assessment to the controller upon request.
e. Engage any subcontractor or agent pursuant to a written contract in accordance with this section that requires the subcontractor to meet the duties of the processor with respect to the personal data.

Sec. 6. NEW SECTION. 715D.6 Data protection assessments.

1. A controller shall conduct and document a data protection assessment regarding processing activities involving personal data, including but not limited to the sale of personal data, the use of personal data for targeted advertising, and processing that results in a reasonably foreseeable risk of unfair discrimination, injury, or intrusions to a consumer’s expectation of privacy.

2. Data protection assessments conducted pursuant to subsection 1 shall identify and evaluate benefits and risks regarding data processing, the controller, the consumer, other stakeholders, and the public. Safeguards used by the controller and processor may be considered. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller.

3. The attorney general may request, pursuant to a consumer complaint, that a controller disclose relevant data protection assessment information during an investigation conducted by the
attorney general under section 714.16. The controller shall make the data protection assessment available to the attorney general. The attorney general may evaluate the data protection assessment for compliance with the responsibilities set forth in section 715D.4. Pursuant to section 714.16, subsection 7, the attorney general may seek and obtain an order that a party held in violation of this section pay damages to the attorney general on behalf of a person injured by the violation.

4. Data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may comply under this section if the assessments have a reasonably comparable scope and effect.

Sec. 7. NEW SECTION. 715D.7 Processing data —— exemptions.

1. A controller in possession of de-identified data shall comply with the following:
a. Take reasonable measures to ensure that the data cannot be associated with a natural person.
b. Publicly commit to maintaining and using de-identified data without attempting to re-identify the data.
c. Contractually obligate any recipients of the de-identified data to comply with all provisions of this chapter.

2. Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated consumer rights request, pursuant to section 715D.3, if all of the following are true:
a. The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data.
b. The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer.
c. The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this chapter.

3. Consumer rights contained in sections 715D.3 and 715D.4 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information.

4. Controllers that disclose pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.

Sec. 8. NEW SECTION. 715D.8 Limitations.

1. The duties imposed on a controller or processor under this chapter shall not restrict a controller’s or processor's ability beyond the extent reasonably necessary to improve essential internal processes; collect, use, or retain data to conduct internal research to develop, improve, or repair products, services, or technology; effectuate a product recall; or identify and repair technical errors that impair existing or intended functionality.

2. A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of this chapter, is not in violation of this chapter if the third-party controller or processor that receives and processes such personal data is in violation of this chapter, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation.
A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is likewise not in violation of this chapter for the offenses of the controller or processor from which it receives such personal data.

3. If a controller processes personal data pursuant to an exemption, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in this chapter.

4. This chapter shall not require a controller, processor, third party, or consumer to disclose trade secrets.

Sec. 9. Section 714.16, subsection 2, Code 2022, is amended by adding the following new paragraph:

NEW PARAGRAPH. q. It is an unlawful practice for a controller or processor of personal data to violate any of the provisions of chapter 715D.

Sec. 10. EFFECTIVE DATE. This Act takes effect January 1, 2024.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to consumer data protection.

The bill defines “controller” to mean a person that, alone or jointly with others, determines the purpose and means of processing personal data. The bill defines “process” or “processing” to mean any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. The bill defines “processor” to mean a person that processes personal data on behalf of a controller. The bill defines “pseudonymous data” to mean personal data that cannot be attributed to a specific natural person without the use of additional information.
The bill defines “targeted advertising” to mean displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests, with exceptions.

The bill provides that persons conducting business in the state or producing products or services targeted to Iowans that annually control or process personal data of over 99,999 consumers or control or process personal data of 25,000 consumers with 50 percent of gross revenue from the sale of the personal data shall be subject to the provisions of the bill. The state and political subdivisions of the state, financial institutions or data subject to the Gramm-Leach-Bliley Act of 1999, certain organizations governed by rules by the department of human services, the department of health, certain federal governance laws and HIPAA, nonprofit organizations, higher learning institutions, and certain protected information and personal data collected under state or federal laws are exempt from provisions in the bill.

