House File 2506 - Reprinted
A Bill For
An Act relating to consumer data protection, providing civil penalties, and including effective date provisions.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
   Section 1.  NEW SECTION.  715D.1  Definitions.
   As used in this chapter, unless the context otherwise requires:
   1.  “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. For the purposes of this definition, “control” or “controlled” means:
   a.  Ownership of, or the power to vote, more than fifty percent of the outstanding shares of any class of voting security of a company.
   b.  Control in any manner over the election of a majority of the directors or of individuals exercising similar functions.
   c.  The power to exercise controlling influence over the management of a company.
   2.  “Aggregate data” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer.
   3.  “Authenticate” means verifying through reasonable means that a consumer, entitled to exercise their consumer rights in section 715D.3, is the same consumer exercising such consumer rights with respect to the personal data at issue.
   4.  “Biometric data” means data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. “Biometric data” does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.
   5.  “Child” means any natural person younger than thirteen years of age.
   6.  “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. “Consent” may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.
   7.  “Consumer” means a natural person who is a resident of the state acting only in an individual or household context and excluding a natural person acting in a commercial or employment context.
   8.  “Controller” means a person that, alone or jointly with others, determines the purpose and means of processing personal data.
   9.  “Covered entity” means the same as “covered entity” defined by HIPAA.
   10.  “De-identified data” means data that cannot reasonably be linked to an identified or identifiable natural person.
   11.  “Fund” means the consumer education and litigation fund established pursuant to section 714.16C.
   12.  “Health care provider” means any of the following:
   a.  A general hospital, ambulatory surgical or treatment center, skilled nursing center, or assisted living center licensed or certified by the state.
   b.  A psychiatric hospital licensed by the state.
   c.  A hospital operated by the state.
   d.  A hospital operated by the state board of regents.
   e.  A person licensed to practice medicine or osteopathy in the state.
   f.  A person licensed to furnish health care policies or plans in the state.
   g.  A person licensed to practice dentistry in the state.
   h.  “Health care provider” does not include a continuing care retirement community or any nursing facility of a religious body which depends upon prayer alone for healing.
   13.  “Health Insurance Portability and Accountability Act” or “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, including amendments thereto and regulations promulgated thereunder.
   14.  “Health record” means any written, printed, or electronically recorded material maintained by a health care provider in the course of providing health services to an individual concerning the individual and the services provided, including related health information provided in confidence to a health care provider.
   15.  “Identified or identifiable natural person” means a person who can be readily identified, directly or indirectly.
   16.  “Institution of higher education” means nonprofit private institutions of higher education and proprietary private institutions of higher education in the state, community colleges, and each associate-degree-granting and baccalaureate public institutions of higher education in the state.
   17.  “Nonprofit organization” means any corporation organized under chapter 504, any organization exempt from taxation under sections 501(c)(3), 501(c)(6), or 501(c)(12) of the Internal Revenue Code, any organization exempt from taxation under section 501(c)(4) of the Internal Revenue Code that is established to detect or prevent insurance-related crime or fraud, and any subsidiaries and affiliates of entities organized pursuant to chapter 499.
   18.  “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person. “Personal data” does not include de-identified or aggregate data or publicly available information.
   19.  “Precise geolocation data” means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that identifies the specific location of a natural person with precision and accuracy within a radius of one thousand seven hundred fifty feet. “Precise geolocation data” does not include the content of communications, or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
   20.  “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
   21.  “Processor” means a person that processes personal data on behalf of a controller.
   22.  “Protected health information” means the same as protected health information established by HIPAA.
   23.  “Pseudonymous data” means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
   24.  “Publicly available information” means information that is lawfully made available through federal, state, or local government records, or information that a business has reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.
   25.  “Sale of personal data” means the exchange of personal data for monetary consideration by the controller to a third party. “Sale of personal data” does not include:
   a.  The disclosure of personal data to a processor that processes the personal data on behalf of the controller.
   b.  The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer or a parent of a child.
   c.  The disclosure or transfer of personal data to an affiliate of the controller.
   d.  The disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience.
   e.  The disclosure or transfer of personal data when a consumer uses or directs a controller to intentionally disclose personal data or intentionally interact with one or more third parties.
   f.  The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.
   26.  “Sensitive data” means a category of personal data that includes the following:
   a.  Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, except to the extent such data is used in order to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law.
   b.  Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person.
   c.  The personal data collected from a known child.
   d.  Precise geolocation data.
   27.  “State agency” means the same as defined in 129 IAC 10.2(8B).
