House File 2506 - Introduced

A Bill For

An Act relating to consumer data protection, providing civil penalties, and including effective date provisions.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

Section 1.  NEW SECTION.  715D.1  Definitions.
As used in this chapter, unless the context otherwise requires:
1.  “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. For the purposes of this definition, “control” or “controlled” means:
  a.  Ownership of, or the power to vote, more than fifty percent of the outstanding shares of any class of voting security of a company.
  b.  Control in any manner over the election of a majority of the directors or of individuals exercising similar functions.
  c.  The power to exercise controlling influence over the management of a company.
2.  “Aggregate data” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer.
3.  “Authenticate” means verifying through reasonable means that a consumer, entitled to exercise their consumer rights in section 715D.3, is the same consumer exercising such consumer rights with respect to the personal data at issue.
4.  “Biometric data” means data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. “Biometric data” does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.
5.  “Child” means any natural person younger than thirteen years of age.
6.  “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. “Consent” may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.
7.  “Consumer” means a natural person who is a resident of the state acting only in an individual or household context and excluding a natural person acting in a commercial or employment context.
8.  “Controller” means a person that, alone or jointly with others, determines the purpose and means of processing personal data.
9.  “Covered entity” means the same as “covered entity” defined by HIPAA.
10.  “Decisions that produce legal or similarly significant effects concerning a consumer” means a decision made by a controller that results in the provision or denial by the controller of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water.
11.  “De-identified data” means data that cannot reasonably be linked to an identified or identifiable natural person.
12.  “Health care provider” means any of the following:
  a.  A general hospital, ordinary hospital, outpatient surgical hospital, nursing home, or certified nursing facility licensed or certified by the state.
  b.  A mental or psychiatric hospital licensed by the state.
  c.  A hospital operated by the state.
  d.  A hospital operated by universities within the state.
  e.  A person licensed to practice medicine or osteopathy in the state.
  f.  A person licensed to furnish health care policies or plans in the state.
  g.  A person licensed to practice dentistry in the state.
  h.  “Health care provider” does not include a continuing care retirement community or any nursing care facility of a religious body which depends upon prayer alone for healing.
13.  “Health Insurance Portability and Accountability Act” or “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, including amendments thereto and regulations promulgated thereunder.
14.  “Health record” means any written, printed, or electronically recorded material maintained by a health care provider in the course of providing health services to an individual concerning the individual and the services provided, including related health information provided in confidence to a health care provider.
15.  “Identified or identifiable natural person” means a person who can be readily identified, directly or indirectly.
16.  “Institution of higher education” means nonprofit private institutions of higher education and proprietary private institutions of higher education in the state, community colleges, and each associate-degree-granting and baccalaureate public institutions of higher education in the state.
17.  “Nonprofit organization” means any corporation organized under chapter 504, any organization exempt from taxation under sections 501(c)(3), 501(c)(6), or 501(c)(12) of the Internal Revenue Code, and any subsidiaries and affiliates of entities organized pursuant to chapter 499.
18.  “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person. “Personal data” does not include de-identified data or publicly available information.
19.  “Precise geolocation data” means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that identifies the specific location of a natural person with precision and accuracy within a radius of one thousand seven hundred fifty feet. “Precise geolocation data” does not include the content of communications, or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
20.  “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
21.  “Processor” means a person that processes personal data on behalf of a controller.
22.  “Profiling” means any form of solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
23.  “Protected health information” means the same as protected health information established by HIPAA.
24.  “Pseudonymous data” means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
25.  “Publicly available information” means information that is lawfully made available through federal, state, or local government records, or information that a business has reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.
26.  “Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party. “Sale of personal data” does not include:
  a.  The disclosure of personal data to a processor that processes the personal data on behalf of the controller.
  b.  The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer or a parent of a child.
  c.  The disclosure or transfer of personal data to an affiliate of the controller.
  d.  The disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience.
  e.  The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.
