Senate Study Bill 1071 - Introduced

A Bill For

An Act relating to consumer data protection, providing civil penalties, and including effective date provisions.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
Section 1.  NEW SECTION.  715D.1  Definitions.

As used in this chapter, unless the context otherwise requires:

1.  “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. For the purposes of this definition, “control” or “controlled” means:
a.  Ownership of, or the power to vote, more than fifty percent of the outstanding shares of any class of voting security of a company.
b.  Control in any manner over the election of a majority of the directors or of individuals exercising similar functions.
c.  The power to exercise controlling influence over the management of a company.

2.  “Aggregate data” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer.

3.  “Authenticate” means verifying through reasonable means that a consumer, entitled to exercise their consumer rights in section 715D.3, is the same consumer exercising such consumer rights with respect to the personal data at issue.

4.  “Biometric data” means data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. “Biometric data” does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.

5.  “Child” means any natural person younger than thirteen years of age.

6.  “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. “Consent” may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

7.  “Consumer” means a natural person who is a resident of the state acting only in an individual or household context and excluding a natural person acting in a commercial or employment context.

8.  “Controller” means a person that, alone or jointly with others, determines the purpose and means of processing personal data.

9.  “Covered entity” means the same as “covered entity” defined by HIPAA.

10.  “De-identified data” means data that cannot reasonably be linked to an identified or identifiable natural person.

11.  “Fund” means the consumer education and litigation fund established pursuant to section 714.16C.

12.  “Health care provider” means any of the following:
a.  A general hospital, ambulatory surgical or treatment center, skilled nursing center, or assisted living center licensed or certified by the state.
b.  A psychiatric hospital licensed by the state.
c.  A hospital operated by the state.
d.  A hospital operated by the state board of regents.
e.  A person licensed to practice medicine or osteopathy in the state.
f.  A person licensed to furnish health care policies or plans in the state.
g.  A person licensed to practice dentistry in the state.
h.  “Health care provider” does not include a continuing care retirement community or any nursing facility of a religious body which depends upon prayer alone for healing.

13.  “Health Insurance Portability and Accountability Act” or “HIPAA” means the federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, including amendments thereto and regulations promulgated thereunder.

14.  “Health record” means any written, printed, or electronically recorded material maintained by a health care provider in the course of providing health services to an individual concerning the individual and the services provided, including related health information provided in confidence to a health care provider.

15.  “Identified or identifiable natural person” means a person who can be readily identified, directly or indirectly.

16.  “Institution of higher education” means nonprofit private institutions of higher education and proprietary private institutions of higher education in the state, community colleges, and each associate-degree-granting and baccalaureate public institutions of higher education in the state.

17.  “Nonprofit organization” means any corporation organized under chapter 504, any organization exempt from taxation under sections 501(c)(3), 501(c)(6), or 501(c)(12) of the Internal Revenue Code, any organization exempt from taxation under section 501(c)(4) of the Internal Revenue Code that is established to detect or prevent insurance-related crime or fraud, and any subsidiaries and affiliates of entities organized pursuant to chapter 499.

18.  “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person. “Personal data” does not include de-identified or aggregate data or publicly available information.

19.  “Precise geolocation data” means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that identifies the specific location of a natural person with precision and accuracy within a radius of one thousand seven hundred fifty feet. “Precise geolocation data” does not include the content of communications, or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

20.  “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

21.  “Processor” means a person that processes personal data on behalf of a controller.

22.  “Protected health information” means the same as protected health information established by HIPAA.

23.  “Pseudonymous data” means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

24.  “Publicly available information” means information that is lawfully made available through federal, state, or local government records, or information that a business has reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.

25.  “Sale of personal data” means the exchange of personal data for monetary consideration by the controller to a third party. “Sale of personal data” does not include:
a.  The disclosure of personal data to a processor that processes the personal data on behalf of the controller.
b.  The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer or a parent of a child.
c.  The disclosure or transfer of personal data to an affiliate of the controller.
d.  The disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience.
e.  The disclosure or transfer of personal data when a consumer uses or directs a controller to intentionally disclose personal data or intentionally interact with one or more third parties.
f.  The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

26.  “Sensitive data” means a category of personal data that includes the following:
a.  Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, except to the extent such data is used in order to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law.
b.  Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person.
c.  The personal data collected from a known child.
d.  Precise geolocation data.

27.  “State agency” means the same as defined in 129 IAC 10.2(8B).