   28.  “Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests. “Targeted advertising” does not include the following:
   a.  Advertisements based on activities within a controller’s own or affiliated websites or online applications.
   b.  Advertisements based on the context of a consumer’s current search query, visit to a website, or online application.
   c.  Advertisements directed to a consumer in response to the consumer’s request for information or feedback.
   d.  Processing personal data solely for measuring or reporting advertising performance, reach, or frequency.
   29.  “Third party” means a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller.
   30.  “Trade secret” means information, including but not limited to a formula, pattern, compilation, program, device, method, technique, or process, that consists of the following:
   a.  Information that derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use.
   b.  Information that is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.
   Sec. 2.  NEW SECTION.  715D.2  Scope and exemptions.
   1.  This chapter applies to a person conducting business in the state or producing products or services that are targeted to consumers who are residents of the state and that during a calendar year does either of the following:
   a.  Controls or processes personal data of at least one hundred thousand consumers.
   b.  Controls or processes personal data of at least twenty-five thousand consumers and derives over fifty percent of gross revenue from the sale of personal data.
   2.  This chapter shall not apply to the state or any political subdivision of the state; financial institutions, affiliates of financial institutions, or data subject to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et seq.; covered entities or business associates governed by the privacy, security, and breach notification rules issued by the Iowa department of human services and the Iowa department of public health; 45 C.F.R. pts. 160 and 164 established pursuant to HIPAA; nonprofit organizations; or institutions of higher education.
   3.  The following information and data is exempt from this chapter:
   a.  Protected health information under HIPAA.
   b.  Health records.
   c.  Patient identifying information for purposes of 42 U.S.C. §290dd-2.
   d.  Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. pt. 46.
   e.  Identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the international council for harmonization of technical requirements for pharmaceuticals for human use.
   f.  The protection of human subjects under 21 C.F.R. pts. 6, 50, and 56.
   g.  Personal data used or shared in research conducted in accordance with the requirements set forth in this chapter, or other research conducted in accordance with applicable law.
   h.  Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 U.S.C. §11101 et seq.
   i.  Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act, 42 U.S.C. §299b-21 et seq.
   j.  Information derived from any of the health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA.
   k.  Information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as information exempt under this subsection that is maintained by a covered entity or business associate as defined by HIPAA or a program or a qualified service organization as defined by 42 U.S.C. §290dd-2.
   l.  Information used only for public health activities and purposes as authorized by HIPAA.
   m.  The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act, 15 U.S.C. §1681 et seq.
   n.  Personal data collected, processed, sold, or disclosed in compliance with the federal Driver’s Privacy Protection Act of 1994, 18 U.S.C. §2721 et seq.
   o.  Personal data regulated by the federal Family Educational Rights and Privacy Act, 20 U.S.C. §1232 et seq.
   p.  Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act, 12 U.S.C., §2001 et seq.
   q.  Data processed or maintained as follows:
   (1)  In the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role.
   (2)  As the emergency contact information of an individual under this chapter used for emergency contact purposes.
   (3)  That is necessary to retain to administer benefits for another individual relating to the individual under subparagraph (1) and used for the purposes of administering those benefits.
   r.  Personal data used in accordance with the federal Children’s Online Privacy Protection Act, 15 U.S.C. §6501-6506, and its rules, regulations, and exceptions thereto.
   Sec. 3.  NEW SECTION.  715D.3  Consumer data rights.
   1.  A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to the controller, through the means specified by the controller pursuant to section 715D.4, subsection 6, specifying the consumer rights the consumer wishes to invoke. A known child’s parent or legal guardian may invoke such consumer rights on behalf of the known child regarding processing personal data belonging to the child. A controller shall comply with an authenticated consumer request to exercise all of the following:
   a.  To confirm whether a controller is processing the consumer’s personal data and to access such personal data.
   b.  To delete personal data provided by the consumer.
   c.  To obtain a copy of the consumer’s personal data, except as to personal data that is defined as “personal information” pursuant to section 715C.1 that is subject to security breach protection, that the consumer previously provided to the controller in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
   d.  To opt out of targeted advertising or the sale of personal data.
   2.  Except as otherwise provided in this chapter, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to this section as follows:
   a.  A controller shall respond to the consumer without undue delay, but in all cases within forty-five days of receipt of a request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five additional days when reasonably necessary upon considering the complexity and number of the consumer’s requests by informing the consumer of any such extension within the initial forty-five-day response period, together with the reason for the extension.
   b.  If a controller declines to take action regarding the consumer’s request, the controller shall inform the consumer without undue delay of the justification for declining to take action, except in the case of a suspected fraudulent request, in which case the controller may state that the controller was unable to authenticate the request. The controller shall also provide instructions for appealing the decision pursuant to subsection 3.
   c.  Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If a request from a consumer is manifestly unfounded, excessive, repetitive, technically unfeasible, or the controller reasonably believes that the primary purpose of the request is not to exercise a consumer right, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive, repetitive, or technically unfeasible nature of the request.
   d.  If a controller is unable to authenticate a request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer’s request.
