Senate File 2321 - Introduced

SENATE FILE 2321
BY COMMITTEE ON TECHNOLOGY
(SUCCESSOR TO SF 2272)

A BILL FOR

An Act relating to consumer data protection, and including effective date provisions.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 5571SV (1) 90
nls/ko

Section 1. Section 715D.1, subsection 5, as enacted by 2023 Iowa Acts, chapter 17, section 1, is amended to read as follows:

5. “Child” means any natural person younger than thirteen eighteen years of age.

Sec. 2. Section 715D.1, as enacted by 2023 Iowa Acts, chapter 17, section 1, is amended by adding the following new subsections:

NEW SUBSECTION. 9A. “Decision that produces legal or similarly significant effects concerning a consumer” means a decision made by a controller that affects the ability of a person to access any of the following:

a. Financial and lending services.
b. Housing.
c. Insurance.
d. Education.
e. Criminal justice services.
f. Employment opportunities.
g. Health care services.
h. Basic necessities, such as food and water.

NEW SUBSECTION. 12A. “Health data” means data that pertains to the health status of an individual that discloses information related to the past, current, or future physical or mental health status of the individual.

NEW SUBSECTION. 21A. “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict specific factors related to the economic status, health, personal preferences, interests, reliability, behavior, location, or movements of an identified or identifiable individual.

Sec. 3. Section 715D.1, subsection 14, as enacted by 2023 Iowa Acts, chapter 17, section 1, is amended to read as follows:

14. “Health record” means any written, printed, or electronically recorded material maintained by a health care
provider in the course of providing health services to an individual concerning the individual and the services provided, including related health information and associated nonhealth information, provided in confidence to a health care provider.

Sec. 4. Section 715D.1, subsection 26, as enacted by 2023 Iowa Acts, chapter 17, section 1, is amended by adding the following new paragraph:

NEW PARAGRAPH. e. Health data.

Sec. 5. Section 715D.2, subsection 2, as enacted by 2023 Iowa Acts, chapter 17, section 2, is amended to read as follows:

2. This Except as it relates to health data, this chapter shall not apply to the state or any political subdivision of the state; financial institutions, affiliates of financial institutions, or data subject to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et seq.; persons who are subject to and comply with regulations promulgated pursuant to Tit. II, subtit. F, of the federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, and Tit. XIII, subtit. D, of the federal Health Information Technology for Economic and Clinical Health Act of 2009, 42 U.S.C. §17921 - 17954; nonprofit organizations; or institutions of higher education.

Sec. 6. Section 715D.2, subsection 3, as enacted by 2023 Iowa Acts, chapter 17, section 2, is amended by adding the following new paragraph:

NEW PARAGRAPH. 0b. Information or data maintained by a public health authority, as defined by HIPAA, provided the public health authority has received the consumer’s consent unless otherwise required by HIPAA.

Sec. 7. Section 715D.2, subsection 3, paragraph l, as enacted by 2023 Iowa Acts, chapter 17, section 2, is amended to read as follows:

l. Information used only for public health activities and purposes Purposes as authorized by HIPAA . , provided that the
information is all of the following:

(1) De-identified.
(2) Aggregated.
(3) Processed in batches of no less than one hundred consumers.

Sec. 8. Section 715D.3, subsection 1, paragraph d, as enacted by 2023 Iowa Acts, chapter 17, section 3, is amended by striking the paragraph and inserting in lieu thereof the following:

d. To be notified of, or to opt out of, profiling in furtherance of a decision that produces legal or similarly significant effects concerning a consumer. Notification to the consumer pursuant to this paragraph shall be in plain language and include the type of data subject to profiling, any requirements for a person receiving the consumer’s data to delete or return the data, and the process for a consumer to file a complaint.

Sec. 9. EFFECTIVE DATE. This Act takes effect January 1, 2025.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to consumer data protection and amends 2023 Iowa Acts, chapter 17.

Under Code section 715D.1, as enacted by 2023 Iowa Acts, chapter 17, section 1, “child” is defined as any natural person younger than 13 years of age. Under the bill, “child” is defined as any natural person younger than 18 years of age.

The bill expands the definition of “health record” to include, in addition to any record containing related health information, any record containing nonhealth information that is related to health information provided in confidence to a health care provider.

The bill expands the definition of “sensitive data” to include health data. “Health data” is defined in the bill.

Under the bill, except as it relates to health data, the Code chapter shall not apply to the state or any political subdivision of the state; financial institutions, affiliates of financial institutions, or data subject to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et seq.; persons who are subject to and comply with regulations promulgated pursuant to Tit. II, subtit. F, of the federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, and Tit. XIII, subtit. D, of the federal Health Information Technology for Economic and Clinical Health Act of 2009, 42 U.S.C. §17921 - 17954; nonprofit organizations; or institutions of higher education.

The bill exempts information or data maintained by a public health authority, as defined by HIPAA, from the Code chapter provided the public health authority has received the consumer’s authorization, unless otherwise required by HIPAA.

The bill exempts information used only for public health activities and purposes as authorized by HIPAA, provided that the information is de-identified, aggregated, and processed in batches of no less than 100 consumers from the Code chapter.

Under the bill, a consumer shall have the right to request to be notified of, or to opt out of, profiling in furtherance of a decision that produces legal or similarly significant effects concerning a consumer. The bill defines “profiling” as any form of automated processing performed on personal data to evaluate, analyze, or predict specific factors related to the economic status, health, personal preferences, interests, reliability, behavior, location, or movements of an individual.
Notification to the consumer shall be in plain language and include the type of data subject to profiling, any requirements for a person receiving the consumer’s data to delete or return the data, and the process for a consumer to file a complaint. “Decision that produces legal or similarly significant effects concerning a consumer” is defined in the bill.

The bill takes effect January 1, 2025.