House Study Bill 674 - Introduced

A Bill For

An Act relating to consumer data protection, providing civil penalties, and including effective date provisions.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
Section 1. NEW SECTION. 715D.1 Definitions.

As used in this chapter, unless the context otherwise requires:

1. “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. For the purposes of this definition, “control” or “controlled” means:

a. Ownership of, or the power to vote, more than fifty percent of the outstanding shares of any class of voting security of a company.

b. Control in any manner over the election of a majority of the directors or of individuals exercising similar functions.

c. The power to exercise controlling influence over the management of a company.

2. “Aggregate data” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer.

3. “Authenticate” means verifying through reasonable means that a consumer, entitled to exercise their consumer rights in section 715D.3, is the same consumer exercising such consumer rights with respect to the personal data at issue.

4. “Biometric data” means data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. “Biometric data” does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.

5. “Child” means any natural person younger than thirteen years of age.

6. “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. “Consent” may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

7. “Consumer” means a natural person who is a resident of the state acting only in an individual or household context and excluding a natural person acting in a commercial or employment context.

8. “Controller” means a person that, alone or jointly with others, determines the purpose and means of processing personal data.

9. “Covered entity” means the same as “covered entity” defined by HIPAA.

10. “Decisions that produce legal or similarly significant effects concerning a consumer” means a decision made by a controller that results in the provision or denial by the controller of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water.

11. “De-identified data” means data that cannot reasonably be linked to an identified or identifiable natural person.

12. “Health care provider” means any of the following:

a. A general hospital, ordinary hospital, outpatient surgical hospital, nursing home, or certified nursing facility licensed or certified by the state.

b. A mental or psychiatric hospital licensed by the state.

c. A hospital operated by the state.

d. A hospital operated by universities within the state.

e. A person licensed to practice medicine or osteopathy in the state.

f. A person licensed to furnish health care policies or plans in the state.

g. A person licensed to practice dentistry in the state.

h. “Health care provider” does not include a continuing care retirement community or any nursing care facility of a religious body which depends upon prayer alone for healing.

13. “Health Insurance Portability and Accountability Act” or “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, including amendments thereto and regulations promulgated thereunder.

14. “Health record” means any written, printed, or electronically recorded material maintained by a health care provider in the course of providing health services to an individual concerning the individual and the services provided, including related health information provided in confidence to a health care provider.

15. “Identified or identifiable natural person” means a person who can be readily identified, directly or indirectly.

16. “Institution of higher education” means nonprofit private institutions of higher education and proprietary private institutions of higher education in the state, community colleges, and each associate-degree-granting and baccalaureate public institutions of higher education in the state.

17. “Nonprofit organization” means any corporation organized under chapter 504, any organization exempt from taxation under sections 501(c)(3), 501(c)(6), or 501(c)(12) of the Internal Revenue Code, and any subsidiaries and affiliates of entities organized pursuant to chapter 499.

18. “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person. “Personal data” does not include de-identified data or publicly available information.

19. “Precise geolocation data” means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that identifies the specific location of a natural person with precision and accuracy within a radius of one thousand seven hundred fifty feet. “Precise geolocation data” does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

20. “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

21. “Processor” means a person that processes personal data on behalf of a controller.

22. “Profiling” means any form of solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

23. “Protected health information” means the same as protected health information established by HIPAA.

24. “Pseudonymous data” means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

25. “Sale of personal data” means the exchange of personal data for monetary consideration by the controller to a third party. “Sale of personal data” does not include:

a. The disclosure of personal data to a processor that processes the personal data on behalf of the controller.

b. The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer or a parent of a child.

c. The disclosure or transfer of personal data to an affiliate of the controller.

d. The disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience.

e. The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

26. “Sensitive data” means a category of personal data that includes the following:

a. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.

b. Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person.

c. The personal data collected from a known child.

d. Precise geolocation data.

27. “Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests. “Targeted advertising” does not include the following:

a. Advertisements based on activities within a controller’s own or affiliated websites or online applications.

b. Advertisements based on the context of a consumer’s current search query, visit to a website, or online application.

c. Advertisements directed to a consumer in response to the consumer’s request for information or feedback.

d. Processing personal data solely for measuring or reporting advertising performance, reach, or frequency.

28. “Third party” means a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller.

29. “Trade secret” means information, including but not limited to a formula, pattern, compilation, program, device, method, technique, or process, that consists of the following:

a. Information that derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use.

b. Information that is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.
Sec. 2. NEW SECTION. 715D.2 Scope and exemptions.