   3.  A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision pursuant to this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the controller shall also provide the consumer with an online mechanism through which the consumer may contact the attorney general to submit a complaint.
   Sec. 4.  NEW SECTION.  715D.4  Data controller duties.
   1.  A controller shall adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue. A controller shall not process sensitive data concerning a consumer or a nonexempt purpose without the consumer having been presented with clear notice and an opportunity to opt out of such processing, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children’s Online Privacy Protection Act, 15 U.S.C. §6501 et seq.
   2.  A controller shall not process personal data in violation of state and federal laws that prohibit unlawful discrimination against a consumer. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this chapter shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the consumer’s right to opt out pursuant to section 715D.3 or the offer is related to a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.
   3.  Any provision of a contract or agreement that purports to waive or limit in any way consumer rights pursuant to section 715D.3 shall be deemed contrary to public policy and shall be void and unenforceable.
   4.  A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the following:
   a.  The categories of personal data processed by the controller.
   b.  The purpose for processing personal data.
   c.  How consumers may exercise their consumer rights pursuant to section 715D.3, including how a consumer may appeal a controller’s decision with regard to the consumer’s request.
   d.  The categories of personal data that the controller shares with third parties, if any.
   e.  The categories of third parties, if any, with whom the controller shares personal data.
   5.  If a controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.
   6.  A controller shall establish, and shall describe in a privacy notice, secure and reliable means for consumers to submit a request to exercise their consumer rights under this chapter. Such means shall consider the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. A controller shall not require a consumer to create a new account in order to exercise consumer rights pursuant to section 715D.3, but may require a consumer to use an existing account.
   Sec. 5.  NEW SECTION.  715D.5  Processor duties.
   1.  A processor shall assist a controller in duties required under this chapter, taking into account the nature of processing and the information available to the processor by appropriate technical and organizational measures, insofar as is reasonably practicable, as follows:
   a.  To fulfill the controller’s obligation to respond to consumer rights requests pursuant to section 715D.3.
   b.  To meet the controller’s obligations in relation to the security of processing the personal data and in relation to the notification of a security breach of the processor pursuant to section 715C.2.
   2.  A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties. The contract shall also include requirements that the processor shall do all of the following:
   a.  Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.
   b.  At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.
   c.  Upon the reasonable request of the controller, make available to the controller all information in the processor’s possession necessary to demonstrate the processor’s compliance with the obligations in this chapter.
   d.  Engage any subcontractor or agent pursuant to a written contract in accordance with this section that requires the subcontractor to meet the duties of the processor with respect to the personal data.
   3.  Nothing in this section shall be construed to relieve a controller or a processor from imposed liabilities by virtue of the controller or processor’s role in the processing relationship as defined by this chapter.
   4.  Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains a processor.
   Sec. 6.  NEW SECTION.  715D.6  Processing data — exemptions.
   1.  Nothing in this chapter shall be construed to require the following:
   a.  A controller or processor to re-identify de-identified data or pseudonymous data.
   b.  Maintaining data in identifiable form.
   c.  Collecting, obtaining, retaining, or accessing any data or technology, in order to be capable of associating an authenticated consumer request with personal data.
   2.  Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated consumer rights request, pursuant to section 715D.3, if all of the following apply:
   a.  The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data.
   b.  The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer.
   c.  The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this chapter.
   3.  Consumer rights contained in sections 715D.3 and 715D.4 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
   4.  Controllers that disclose pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.
   Sec. 7.  NEW SECTION.  715D.7  Limitations.
   1.  Nothing in this chapter shall be construed to restrict a controller’s or processor’s ability to do the following:
   a.  Comply with federal, state, or local laws, rules, or regulations.
   b.  Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities.
   c.  Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations.
   d.  Investigate, establish, exercise, prepare for, or defend legal claims.
   e.  Provide a product or service specifically requested by a consumer or parent or guardian of a child, perform a contract to which the consumer or parent or guardian of a child is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer or parent or guardian of a child prior to entering into a contract.
   f.  Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis.
   g.  Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity.
   h.  Preserve the integrity or security of systems.
   i.  Investigate, report, or prosecute those responsible for any such action.
   j.  Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine the following:
   (1)  If the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller.