27.  “Sensitive data” means a category of personal data that includes the following:
  a.  Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
  b.  Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person.
  c.  The personal data collected from a known child.
  d.  Precise geolocation data.
28.  “Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests. “Targeted advertising” does not include the following:
  a.  Advertisements based on activities within a controller’s own or affiliated websites or online applications.
  b.  Advertisements based on the context of a consumer’s current search query, visit to a website, or online application.
  c.  Advertisements directed to a consumer in response to the consumer’s request for information or feedback.
  d.  Processing personal data solely for measuring or reporting advertising performance, reach, or frequency.
29.  “Third party” means a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller.
30.  “Trade secret” means information, including but not limited to a formula, pattern, compilation, program, device, method, technique, or process, that consists of the following:
  a.  Information that derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use.
  b.  Information that is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.

Sec. 2.  NEW SECTION.  715D.2  Scope and exemptions.
1.  This chapter applies to a person conducting business in the state or producing products or services that are targeted to residents of the state and that during a calendar year does either of the following:
  a.  Controls or processes personal data of at least one hundred thousand consumers.
  b.  Controls or processes personal data of at least twenty-five thousand consumers and derives over fifty percent of gross revenue from the sale of personal data.
2.  This chapter shall not apply to the state or any political subdivision of the state, financial institutions or data subject to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et seq., covered entities or business associates governed by the privacy, security, and breach notification rules issued by the Iowa department of human services, the Iowa department of public health, 45 C.F.R. pts. 160 and 164 established pursuant to HIPAA, nonprofit organizations, or institutions of higher education.
3.  The following information and data is exempt from this chapter:
  a.  Protected health information under HIPAA.
  b.  Health records.
  c.  Patient identifying information for purposes of 42 U.S.C. §290dd-2.
  d.  Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. pt. 46.
  e.  Identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the international council for harmonisation of technical requirements for pharmaceuticals for human use.
  f.  The protection of human subjects under 21 C.F.R. pts. 6, 50, and 56.
  g.  Personal data used or shared in research conducted in accordance with the requirements set forth in this chapter, or other research conducted in accordance with applicable law.
  h.  Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 U.S.C. §11101 et seq.
  i.  Patient safety work product for purposes of the federal Patient Safety And Quality Improvement Act, 42 U.S.C. §299b-21 et seq.
  j.  Information derived from any of the health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA.
  k.  Information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as information exempt under this subsection that is maintained by a covered entity or business associate as defined by HIPAA or a program or a qualified service organization as defined by 42 U.S.C. §290dd-2.
  l.  Information used only for public health activities and purposes as authorized by HIPAA.
  m.  The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act, 15 U.S.C. §1681.
  n.  Personal data collected, processed, sold, or disclosed in compliance with the federal Driver’s Privacy Protection Act of 1994, 18 U.S.C. §2721 et seq.
  o.  Personal data regulated by the federal Family Educational Rights and Privacy Act, 20 U.S.C. §1232 et seq.
  p.  Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act, 12 U.S.C. §2001 et seq.
  q.  Data processed or maintained as follows:
    (1)  In the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role.
    (2)  As the emergency contact information of an individual under this chapter used for emergency contact purposes.
    (3)  That is necessary to retain to administer benefits for another individual relating to the individual under subparagraph (1) and used for the purposes of administering those benefits.
  r.  Personal data used in accordance with the federal Children’s Online Privacy Protection Act, 15 U.S.C. §6501 – 6506, and its rules, regulations, and exceptions thereto.

Sec. 3.  NEW SECTION.  715D.3  Consumer data rights.