1. This chapter applies to a person conducting business in the state or producing products or services that are targeted to residents of the state and that during a calendar year does either of the following:

a. Controls or processes personal data of at least one hundred thousand consumers.

b. Controls or processes personal data of at least twenty-five thousand consumers and derives over fifty percent of gross revenue from the sale of personal data.

2. This chapter shall not apply to the state or any political subdivision of the state, financial institutions or data subject to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et seq., covered entities or business associates governed by the privacy, security, and breach notification rules issued by the Iowa department of human services, the Iowa department of public health, 45 C.F.R. pts. 160 and 164 established pursuant to HIPAA, nonprofit organizations, or institutions of higher education.

3. The following information and data is exempt from this chapter:

a. Protected health information under HIPAA.

b. Health records.

c. Patient identifying information for purposes of 42 U.S.C. §290dd-2.

d. Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. pt. 46.

e. Identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the international council for harmonisation of technical requirements for pharmaceuticals for human use.

f. The protection of human subjects under 21 C.F.R. pts. 6, 50, and 56.

g. Personal data used or shared in research conducted in accordance with the requirements set forth in this chapter, or other research conducted in accordance with applicable law.

h. Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 U.S.C. §11101 et seq.

i. Patient safety work product for purposes of the federal Patient Safety And Quality Improvement Act, 42 U.S.C. §299b-21 et seq.

j. Information derived from any of the health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA.

k. Information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as information exempt under this subsection that is maintained by a covered entity or business associate as defined by HIPAA or a program or a qualified service organization as defined by 42 U.S.C. §290dd-2.

l. Information used only for public health activities and purposes as authorized by HIPAA.

m. The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act, 15 U.S.C. §1681.

n. Personal data collected, processed, sold, or disclosed in compliance with the federal Driver’s Privacy Protection Act of 1994, 18 U.S.C. §2721 et seq.

o. Personal data regulated by the federal Family Educational Rights and Privacy Act, 20 U.S.C. §1232 et seq.

p. Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act, 12 U.S.C. §2001 et seq.

q. Data processed or maintained as follows:

(1) In the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role.

(2) As the emergency contact information of an individual under this chapter used for emergency contact purposes.

(3) That is necessary to retain to administer benefits for another individual relating to the individual under subparagraph (1) and used for the purposes of administering those benefits.

r. Personal data used in accordance with the federal Children’s Online Privacy Protection Act, 15 U.S.C. §6501 – 6506, and its rules, regulations, and exceptions thereto.
Sec. 3. NEW SECTION. 715D.3 Consumer data rights.

1. A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke. A known child’s parent or legal guardian may invoke such consumer rights on behalf of the known child regarding processing personal data belonging to the child. A controller shall comply with an authenticated consumer request to exercise all of the following:

a. To confirm whether a controller is processing the consumer’s personal data and to access such personal data.

b. To correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.

c. To delete personal data provided by or obtained about the consumer.

d. To obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.

e. To opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

2. Except as otherwise provided in this chapter, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to this section as follows:

a. A controller shall respond to the consumer without undue delay, but in all cases within forty-five days of receipt of a request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five additional days when reasonably necessary upon considering the complexity and number of the consumer’s requests by informing the consumer of any such extension within the initial forty-five-day response period, together with the reason for the extension.

b. If a controller declines to take action regarding the consumer’s request, the controller shall inform the consumer without undue delay of the justification for declining to take action and instructions for how to appeal the decision pursuant to this section.

c. Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If a request from a consumer is manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.

d. If a controller is unable to authenticate a request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer’s request.

3. A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision pursuant to this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the controller shall also provide the consumer with an online mechanism through which the consumer may contact the attorney general to submit a complaint.
Sec. 4. NEW SECTION. 715D.4 Data controller duties.

1. A controller shall limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer. Except as otherwise provided in this chapter, a controller shall not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent. A controller shall adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue. A controller shall not process sensitive data without the consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children’s Online Privacy Protection Act, 15 U.S.C. §6501 et seq.

2. A controller shall not process personal data in violation of state and federal laws that prohibit unlawful discrimination against a consumer. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this chapter shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised his right to opt out pursuant to section 715D.3 or the offer is related to a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

3. Any provision of a contract or agreement that purports to waive or limit in any way consumer rights pursuant to section 715D.3 shall be deemed contrary to public policy and shall be void and unenforceable.