28.  “Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests. “Targeted advertising” does not include the following:
a.  Advertisements based on activities within a controller’s own or affiliated websites or online applications.
b.  Advertisements based on the context of a consumer’s current search query, visit to a website, or online application.
c.  Advertisements directed to a consumer in response to the consumer’s request for information or feedback.
d.  Processing personal data solely for measuring or reporting advertising performance, reach, or frequency.

29.  “Third party” means a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller.

30.  “Trade secret” means information, including but not limited to a formula, pattern, compilation, program, device, method, technique, or process, that consists of the following:
a.  Information that derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use.
b.  Information that is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.
Sec. 2.  NEW SECTION.  715D.2  Scope and exemptions.

1.  This chapter applies to a person conducting business in the state or producing products or services that are targeted to consumers who are residents of the state and that during a calendar year does either of the following:
a.  Controls or processes personal data of at least one hundred thousand consumers.
b.  Controls or processes personal data of at least twenty-five thousand consumers and derives over fifty percent of gross revenue from the sale of personal data.

2.  This chapter shall not apply to the state or any political subdivision of the state; financial institutions, affiliates of financial institutions, or data subject to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et seq.; covered entities or business associates governed by the privacy, security, and breach notification rules issued by the Iowa department of health and human services; 45 C.F.R. pts. 160 and 164 established pursuant to HIPAA; nonprofit organizations; or institutions of higher education.

3.  The following information and data is exempt from this chapter:
a.  Protected health information under HIPAA.
b.  Health records.
c.  Patient identifying information for purposes of 42 U.S.C. §290dd-2.
d.  Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. pt. 46.
e.  Identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the international council for harmonization of technical requirements for pharmaceuticals for human use.
f.  The protection of human subjects under 21 C.F.R. pts. 6, 50, and 56.
g.  Personal data used or shared in research conducted in accordance with the requirements set forth in this chapter, or other research conducted in accordance with applicable law.
h.  Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 U.S.C. §11101 et seq.
i.  Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act, 42 U.S.C. §299b-21 et seq.
j.  Information derived from any of the health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA.
k.  Information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as information exempt under this subsection that is maintained by a covered entity or business associate as defined by HIPAA or a program or a qualified service organization as defined by 42 U.S.C. §290dd-2.
l.  Information used only for public health activities and purposes as authorized by HIPAA.
m.  The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act, 15 U.S.C. §1681 et seq.
n.  Personal data collected, processed, sold, or disclosed in compliance with the federal Driver’s Privacy Protection Act of 1994, 18 U.S.C. §2721 et seq.
o.  Personal data regulated by the federal Family Educational Rights and Privacy Act, 20 U.S.C. §1232 et seq.
p.  Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act, 12 U.S.C. §2001 et seq.
q.  Data processed or maintained as follows:
(1)  In the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role.
(2)  As the emergency contact information of an individual under this chapter used for emergency contact purposes.
(3)  That is necessary to retain to administer benefits for another individual relating to the individual under subparagraph (1) and used for the purposes of administering those benefits.
r.  Personal data used in accordance with the federal Children’s Online Privacy Protection Act, 15 U.S.C. §6501 – 6506, and its rules, regulations, and exceptions thereto.
Sec. 3.  NEW SECTION.  715D.3  Consumer data rights.

1.  A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to the controller, through the means specified by the controller pursuant to section 715D.4, subsection 6, specifying the consumer rights the consumer wishes to invoke. A known child’s parent or legal guardian may invoke such consumer rights on behalf of the known child regarding processing personal data belonging to the child. A controller shall comply with an authenticated consumer request to exercise all of the following:
a.  To confirm whether a controller is processing the consumer’s personal data and to access such personal data.
b.  To delete personal data provided by the consumer.
c.  To obtain a copy of the consumer’s personal data, except as to personal data that is defined as “personal information” pursuant to section 715C.1 that is subject to security breach protection, that the consumer previously provided to the controller in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
d.  To opt out of targeted advertising or the sale of personal data.

2.  Except as otherwise provided in this chapter, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to this section as follows:
a.  A controller shall respond to the consumer without undue delay, but in all cases within forty-five days of receipt of a request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five additional days when reasonably necessary upon considering the complexity and number of the consumer’s requests by informing the consumer of any such extension within the initial forty-five-day response period, together with the reason for the extension.
b.  If a controller declines to take action regarding the consumer’s request, the controller shall inform the consumer without undue delay of the justification for declining to take action, except in the case of a suspected fraudulent request, in which case the controller may state that the controller was unable to authenticate the request. The controller shall also provide instructions for appealing the decision pursuant to subsection 3.
c.  Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If a request from a consumer is manifestly unfounded, excessive, repetitive, technically unfeasible, or the controller reasonably believes that the primary purpose of the request is not to exercise a consumer right, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive, repetitive, or technically unfeasible nature of the request.
d.  If a controller is unable to authenticate a request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer’s request.