1.  A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke. A known child’s parent or legal guardian may invoke such consumer rights on behalf of the known child regarding processing personal data belonging to the child. A controller shall comply with an authenticated consumer request to exercise all of the following:
  a.  To confirm whether a controller is processing the consumer’s personal data and to access such personal data.
  b.  To correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.
  c.  To delete personal data provided by or obtained about the consumer.
  d.  To obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
  e.  To opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
2.  Except as otherwise provided in this chapter, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to this section as follows:
  a.  A controller shall respond to the consumer without undue delay, but in all cases within forty-five days of receipt of a request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five additional days when reasonably necessary upon considering the complexity and number of the consumer’s requests by informing the consumer of any such extension within the initial forty-five-day response period, together with the reason for the extension.
  b.  If a controller declines to take action regarding the consumer’s request, the controller shall inform the consumer without undue delay of the justification for declining to take action and instructions for how to appeal the decision pursuant to this section.
  c.  Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If a request from a consumer is manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.
  d.  If a controller is unable to authenticate a request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer’s request.
3.  A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision pursuant to this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the controller shall also provide the consumer with an online mechanism through which the consumer may contact the attorney general to submit a complaint.

Sec. 4.  NEW SECTION.  715D.4  Data controller duties.
1.  A controller shall limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer. Except as otherwise provided in this chapter, a controller shall not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent. A controller shall adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue. A controller shall not process sensitive data without the consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children’s Online Privacy Protection Act, 15 U.S.C. §6501 et seq.
2.  A controller shall not process personal data in violation of state and federal laws that prohibit unlawful discrimination against a consumer. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this chapter shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised his right to opt out pursuant to section 715D.3 or the offer is related to a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.
3.  Any provision of a contract or agreement that purports to waive or limit in any way consumer rights pursuant to section 715D.3 shall be deemed contrary to public policy and shall be void and unenforceable.
4.  A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the following:
  a.  The categories of personal data processed by the controller.
  b.  The purpose for processing personal data.
  c.  How consumers may exercise their consumer rights pursuant to section 715D.3, including how a consumer may appeal a controller’s decision with regard to the consumer’s request.
  d.  The categories of personal data that the controller shares with third parties, if any.
  e.  The categories of third parties, if any, with whom the controller shares personal data.
5.  If a controller sells a consumer’s personal data to third parties or uses such personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such processing.
6.  A controller shall establish, and shall describe in a privacy notice, secure and reliable means for consumers to submit a request to exercise their consumer rights under this chapter. Such means shall consider the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests and the ability of the controller to authenticate the identity of the consumer making the request. A controller shall not require a consumer to create a new account in order to exercise consumer rights pursuant to section 715D.3, but may require a consumer to use an existing account.

Sec. 5.  NEW SECTION.  715D.5  Processor duties.
1.  A processor shall assist a controller in duties required under this chapter, taking into account the nature of processing and the information available to the processor by appropriate technical and organizational measures, insofar as is reasonably practicable, as follows:
  a.  To fulfill the controller’s obligation to respond to consumer rights requests pursuant to section 715D.3.
  b.  To meet the controller’s obligations in relation to the security of processing the personal data and in relation to the notification of a security breach of the processor pursuant to section 715C.2.
  c.  To provide necessary information to enable the controller to conduct and document data protection assessments pursuant to section 715D.6.
2.  A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties. The contract shall also include requirements that the processor shall do all of the following:
  a.  Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.
  b.  At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.
  c.  Upon the reasonable request of the controller, make available to the controller all information in the processor’s possession necessary to demonstrate the processor’s compliance with the obligations in this chapter.
  d.  Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor. The processor may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the obligations under this chapter using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request.
  e.  Engage any subcontractor or agent pursuant to a written contract in accordance with this section that requires the subcontractor to meet the duties of the processor with respect to the personal data.
3.  Nothing in this section shall be construed to relieve a controller or a processor from imposed liabilities by virtue of the controller or processor’s role in the processing relationship as defined by this chapter.
4.  Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains a processor.

Sec. 6.  NEW SECTION.  715D.6  Data protection assessments.
1.  A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal data:
  a.  The sale of personal data.
  b.  The processing of personal data for targeted advertising.
  c.  The processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of any of the following:
    (1)  Unfair or deceptive treatment of, or unlawful disparate impact on, consumers.