4. A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the following:

a. The categories of personal data processed by the controller.

b. The purpose for processing personal data.

c. How consumers may exercise their consumer rights pursuant to section 715D.3, including how a consumer may appeal a controller’s decision with regard to the consumer’s request.

d. The categories of personal data that the controller shares with third parties, if any.

e. The categories of third parties, if any, with whom the controller shares personal data.

5. If a controller sells a consumer’s personal data to third parties or uses such personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such processing.

6. A controller shall establish, and shall describe in a privacy notice, secure and reliable means for consumers to submit a request to exercise their consumer rights under this chapter. Such means shall consider the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests and the ability of the controller to authenticate the identity of the consumer making the request. A controller shall not require a consumer to create a new account in order to exercise consumer rights pursuant to section 715D.3, but may require a consumer to use an existing account.
Sec. 5. NEW SECTION. 715D.5 Processor duties.

1. A processor shall assist a controller in duties required under this chapter, taking into account the nature of processing and the information available to the processor by appropriate technical and organizational measures, insofar as is reasonably practicable, as follows:

a. To fulfill the controller’s obligation to respond to consumer rights requests pursuant to section 715D.3.

b. To meet the controller’s obligations in relation to the security of processing the personal data and in relation to the notification of a security breach of the processor pursuant to section 715C.2.

c. To provide necessary information to enable the controller to conduct and document data protection assessments pursuant to section 715D.6.

2. A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties. The contract shall also include requirements that the processor shall do all of the following:

a. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.

b. At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.

c. Upon the reasonable request of the controller, make available to the controller all information in the processor’s possession necessary to demonstrate the processor’s compliance with the obligations in this chapter.

d. Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor. The processor may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the obligations under this chapter using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request.

e. Engage any subcontractor or agent pursuant to a written contract in accordance with this section that requires the subcontractor to meet the duties of the processor with respect to the personal data.

3. Nothing in this section shall be construed to relieve a controller or a processor from imposed liabilities by virtue of the controller or processor’s role in the processing relationship as defined by this chapter.

4. Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains a processor.
Sec. 6. NEW SECTION. 715D.6 Data protection assessments.

1. A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal data:

a. The sale of personal data.

b. The processing of personal data for targeted advertising.

c. The processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of any of the following:

(1) Unfair or deceptive treatment of, or unlawful disparate impact on, consumers.

(2) Financial, physical, or reputational injury to consumers.

(3) A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person.

(4) Other substantial injury to consumers.

d. The processing of sensitive data.

e. Any processing activities involving personal data that present a heightened risk of harm to consumers.

2. Data protection assessments conducted pursuant to subsection 1 shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller.

3. The attorney general may request, pursuant to a civil investigative demand, that a controller disclose any data protection assessment that is relevant to an investigation conducted by the attorney general, and the controller shall make the data protection assessment available to the attorney general. The attorney general may evaluate the data protection assessment for compliance with the responsibilities set forth in section 715D.4. The controller shall make the data protection assessment available to the attorney general. Data protection assessments shall be confidential and exempt from public inspection and copying under section 22.1. The disclosure of a data protection assessment pursuant to a request from the attorney general shall not constitute a waiver of attorney-client privilege or work product protection with respect to the data protection assessment and any information contained in the data protection assessment. The attorney general may evaluate the data protection assessment for compliance with the responsibilities set forth in section 715D.4.

4. Data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may comply under this section if the assessments have a reasonably comparable scope and effect. A single data protection assessment may address a comparable set of processing operations that include similar activities. Data protection assessment requirements shall apply to processing activities created or generated after January 1, 2024, and are not retroactive.
Sec. 7. NEW SECTION. 715D.7 Processing data — exemptions.

1. A controller in possession of de-identified data shall comply with the following:

a. Take reasonable measures to ensure that the data cannot be associated with a natural person.

b. Publicly commit to maintaining and using de-identified data without attempting to re-identify the data.

c. Contractually obligate any recipients of the de-identified data to comply with all provisions of this chapter.

2. Nothing in this chapter shall be construed to require the following:

a. A controller or processor to re-identify de-identified data or pseudonymous data.

b. Maintaining data in identifiable form.

c. Collecting, obtaining, retaining, or accessing any data or technology, in order to be capable of associating an authenticated consumer request with personal data.

3. Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated consumer rights request, pursuant to section 715D.3, if all of the following are true:

a. The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data.

b. The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer.

c. The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this chapter.

4. Consumer rights contained in sections 715D.3 and 715D.4 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information.

