Senate File 2208 - Introduced

A Bill For

An Act relating to consumer data protection, making penalties applicable, and including effective date provisions.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

Section 1.  NEW SECTION.  715D.1  Definitions.

As used in this chapter, unless the context otherwise requires:

1.  “Aggregate data” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer.

2.  “Authenticate” means verifying through reasonable means that a consumer, entitled to exercise their consumer rights in section 715D.3, is the same consumer exercising such consumer rights with respect to the personal data at issue.

3.  “Biometric data” means data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. “Biometric data” does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.

4.  “Child” means any natural person younger than thirteen years of age.

5.  “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. “Consent” may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

6.  “Controller” means the person that, alone or jointly with others, determines the purpose and means of processing personal data.

7.  “De-identified data” means data that cannot reasonably be linked to an identified or identifiable natural person.

8.  “Health Insurance Portability and Accountability Act” or “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, including amendments thereto and regulations promulgated thereunder.

9.  “Precise geolocation data” means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that identifies the specific location of a natural person with precision and accuracy within a radius of one thousand seven hundred fifty feet. “Precise geolocation data” does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

10.  “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

11.  “Processor” means a person that processes personal data on behalf of a controller.

12.  “Profiling” means any form of solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

13.  “Pseudonymous data” means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

14.  “Sale of personal data” means the exchange of personal data for monetary consideration by the controller to a third party. “Sale of personal data” does not include:

a.  The disclosure of personal data to a processor that processes the personal data on behalf of the controller.

b.  The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer or a parent of a child.

c.  The disclosure or transfer of personal data to an affiliate of the controller.

d.  The disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience.

e.  The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

15.  “Sensitive data” means a category of personal data that includes:

a.  Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.

b.  Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person.

c.  The personal data collected from a child.

d.  Precise geolocation data.

16.  “Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests. “Targeted advertising” does not include:

a.  Advertisements based on activities within a controller’s own or affiliated websites or online applications.

b.  Advertisements based on the context of a consumer’s current search query, visit to a website, or online application.

c.  Advertisements directed to a consumer in response to the consumer’s request for information or feedback.

d.  Processing personal data solely for measuring or reporting advertising performance, reach, or frequency.

17.  “Trade secret” means information, including but not limited to a formula, pattern, compilation, program, device, method, technique, or process, that:

a.  Derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use.

b.  Is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.
Sec. 2.  NEW SECTION.  715D.2  Scope and exemptions.

1.  This chapter applies to persons conducting business in the state or producing products or services that are targeted to residents of the state and that during a calendar year either:

a.  Control or process personal data of at least one hundred thousand consumers.

b.  Control or process personal data of at least twenty-five thousand consumers and derive over fifty percent of gross revenue from the sale of personal data.

2.  This chapter shall not apply to the state or any political subdivision of the state, financial institutions or data subject to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et seq., covered entities or business associates governed by the privacy, security, and breach notification rules issued by the department of human services, the department of health, 45 C.F.R. pts. 160 and 164 established pursuant to HIPAA, nonprofit organizations, or institutions of higher education.

3.  Protected information and personal data collected under state or federal law, including but not limited to data protected under HIPAA; the federal Fair Credit Reporting Act, 15 U.S.C. §1681 et seq.; confidential records protected under 42 U.S.C. §290dd-2; in the course of employment or application for employment; emergency contact information for employees; and for purposes of the protection of natural persons under 45 C.F.R. pt. 46; are exempt from requirements in this chapter.
Sec. 3.  NEW SECTION.  715D.3  Consumer data rights.

1.  A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke. A child’s parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the child. A controller shall comply with an authenticated consumer request to exercise all of the following:

a.  To confirm whether a controller is processing the consumer’s personal data and to access such personal data.

b.  To correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.

c.  To delete personal data provided by or obtained about the consumer.

d.  To obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.

e.  To opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

2.  Except as otherwise provided in this chapter, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to this section as follows:

a.  A controller shall respond to the consumer without undue delay, but in all cases within forty-five days of receipt of a request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five additional days when reasonably necessary upon considering the complexity and number of the consumer’s requests by informing the consumer of any such extension within the initial forty-five-day response period, together with the reason for the extension.

b.  If a controller declines to take action regarding the consumer’s request, the controller shall inform the consumer without undue delay of the justification for declining to take action and instructions for how to appeal the decision pursuant to this section.

c.  Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.

d.  If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer’s request.

3.  A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision pursuant to this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism through which the consumer may contact the attorney general to submit a complaint.
Sec. 4.  NEW SECTION.  715D.4  Data controller duties.

1.  A controller shall limit the collection of personal data to what is reasonably necessary in relation to the purposes for which such data is processed and disclose the collection of the data to the consumer and obtain consent from the consumer for the data collection. A controller shall adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. A controller shall not process sensitive data without the consumer’s consent.