    (2)  Financial, physical, or reputational injury to consumers.
    (3)  A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person.
    (4)  Other substantial injury to consumers.
  d.  The processing of sensitive data.
  e.  Any processing activities involving personal data that present a heightened risk of harm to consumers.
2.  Data protection assessments conducted pursuant to subsection 1 shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller.
3.  The attorney general may request, pursuant to a civil investigative demand, that a controller disclose any data protection assessment that is relevant to an investigation conducted by the attorney general, and the controller shall make the data protection assessment available to the attorney general. The attorney general may evaluate the data protection assessment for compliance with the responsibilities set forth in section 715D.4. The controller shall make the data protection assessment available to the attorney general. Data protection assessments shall be confidential and exempt from public inspection and copying under section 22.1. The disclosure of a data protection assessment pursuant to a request from the attorney general shall not constitute a waiver of attorney-client privilege or work product protection with respect to the data protection assessment and any information contained in the data protection assessment. The attorney general may evaluate the data protection assessment for compliance with the responsibilities set forth in section 715D.4.
4.  Data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may comply under this section if the assessments have a reasonably comparable scope and effect. A single data protection assessment may address a comparable set of processing operations that include similar activities. Data protection assessment requirements shall apply to processing activities created or generated after January 1, 2024, and are not retroactive.

Sec. 7.  NEW SECTION.  715D.7  Processing data — exemptions.
1.  A controller in possession of de-identified data shall comply with the following:
  a.  Take reasonable measures to ensure that the data cannot be associated with a natural person.
  b.  Publicly commit to maintaining and using de-identified data without attempting to re-identify the data.
  c.  Contractually obligate any recipients of the de-identified data to comply with all provisions of this chapter.
2.  Nothing in this chapter shall be construed to require the following:
  a.  A controller or processor to re-identify de-identified data or pseudonymous data.
  b.  Maintaining data in identifiable form.
  c.  Collecting, obtaining, retaining, or accessing any data or technology, in order to be capable of associating an authenticated consumer request with personal data.
3.  Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated consumer rights request, pursuant to section 715D.3, if all of the following are true:
  a.  The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data.
  b.  The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer.
  c.  The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this chapter.
4.  Consumer rights contained in sections 715D.3 and 715D.4 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information.
5.  Controllers that disclose pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.
   Sec. 8.  NEW SECTION.  715D.8  Limitations.
   1.  Nothing in this chapter shall be construed to restrict a controller’s or processor’s ability to do the following:
   a.  Comply with federal, state, or local laws, rules, or regulations.
   b.  Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities.
   c.  Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations.
   d.  Investigate, establish, exercise, prepare for, or defend legal claims.
   e.  Provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer prior to entering into a contract.
   f.  Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis.
   g.  Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity.
   h.  Preserve the integrity or security of systems.
   i.  Investigate, report, or prosecute those responsible for any such action.
   j.  Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine the following:
   (1)  If the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller.
   (2)  The expected benefits of the research outweigh the privacy risks.
   (3)  If the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification.
   k.  Assist another controller, processor, or third party with any of the obligations under this subsection.
   2.  The obligations imposed on a controller or processor under this chapter shall not restrict a controller’s or processor’s ability to collect, use, or retain data as follows:
   a.  To conduct internal research to develop, improve, or repair products, services, or technology.
   b.  To effectuate a product recall.
   c.  To identify and repair technical errors that impair existing or intended functionality.
   d.  To perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer’s existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.
   3.  The obligations imposed on controllers or processors under this chapter shall not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under the laws of the state. Nothing in this chapter shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of the state as part of a privileged communication.
   4.  A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of this chapter, is not in violation of this chapter if the third-party controller or processor that receives and processes such personal data is in violation of this chapter, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is likewise not in violation of this chapter for the offenses of the controller or processor from which it receives such personal data.