The bill provides consumers have personal data rights that may be invoked at any time. Consumers or the parent of a child may submit a request to a controller for a copy of the controller’s information relating to personal data. The controller shall comply with such requests to confirm or deny whether the controller is processing the personal data, to delete or correct inaccuracies in personal data, to provide the consumer with a copy of their personal data, and to remove the consumer or child from personal data processing.

The bill requires that controllers provide responses to defined personal data requests within 45 days of a consumer initiating a request. Responses to personal data requests shall be provided to a consumer free of charge up to twice per year except where requests are overly burdensome or manifestly unfounded. A business may extend the deadline for good cause, including complexity, once by up to 45 days after informing the consumer of the reason for the extension.
The bill provides that controllers are not required to comply with requests where a controller is unable through commercially reasonable efforts to verify the identity of the consumer submitting the request.
The bill requires that controllers permit consumers to access an appeals process and provide consumers with information regarding the appeals process in situations where a consumer’s request is denied.

The bill provides that controllers shall limit the collection of personal data to the extent reasonably necessary. Controllers must disclose to the consumer the types of data being collected and obtain consent from the consumers regarding the collection of personal data and sensitive personal data processing. Controllers must securely store personal data of consumers through administrative, technical, and physical security practices. Controllers shall not discriminate against consumers that exercise consumer data rights as provided in the bill by denying a consumer goods or services, charging different prices, or providing lower quality goods. Contract provisions that require consumers to waive rights defined by the bill will be considered void and unenforceable.

The bill provides that controllers give consumers reasonably accessible and clear privacy notices that inform consumers of the information regarding personal data transfer and purposes and the methods for consumers to exercise rights. The bill provides that controllers selling personal data to third parties or using targeted advertising must clearly disclose such activity and the right for the consumer to opt out of such sales or use. The bill requires a controller to create a method for private and secure processing of consumer requests.

The bill requires processors and the assigns or subcontractors of processors to assist controllers in complying with duties created by the bill.

The bill requires controllers to conduct assessments of processing activities regarding personal data.
Data protection assessments shall consider benefits and risks regarding personal data processing to the controller, consumer, public, and other stakeholders among other factors identified by the bill. The bill provides that the attorney general may request, pursuant to a consumer complaint, an investigation pursuant to Code section 714.16 and require that a controller disclose relevant data protection assessment information and analyze the provided information for compliance with duties described by the bill. Other data protection assessments a controller has conducted may suffice for purposes of the bill if the assessments are reasonably similar.

The bill includes personal data processing exemptions, including pseudonymous data and de-identified data as defined by the bill. The bill requires that controllers in possession of de-identified data take measures to ensure that the data remains de-identified, publicly commit to a de-identified maintenance process, and require agents and assigns to adhere to provisions of the bill. The bill identifies exceptions where controllers or processors are not required to comply with a consumer rights request pursuant to the bill. The bill requires controllers disclosing pseudonymous or de-identified data to exercise reasonable oversight, security, and breach mitigation measures.

The bill provides that the bill shall not, beyond the degree reasonably necessary, restrict controller or processor abilities to improve business or function. Controllers or processors sharing personal data with third parties are not liable for the noncompliance of third parties if the controller or processor did not have personal knowledge of the violation or intent to commit a violation, nor is a third party liable for violations of a controller or processor. The bill provides that if a controller seeks an exemption, the controller bears the burden of demonstrating that the controller qualifies for the exemption and the exemption complies with the requirements in the bill.

The bill shall not require a business, consumer, or other party to disclose trade secrets.

A violation of the bill’s provisions constitutes an unlawful practice under Code section 714.16 (consumer frauds). Several types of remedies are available if a court finds that a person has committed an unlawful practice, including injunctive relief, disgorgement of moneys or property, and a civil penalty not to exceed $40,000 per violation.

The bill takes effect January 1, 2024.