2.  A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer.

3.  Any provision of a contract or agreement that purports to waive or limit in any way consumer rights pursuant to section 715E.3 shall be deemed contrary to public policy and shall be void and unenforceable.

4.  A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

a.  The categories of personal data processed by the controller.

b.  The purpose for processing personal data.

c.  How consumers may exercise their consumer rights pursuant to section 715D.3, including how a consumer may appeal a controller’s decision with regard to the consumer’s request.

d.  The categories of personal data that the controller shares with third parties, if any.

e.  The categories of third parties, if any, with whom the controller shares personal data.

5.  If a controller sells a consumer’s personal data to third parties or uses such personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such sales or use.

6.  A controller shall establish, and shall describe in a privacy notice, secure and reliable means for consumers to submit a request to exercise their consumer rights under this chapter. Such means shall consider the need for secure and reliable communication of such requests and the ability of the controller to authenticate the identity of the consumer making the request. A controller shall not require a consumer to create a new account in order to exercise consumer rights pursuant to section 715D.3.
Sec. 5.  NEW SECTION.  715D.5  Processor duties.

1.  A processor shall assist a controller in duties required under this chapter.

2.  A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties. The contract shall also include requirements that the processor shall do all of the following:

a.  Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.

b.  At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.

c.  Upon the reasonable request of the controller, make available to the controller all information in the processor’s possession necessary to demonstrate the processor’s compliance with the duties in this chapter.

d.  Cooperate with reasonable assessments by the controller, the controller’s designated assessor, or qualified and independent third-party assessor as chosen by the processor that will provide a report of such assessment to the controller upon request.

e.  Engage any subcontractor or agent pursuant to a written contract in accordance with this section that requires the subcontractor to meet the duties of the processor with respect to the personal data.
Sec. 6.  NEW SECTION.  715D.6  Data protection assessments.

1.  A controller shall conduct and document a data protection assessment regarding processing activities involving personal data, including but not limited to the sale of personal data, the use of personal data for targeted advertising, and processing that results in a reasonably foreseeable risk of unfair discrimination, injury, or intrusions to a consumer’s expectation of privacy.

2.  Data protection assessments conducted pursuant to subsection 1 shall identify and evaluate benefits and risks regarding data processing, the controller, the consumer, other stakeholders, and the public. Safeguards used by the controller and processor may be considered. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller.

3.  The attorney general may request, pursuant to a consumer complaint, that a controller disclose relevant data protection assessment information during an investigation conducted by the attorney general under section 714.16. The controller shall make the data protection assessment available to the attorney general. The attorney general may evaluate the data protection assessment for compliance with the responsibilities set forth in section 715D.4. Pursuant to section 714.16, subsection 7, the attorney general may seek and obtain an order that a party held in violation of this section pay damages to the attorney general on behalf of a person injured by the violation.

4.  Data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may comply under this section if the assessments have a reasonably comparable scope and effect.
Sec. 7.  NEW SECTION.  715D.7  Processing data — exemptions.

1.  A controller in possession of de-identified data shall comply with the following:

a.  Take reasonable measures to ensure that the data cannot be associated with a natural person.

b.  Publicly commit to maintaining and using de-identified data without attempting to re-identify the data.

c.  Contractually obligate any recipients of the de-identified data to comply with all provisions of this chapter.

2.  Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated consumer rights request, pursuant to section 715D.3, if all of the following are true:

a.  The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data.

b.  The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer.

c.  The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this chapter.

3.  Consumer rights contained in sections 715D.3 and 715D.4 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information.

4.  Controllers that disclose pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.
Sec. 8.  NEW SECTION.  715D.8  Limitations.

1.  The duties imposed on a controller or processor under this chapter shall not restrict a controller’s or processor’s ability beyond the extent reasonably necessary to improve essential internal processes; collect, use, or retain data to conduct internal research to develop, improve, or repair products, services, or technology; effectuate a product recall; or identify and repair technical errors that impair existing or intended functionality.

2.  A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of this chapter, is not in violation of this chapter if the third-party controller or processor that receives and processes such personal data is in violation of this chapter, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is likewise not in violation of this chapter for the offenses of the controller or processor from which it receives such personal data.

3.  If a controller processes personal data pursuant to an exemption, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in this chapter.

4.  This chapter shall not require a controller, processor, third party, or consumer to disclose trade secrets.
Sec. 9.  Section 714.16, subsection 2, Code 2022, is amended by adding the following new paragraph:

NEW PARAGRAPH.  q.  It is an unlawful practice for a controller or processor of personal data to violate any of the provisions of chapter 715D.

Sec. 10.  EFFECTIVE DATE.  This Act takes effect January 1, 2024.
EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to consumer data protection.