   (2)  The expected benefits of the research outweigh the privacy risks.
   (3)  If the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification.
   k.  Assist another controller, processor, or third party with any of the obligations under this subsection.
   2.  The obligations imposed on a controller or processor under this chapter shall not restrict a controller’s or processor’s ability to collect, use, or retain data as follows:
   a.  To conduct internal research to develop, improve, or repair products, services, or technology.
   b.  To effectuate a product recall.
   c.  To identify and repair technical errors that impair existing or intended functionality.
   d.  To perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer’s existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or parent or guardian of a child or the performance of a contract to which the consumer or parent or guardian of a child is a party.
   3.  The obligations imposed on controllers or processors under this chapter shall not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under the laws of the state. Nothing in this chapter shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of the state as part of a privileged communication.
   4.  A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of this chapter, is not in violation of this chapter if the third-party controller or processor that receives and processes such personal data is in violation of this chapter, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is likewise not in violation of this chapter for the offenses of the controller or processor from which it receives such personal data.
   5.  Nothing in this chapter shall be construed as an obligation imposed on a controller or a processor that adversely affects the privacy or other rights or freedoms of any persons, such as exercising the right of free speech pursuant to the First Amendment to the United States Constitution, or applies to personal data by a person in the course of a purely personal or household activity.
   6.  Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by this chapter. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is as follows:
   a.  Reasonably necessary and proportionate to the purposes listed in this section.
   b.  Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section.
12Personal data collected, used, or retained pursuant to
13this section shall, where applicable, take into account
14the nature and purpose or purposes of such collection, use,
15or retention. Such data shall be subject to reasonable
16administrative, technical, and physical measures to protect the
17confidentiality, integrity, and accessibility of the personal
18data.
   197.  If a controller processes personal data pursuant to an
20exemption in this section, the controller bears the burden of
21demonstrating that such processing qualifies for the exemption
22and complies with the requirements in subsection 6.
   238.  Processing personal data for the purposes expressly
24identified in subsection 1 shall not in and of itself make an
25entity a controller with respect to such processing.
   269.  This chapter shall not require a controller, processor,
27third party, or consumer to disclose trade secrets.
28   Sec. 8.  NEW SECTION.  715D.8  Enforcement — penalties.
   291.  The attorney general shall have exclusive authority to
30enforce the provisions of this chapter. Whenever the attorney
31general has reasonable cause to believe that any person has
32engaged in, is engaging in, or is about to engage in any
33violation of this chapter, the attorney general is empowered to
34issue a civil investigative demand. The provisions of section
35685.6 shall apply to civil investigative demands issued under
-18-1this chapter.
   22.  Prior to initiating any action under this chapter,
3the attorney general shall provide a controller or processor
4thirty days’ written notice identifying the specific provisions
5of this chapter the attorney general alleges have been or
6are being violated. If within the thirty-day period, the
7controller or processor cures the noticed violation and
8provides the attorney general an express written statement that
9the alleged violations have been cured and that no further such
10violations shall occur, no action shall be initiated against
11the controller or processor.
   123.  If a controller or processor continues to violate this
13chapter following the cure period in subsection 2 or breaches
14an express written statement provided to the attorney general
15under that subsection, the attorney general may initiate an
16action in the name of the state and may seek an injunction to
17restrain any violations of this chapter and civil penalties of
18up to seven thousand five hundred dollars for each violation
19under this chapter. Any moneys collected under this section
20including civil penalties, costs, attorney fees, or amounts
21which are specifically directed shall be paid into the consumer
22education and litigation fund established under section
23714.16C.
   244.  The attorney general may recover reasonable expenses
25incurred in investigating and preparing the case, including
26attorney fees, in any action initiated under this chapter.
   275.  Nothing in this chapter shall be construed as providing
28the basis for, or be subject to, a private right of action for
29violations of this chapter or under any other law.
30   Sec. 9.  NEW SECTION.  715D.9  Preemption.
   311.  This chapter supersedes and preempts all rules,
32regulations, codes, ordinances, and other laws adopted by a
33city, county, municipality, or local agency regarding the
34processing of personal data by controllers or processors.
   352.  Any reference to federal, state, or local law or statute
-19-1in this chapter shall be deemed to include any accompanying
2rules or regulations or exemptions thereto, or in the case of a
3federal agency, guidance issued by such agency thereto.
4   Sec. 10.  EFFECTIVE DATE.  This Act takes effect January 1,
52024.