5. Controllers that disclose pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.
   Sec. 8.  NEW SECTION.  715D.8  Limitations.
   1.  Nothing in this chapter shall be construed to restrict a controller’s or processor’s ability to do the following:
   a.  Comply with federal, state, or local laws, rules, or regulations.
   b.  Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities.
   c.  Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations.
   d.  Investigate, establish, exercise, prepare for, or defend legal claims.
   e.  Provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer prior to entering into a contract.
   f.  Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis.
   g.  Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity.
   h.  Preserve the integrity or security of systems.
   i.  Investigate, report, or prosecute those responsible for any such action.
   j.  Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine the following:
   (1)  If the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller.
   (2)  The expected benefits of the research outweigh the privacy risks.
   (3)  If the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification.
   k.  Assist another controller, processor, or third party with any of the obligations under this subsection.
   2.  The obligations imposed on a controller or processor under this chapter shall not restrict a controller’s or processor’s ability to collect, use, or retain data as follows:
   a.  To conduct internal research to develop, improve, or repair products, services, or technology.
   b.  To effectuate a product recall.
   c.  To identify and repair technical errors that impair existing or intended functionality.
   d.  To perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer’s existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.
   3.  The obligations imposed on controllers or processors under this chapter shall not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under the laws of the state. Nothing in this chapter shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of the state as part of a privileged communication.
   4.  A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of this chapter, is not in violation of this chapter if the third-party controller or processor that receives and processes such personal data is in violation of this chapter, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is likewise not in violation of this chapter for the offenses of the controller or processor from which it receives such personal data.
   5.  Nothing in this chapter shall be construed as an obligation imposed on a controller or a processor that adversely affects the rights or freedoms of any persons, such as exercising the right of free speech pursuant to the First Amendment to the United States Constitution, or applies to the processing of personal data by a person in the course of a purely personal or household activity.
   6.  Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by this chapter. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is as follows:
   a.  Reasonably necessary and proportionate to the purposes listed in this section.
   b.  Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section.
   Personal data collected, used, or retained pursuant to this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. Such data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to such collection, use, or retention of personal data.
   7.  If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in subsection 6.
   8.  Processing personal data for the purposes expressly identified in subsection 1 shall not solely make an entity a controller with respect to such processing.
   9.  This chapter shall not require a controller, processor, third party, or consumer to disclose trade secrets.
   Sec. 9.  NEW SECTION.  715D.9  Enforcement — penalties.
   1.  The attorney general shall have exclusive authority to enforce the provisions of this chapter. Whenever the attorney general has reasonable cause to believe that any person has engaged in, is engaging in, or is about to engage in any violation of this chapter, the attorney general is empowered to issue a civil investigative demand.
   2.  Prior to initiating any action under this chapter, the attorney general shall provide a controller or processor thirty days’ written notice identifying the specific provisions of this chapter the attorney general alleges have been or are being violated. If within the thirty-day period, the controller or processor cures the noticed violation and provides the attorney general an express written statement that the alleged violations have been cured and that no further such violations shall occur, no action shall be initiated against the controller or processor.
   3.  If a controller or processor continues to violate this chapter following the cure period in subsection 2 or breaches an express written statement provided to the attorney general under that subsection, the attorney general may initiate an action in the name of the state and may seek an injunction to restrain any violations of this chapter and civil penalties of up to seven thousand five hundred dollars for each violation under this chapter.
   4.  The attorney general may recover reasonable expenses incurred in investigating and preparing the case, including attorney fees, in any action initiated under this chapter.
   5.  Nothing in this chapter shall be construed as providing the basis for, or be subject to, a private right of action for violations of this chapter or under any other law.
   Sec. 10.  EFFECTIVE DATE.  This Act takes effect January 1, 2024.
EXPLANATION
The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.
   This bill relates to consumer data protection.
   The bill contains several definitions. The bill defines “controller” to mean a person that, alone or jointly with others, determines the purpose and means of processing personal data. The bill defines “identified or identifiable natural person” to mean a person who can be readily identified, directly or indirectly. The bill defines “personal data” to mean any information that is linked or reasonably linkable to an identified or identifiable natural person, but does not include de-identified data or publicly available information. The bill defines “process” or “processing” to mean any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. The bill defines “processor” to mean a person that processes personal data on behalf of a controller. The bill defines “pseudonymous data” to mean personal data that cannot be attributed to a specific natural person without the use of additional information. The bill defines “targeted advertising” to mean displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests, with exceptions. The bill defines “third party” to mean a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller. The bill contains other defined terms.