   5.  Nothing in this chapter shall be construed as an obligation imposed on a controller or a processor that adversely affects the rights or freedoms of any persons, such as exercising the right of free speech pursuant to the First Amendment to the United States Constitution, or applies to the processing of personal data by a person in the course of a purely personal or household activity.
   6.  Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by this chapter. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is as follows:
   a.  Reasonably necessary and proportionate to the purposes listed in this section.
   b.  Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section.
   Personal data collected, used, or retained pursuant to this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. Such data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to such collection, use, or retention of personal data.
   7.  If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in subsection 6.
   8.  Processing personal data for the purposes expressly identified in subsection 1 shall not solely make an entity a controller with respect to such processing.
   9.  This chapter shall not require a controller, processor, third party, or consumer to disclose trade secrets.
   Sec. 9.  NEW SECTION.  715D.9  Enforcement — penalties.
   1.  The attorney general shall have exclusive authority to enforce the provisions of this chapter. Whenever the attorney general has reasonable cause to believe that any person has engaged in, is engaging in, or is about to engage in any violation of this chapter, the attorney general is empowered to issue a civil investigative demand.
   2.  Prior to initiating any action under this chapter, the attorney general shall provide a controller or processor thirty days’ written notice identifying the specific provisions of this chapter the attorney general alleges have been or are being violated. If within the thirty-day period, the controller or processor cures the noticed violation and provides the attorney general an express written statement that the alleged violations have been cured and that no further such violations shall occur, no action shall be initiated against the controller or processor.
   3.  If a controller or processor continues to violate this chapter following the cure period in subsection 2 or breaches an express written statement provided to the attorney general under that subsection, the attorney general may initiate an action in the name of the state and may seek an injunction to restrain any violations of this chapter and civil penalties of up to seven thousand five hundred dollars for each violation under this chapter. Any moneys collected under this section including civil penalties, costs, attorneys fees, or amounts which are specifically directed shall be paid into the consumer education and litigation fund established under section 714.16C.
   4.  The attorney general may recover reasonable expenses incurred in investigating and preparing the case, including attorney fees, in any action initiated under this chapter.
   5.  Nothing in this chapter shall be construed as providing the basis for, or be subject to, a private right of action for violations of this chapter or under any other law.
   Sec. 10.  EFFECTIVE DATE.  This Act takes effect January 1, 2024.
EXPLANATION
The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.
   This bill relates to consumer data protection.
   The bill contains several definitions. The bill defines “controller” to mean a person that, alone or jointly with others, determines the purpose and means of processing personal data. The bill defines “identified or identifiable natural person” to mean a person who can be readily identified, directly or indirectly. The bill defines “personal data” to mean any information that is linked or reasonably linkable to an identified or identifiable natural person, but does not include de-identified data or publicly available information. The bill defines “process” or “processing” to mean any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. The bill defines “processor” to mean a person that processes personal data on behalf of a controller. The bill defines “pseudonymous data” to mean personal data that cannot be attributed to a specific natural person without the use of additional information. The bill defines “publicly available information” to mean information that is lawfully made available to the general public through certain records or information that a business has reasonable basis to believe is lawfully made available under certain conditions. The bill defines “targeted advertising” to mean displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests, with exceptions. The bill defines “third party” to mean a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller. The bill contains other defined terms.
   The bill provides that persons conducting business in the state or producing products or services targeted to Iowans that annually control or process personal data of over 99,999 consumers or control or process personal data of 25,000 consumers with 50 percent of gross revenue derived from the sale of the personal data shall be subject to the provisions of the bill. The state and political subdivisions of the state, financial institutions or data subject to the Gramm-Leach-Bliley Act of 1999, certain organizations governed by rules by the department of human services, the department of health, certain federal governance laws and the federal Health Insurance Portability and Accountability Act, nonprofit organizations, higher learning institutions, and certain protected information and personal data collected under state or federal laws are exempt from provisions in the bill.