The bill defines “controller” to mean a person that, alone or jointly with others, determines the purpose and means of processing personal data. The bill defines “process” or “processing” to mean any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. The bill defines “processor” to mean a person that processes personal data on behalf of a controller. The bill defines “pseudonymous data” to mean personal data that cannot be attributed to a specific natural person without the use of additional information. The bill defines “targeted advertising” to mean displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests, with exceptions.

The bill provides that persons conducting business in the state or producing products or services targeted to Iowans that annually control or process personal data of over 99,999 consumers or control or process personal data of 25,000 consumers with 50 percent of gross revenue from the sale of the personal data shall be subject to the provisions of the bill. The state and political subdivisions of the state, financial institutions or data subject to the Gramm-Leach-Bliley Act of 1999, certain organizations governed by rules by the department of human services, the department of health, certain federal governance laws and HIPAA, nonprofit organizations, higher learning institutions, and certain protected information and personal data collected under state or federal laws are exempt from provisions in the bill.

The bill provides consumers have personal data rights that may be invoked at any time. Consumers or the parent of a child may submit a request to a controller for a copy of the controller’s information relating to personal data. The controller shall comply with such requests to confirm or deny whether the controller is processing the personal data, to delete or correct inaccuracies in personal data, to provide the consumer with a copy of their personal data, and to remove the consumer or child from personal data processing.

The bill requires that controllers provide responses to defined personal data requests within 45 days of a consumer initiating a request. Responses to personal data requests shall be provided to a consumer free of charge up to twice per year except where requests are overly burdensome or manifestly unfounded. A business may extend the deadline for good cause, including complexity, once by up to 45 days after informing the consumer of the reason for the extension. The bill provides that controllers are not required to comply with requests where a controller is unable through commercially reasonable efforts to verify the identity of the consumer submitting the request. The bill requires that controllers permit consumers to access an appeals process and provide consumers with information regarding the appeals process in situations where a consumer’s request is denied.

The bill provides that controllers shall limit the collection of personal data to the extent reasonably necessary. Controllers must disclose to the consumer the types of data being collected and obtain consent from the consumers regarding the collection of personal data and sensitive personal data processing. Controllers must securely store personal data of consumers through administrative, technical, and physical security practices. Controllers shall not discriminate against consumers that exercise consumer data rights as provided in the bill by denying a consumer goods or services, charging different prices, or providing lower quality goods. Contract provisions that require consumers to waive rights defined by the bill will be considered void and unenforceable.

The bill provides that controllers give consumers reasonably accessible and clear privacy notices that inform consumers of the information regarding personal data transfer and purposes and the methods for consumers to exercise rights. The bill provides that controllers selling personal data to third parties or using targeted advertising must clearly disclose such activity and the right for the consumer to opt out of such sales or use. The bill requires a controller to create a method for private and secure processing of consumer requests.

The bill requires processors and the assigns or subcontractors of processors to assist controllers in complying with duties created by the bill.

The bill requires controllers to conduct assessments of processing activities regarding personal data. Data protection assessments shall consider benefits and risks regarding personal data processing to the controller, consumer, public, and other stakeholders among other factors identified by the bill. The bill provides that the attorney general may request, pursuant to a consumer complaint, an investigation pursuant to Code section 714.16 and require that a controller disclose relevant data protection assessment information and analyze the provided information for compliance with duties described by the bill. Other data protection assessments a controller has conducted may suffice for purposes of the bill if the assessments are reasonably similar.

The bill includes personal data processing exemptions, including pseudonymous data and de-identified data as defined by the bill. The bill requires that controllers in possession of de-identified data take measures to ensure that the data remains de-identified, publicly commit to a de-identified maintenance process, and require agents and assigns to adhere to provisions of the bill. The bill identifies exceptions where controllers or processors are not required to comply with a consumer rights request pursuant to the bill. The bill requires controllers disclosing pseudonymous or de-identified data to exercise reasonable oversight, security, and breach mitigation measures.

The bill provides that the bill shall not, beyond the degree reasonably necessary, restrict controller or processor abilities to improve business or function. Controllers or processors sharing personal data with third parties are not liable for the noncompliance of third parties if the controller or processor did not have personal knowledge of the violation or intent to commit a violation, nor is a third party liable for violations of a controller or processor. The bill provides that if a controller seeks an exemption, the controller bears the burden of demonstrating that the controller qualifies for the exemption and the exemption complies with the requirements in the bill.

The bill shall not require a business, consumer, or other party to disclose trade secrets.

A violation of the bill’s provisions constitutes an unlawful practice under Code section 714.16 (consumer frauds). Several types of remedies are available if a court finds that a person has committed an unlawful practice, including injunctive relief, disgorgement of moneys or property, and a civil penalty not to exceed $40,000 per violation.

The bill takes effect January 1, 2024.