   The bill provides that persons conducting business in the state or producing products or services targeted to Iowans that annually control or process personal data of over 99,999 consumers or control or process personal data of 25,000 consumers with 50 percent of gross revenue derived from the sale of the personal data shall be subject to the provisions of the bill. The state and political subdivisions of the state, financial institutions or data subject to the Gramm-Leach-Bliley Act of 1999, certain organizations governed by rules by the department of human services, the department of health, certain federal governance laws and the federal Health Insurance Portability and Accountability Act, nonprofit organizations, higher learning institutions, and certain protected information and personal data collected under state or federal laws are exempt from provisions in the bill.
   The bill provides consumers have personal data rights that may be invoked at any time. Consumers or the parent of a child may submit a request to a controller for a copy of the controller’s information relating to personal data. The controller shall comply with such requests to confirm or deny whether the controller is processing the personal data, to delete or correct inaccuracies in personal data, to provide the consumer with a copy of their personal data, and to remove the consumer or child from personal data processing.
   The bill requires that controllers provide responses to defined personal data requests within 45 days of a consumer initiating a request. Responses to personal data requests shall be provided to a consumer free of charge up to twice per year except where requests are overly burdensome or manifestly unfounded. A business may extend the deadline for good cause, including complexity, once by up to 45 days after informing the consumer of the reason for the extension. The bill provides that controllers are not required to comply with requests where a controller is unable through commercially reasonable efforts to verify the identity of the consumer submitting the request. The bill requires that controllers permit consumers to access an appeals process and provide consumers with information regarding the appeals process in situations where a consumer’s request is denied.
   The bill provides that controllers shall limit the collection of personal data to the extent reasonably necessary. Controllers must disclose to the consumer the types of data being collected and obtain consent from the consumers regarding the collection of personal data and sensitive personal data processing. Controllers must securely store personal data of consumers through administrative, technical, and physical security practices. Controllers shall not discriminate against consumers that exercise consumer data rights as provided in the bill by denying a consumer goods or services, charging different prices, or providing lower quality goods with exceptions. Contract provisions that require consumers to waive rights defined by the bill will be considered void and unenforceable.
   The bill provides that controllers give consumers reasonably accessible and clear privacy notices that inform consumers of the information regarding personal data transfer and purposes and the methods for consumers to exercise rights. The bill provides that controllers selling personal data to third parties or using targeted advertising must clearly disclose such activity and the right for the consumer to opt out of such sales or use. The bill requires a controller to create a method for private and secure processing of consumer requests.
   The bill requires processors and the assigns or subcontractors of processors to assist controllers in complying with duties created by the bill.
   The bill requires controllers to conduct assessments of processing activities regarding certain personal data. Data protection assessments shall consider benefits and risks regarding personal data processing to the controller, consumer, public, and other stakeholders among other factors identified by the bill. The bill provides that the attorney general may request an investigation and require that a controller disclose relevant data protection assessment information and analyze the provided information for compliance with duties described by the bill. Other data protection assessments a controller has conducted may suffice for purposes of the bill if the assessments are reasonably similar.
   The bill includes personal data processing exemptions, including pseudonymous data and de-identified data as defined by the bill. The bill requires that controllers in possession of de-identified data take measures to ensure that the data remains de-identified, publicly commit to a de-identified maintenance process, and require agents and assigns to adhere to provisions of the bill. The bill identifies exceptions where controllers or processors are not required to comply with a consumer rights request pursuant to the bill. The bill requires controllers disclosing pseudonymous or de-identified data to exercise reasonable oversight of contractual commitments regarding such data.
   The bill provides that the bill shall not restrict controller or processor abilities to improve business or function. Controllers or processors sharing personal data with third parties are not liable for the noncompliance of third parties if the controller or processor did not have personal knowledge of the violation or intent to commit a violation, nor is a third party liable for violations of a controller or processor. The bill provides that if a controller seeks certain exemptions, the controller bears the burden of demonstrating that the controller qualifies for the exemption and the exemption complies with the requirements in the bill.
   The bill shall not require a business, consumer, or other party to disclose trade secrets.
   The bill provides that the attorney general shall investigate controllers and processors upon reasonable cause for violations of provisions of the bill. The attorney general shall provide 30 days’ notice to a controller or processor including the reason for which the entity is subject to an investigation and permit the entity to cure the defect prior to filing a civil action. A controller or processor found to be in violation of provisions of the bill is subject to a civil penalty of up to $7,500 per violation. The attorney general shall recover reasonable expenses for expenses related to the investigation.
   The bill takes effect January 1, 2024.