   The bill provides consumers have personal data rights that may be invoked at any time. Consumers or the parent of a child may submit a request to a controller for a copy of the controller’s information relating to personal data. The controller shall comply with such requests to confirm or deny whether the controller is processing the personal data, to delete or correct inaccuracies in personal data, to provide the consumer with a copy of their personal data, and to remove the consumer or child from personal data processing.
   The bill requires that controllers provide responses to defined personal data requests within 45 days of a consumer initiating a request. Responses to personal data requests shall be provided to a consumer free of charge up to twice per year except where requests are overly burdensome or manifestly unfounded. A business may extend the deadline for good cause, including complexity, once by up to 45 days after informing the consumer of the reason for the extension. The bill provides that controllers are not required to comply with requests where a controller is unable through commercially reasonable efforts to verify the identity of the consumer submitting the request. The bill requires that controllers permit consumers to access an appeals process and provide consumers with information regarding the appeals process in situations where a consumer’s request is denied.
   The bill provides that controllers shall limit the collection of personal data to the extent reasonably necessary. Controllers must disclose to the consumer the types of data being collected and obtain consent from the consumers regarding the collection of personal data and sensitive personal data processing. Controllers must securely store personal data of consumers through administrative, technical, and physical security practices. Controllers shall not discriminate against consumers that exercise consumer data rights as provided in the bill by denying a consumer goods or services, charging different prices, or providing lower quality goods, with exceptions. Contract provisions that require consumers to waive rights defined by the bill will be considered void and unenforceable.
   The bill provides that controllers give consumers reasonably accessible and clear privacy notices that inform consumers of the information regarding personal data transfer and purposes and the methods for consumers to exercise rights. The bill provides that controllers selling personal data to third parties or using targeted advertising must clearly disclose such activity and the right for the consumer to opt out of such sales or use. The bill requires a controller to create a method for private and secure processing of consumer requests.
   The bill requires processors and the assigns or subcontractors of processors to assist controllers in complying with duties created by the bill.
   The bill requires controllers to conduct assessments of processing activities regarding certain personal data. Data protection assessments shall consider benefits and risks regarding personal data processing to the controller, consumer, public, and other stakeholders, among other factors identified by the bill. The bill provides that the attorney general may request an investigation and require that a controller disclose relevant data protection assessment information and analyze the provided information for compliance with duties described by the bill. Other data protection assessments a controller has conducted may suffice for purposes of the bill if the assessments are reasonably similar.
   The bill includes personal data processing exemptions, including pseudonymous data and de-identified data as defined by the bill. The bill requires that controllers in possession of de-identified data take measures to ensure that the data remains de-identified, publicly commit to a de-identified maintenance process, and require agents and assigns to adhere to provisions of the bill. The bill identifies exceptions where controllers or processors are not required to comply with a consumer rights request pursuant to the bill. The bill requires controllers disclosing pseudonymous or de-identified data to exercise reasonable oversight of contractual commitments regarding such data.
   The bill provides that the bill shall not restrict controller or processor abilities to improve business or function. Controllers or processors sharing personal data with third parties are not liable for the noncompliance of third parties if the controller or processor did not have personal knowledge of the violation or intent to commit a violation, nor is a third party liable for violations of a controller or processor. The bill provides that if a controller seeks certain exemptions, the controller bears the burden of demonstrating that the controller qualifies for the exemption and the exemption complies with the requirements in the bill.
   The bill shall not require a business, consumer, or other party to disclose trade secrets.
   The bill provides that the attorney general shall investigate controllers and processors upon reasonable cause for violations of provisions of the bill. The attorney general shall provide 30 days’ notice to a controller or processor including the reason for which the entity is subject to an investigation and permit the entity to cure the defect prior to filing a civil action. A controller or processor found to be in violation of provisions of the bill is subject to a civil penalty of up to $7,500 per violation. Moneys collected by the attorney general under the bill shall be paid into the consumer education and litigation fund established under Code section 714.16C. The attorney general shall recover reasonable expenses related to the investigation.
   The bill takes effect January 1, 2024.