House File 2048 - Introduced

HOUSE FILE 2048

BY GEARHART

A BILL FOR

An Act relating to personal data processing practices for companies, and making civil penalties applicable.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 5397YH (3) 91 dg/jh
Section 1. NEW SECTION. 715F.1 Definitions.

1. “Automated decision making” means a process that uses personal data to make decisions, including but not limited to profiling, risk scoring, and determining eligibility, without human involvement.

2. “Company” means a person conducting business in this state that processes the personal data of five thousand or more individuals who reside in this state in a single calendar year.

3. “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual. “Personal data” does not include de-identified or aggregate data or publicly available information.

4. “Process” means the act of performing an operation on personal data, including collecting, storing, using, analyzing, disclosing, or deleting personal data.

Sec. 2. NEW SECTION. 715F.2 Company requirements.

1. A company shall do all of the following:

a. Disclose all of the following to an individual in a clear and conspicuous manner prior to processing the individual’s personal data:

(1) The purposes for which the company intends to use the individual’s personal data, including but not limited to whether the personal data will be used for automated decision making or artificial intelligence training. The purposes shall include a plain language description of how the personal data will be used.

(2) The types of personal data the company intends to process.

(3) The types of persons with whom the company intends to share or sell personal data.

(4) Whether the individual will be compensated for providing personal data, and in what form such compensation will come.

b. (1) Obtain consent from an individual to allow the company to process the individual’s personal data prior to
processing the individual’s personal data.

(2) A company shall obtain consent from an individual by offering the individual a clear means to affirmatively provide the consent. The company shall not use deceptive or manipulative means to obtain an individual’s consent.

c. Collect only the personal data reasonably necessary to achieve the purposes disclosed under paragraph “a”.

d. Allow an individual to revoke consent to allow the company to process the individual’s data in a manner that is no more burdensome than the manner used to obtain the individual’s consent.

e. Cease all processing of the individual’s personal data within thirty calendar days of receiving notice that the individual has revoked consent to allow the company to process the individual’s personal data.

f. Implement and maintain administrative, technical, and physical practices that ensure the security of personal data the company processes. The practices shall be appropriate for the company given the volume, nature, and sensitivity of the personal data the company processes.

2. A company shall not do any of the following:

a. Process personal data in a manner the individual to whom the personal data pertains has not consented.

b. Deny or downgrade an individual’s service solely because the individual exercised a right granted under section 715F.3.

Sec. 3. NEW SECTION. 715F.3 Personal data processing —— individual rights.

A resident of this state shall have all of the following rights:

1. To obtain confirmation from a company of whether the company is processing the individual’s personal data.

2. To obtain a detailed summary of the personal data processed by a company.

3. To request that a company correct inaccurate personal data pertaining to the individual and processed by the company.
4. Subject to other data retention requirements, to request that a company delete personal data pertaining to the individual and processed by the company.

5. To revoke, at any time, consent the individual gave to a company to process the individual’s personal data.

Sec. 4. NEW SECTION. 715F.4 Enforcement —— penalties.

1. The attorney general shall have the authority to investigate violations and enforce this chapter.

2. A violation of this chapter shall constitute an unlawful practice under section 714.16.

3. A resident of this state may bring a private action against a company for injunctive relief, civil penalties, and actual damages caused by any of the following:

a. An unauthorized entity obtaining the resident’s personal data due to the company’s failure to implement or maintain sufficient administrative, technical, and physical practices to ensure the security of personal data the company processes.

b. A violation of this chapter the company committed that resulted in actual damages to the resident.

4. A violation of this chapter shall be punishable by a civil penalty of up to seven thousand five hundred dollars per violation per affected resident of this state.

5. Civil penalties awarded to the state under this chapter shall be deposited into the general fund of the state.

Sec. 5. NEW SECTION. 715F.5 Exemptions.

This chapter shall not apply to any of the following:

1. Personal data processed in the course of obtaining, issuing, or executing a valid warrant or subpoena.

2. Personal data processed solely for national security or law enforcement purposes.

3. Personal data that has been de-identified or made anonymous so that the data can no longer be reasonably linked to an individual.

Sec. 6. Section 714.16, subsection 2, Code 2026, is amended by adding the following new paragraph:
NEW PARAGRAPH. t. It is an unlawful practice for a company to violate chapter 715F.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to personal data (data) processing practices for companies.

The bill defines “automated decision making” as a process that uses data to make decisions, including but not limited to profiling, risk scoring, and determining eligibility, without human involvement.

The bill defines “company” as a person conducting business in this state that processes the data of 5,000 or more individuals who reside in this state in a single calendar year.

The bill defines “personal data” as any information that is linked or reasonably linkable to an identified or identifiable individual. “Personal data” does not include de-identified or aggregate data or publicly available information.

The bill defines “process” as the act of performing an operation on data, including collecting, storing, using, analyzing, disclosing, or deleting data.

The bill details several disclosures a company must make and acts the company must perform. The bill also prohibits a company from processing data in a manner that the individual to whom the personal data pertains has not consented, and prohibits a company from denying or downgrading an individual’s service solely because the individual exercised a right granted under the bill.

The bill details several rights that each resident of this state shall have relating to data.

The bill authorizes the attorney general to investigate violations and enforce the bill. A violation of the bill shall constitute an unlawful practice under Code section 714.16 (consumer frauds). A resident of this state is allowed to bring a private action against a company for injunctive
relief, civil penalties, and actual damages caused by an unauthorized entity obtaining the resident’s personal data due to the company’s failure to implement or maintain sufficient administrative, technical, and physical practices to ensure the security of personal data the company processes, or for a violation of the bill the company committed that resulted in actual damages to the resident. A violation of the bill is punishable by a civil penalty of up to $7,500 per violation per affected resident of this state. Penalties awarded to the state shall be deposited into the general fund of the state.

The bill exempts personal data processed in the course of obtaining, issuing, or executing a valid warrant or subpoena; personal data processed solely for national security or law enforcement purposes; and personal data that has been de-identified or made anonymous so that the data can no longer be reasonably linked to an individual from the bill’s provisions.

The bill makes a conforming change to Code section 714.16.