3.  A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision pursuant to this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the controller shall also provide the consumer with an online mechanism through which the consumer may contact the attorney general to submit a complaint.
Sec. 4.  NEW SECTION.  715D.4  Data controller duties.

1.  A controller shall adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue. A controller shall not process sensitive data concerning a consumer or a nonexempt purpose without the consumer having been presented with clear notice and an opportunity to opt out of such processing, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children’s Online Privacy Protection Act, 15 U.S.C. §6501 et seq.

2.  A controller shall not process personal data in violation of state and federal laws that prohibit unlawful discrimination against a consumer. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this chapter shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the consumer’s right to opt out pursuant to section 715D.3 or the offer is related to a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

3.  Any provision of a contract or agreement that purports to waive or limit in any way consumer rights pursuant to section 715D.3 shall be deemed contrary to public policy and shall be void and unenforceable.

4.  A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the following:
a.  The categories of personal data processed by the controller.
b.  The purpose for processing personal data.
c.  How consumers may exercise their consumer rights pursuant to section 715D.3, including how a consumer may appeal a controller’s decision with regard to the consumer’s request.
d.  The categories of personal data that the controller shares with third parties, if any.
e.  The categories of third parties, if any, with whom the controller shares personal data.

5.  If a controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.

6.  A controller shall establish, and shall describe in a privacy notice, secure and reliable means for consumers to submit a request to exercise their consumer rights under this chapter. Such means shall consider the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. A controller shall not require a consumer to create a new account in order to exercise consumer rights pursuant to section 715D.3, but may require a consumer to use an existing account.
Sec. 5.  NEW SECTION.  715D.5  Processor duties.

1.  A processor shall assist a controller in duties required under this chapter, taking into account the nature of processing and the information available to the processor by appropriate technical and organizational measures, insofar as is reasonably practicable, as follows:
a.  To fulfill the controller’s obligation to respond to consumer rights requests pursuant to section 715D.3.
b.  To meet the controller’s obligations in relation to the security of processing the personal data and in relation to the notification of a security breach of the processor pursuant to section 715C.2.

2.  A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties. The contract shall also include requirements that the processor shall do all of the following:
a.  Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.
b.  At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.
c.  Upon the reasonable request of the controller, make available to the controller all information in the processor’s possession necessary to demonstrate the processor’s compliance with the obligations in this chapter.
d.  Engage any subcontractor or agent pursuant to a written contract in accordance with this section that requires the subcontractor to meet the duties of the processor with respect to the personal data.

3.  Nothing in this section shall be construed to relieve a controller or a processor from imposed liabilities by virtue of the controller or processor’s role in the processing relationship as defined by this chapter.

4.  Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains a processor.
Sec. 6.  NEW SECTION.  715D.6  Processing data — exemptions.

1.  Nothing in this chapter shall be construed to require the following:
a.  A controller or processor to re-identify de-identified data or pseudonymous data.
b.  Maintaining data in identifiable form.
c.  Collecting, obtaining, retaining, or accessing any data or technology, in order to be capable of associating an authenticated consumer request with personal data.

2.  Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated consumer rights request, pursuant to section 715D.3, if all of the following apply:
a.  The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data.
b.  The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer.
c.  The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this chapter.

3.  Consumer rights contained in sections 715D.3 and 715D.4 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

4.  Controllers that disclose pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.
16   Sec. 7.  NEW SECTION.  715D.7  Limitations.
   171.  Nothing in this chapter shall be construed to restrict a
18controller’s or processor’s ability to do the following:
   19a.  Comply with federal, state, or local laws, rules, or
20regulations.
   21b.  Comply with a civil, criminal, or regulatory inquiry,
22investigation, subpoena, or summons by federal, state, local,
23or other governmental authorities.
   24c.  Cooperate with law enforcement agencies concerning
25conduct or activity that the controller or processor reasonably
26and in good faith believes may violate federal, state, or local
27laws, rules, or regulations.
   28d.  Investigate, establish, exercise, prepare for, or defend
29legal claims.
   30e.  Provide a product or service specifically requested by a
31consumer or parent or guardian of a child, perform a contract
32to which the consumer or parent or guardian of a child is a
33party, including fulfilling the terms of a written warranty, or
34take steps at the request of the consumer or parent or guardian
35of a child prior to entering into a contract.
-15-
   1f.  Take immediate steps to protect an interest that is
2essential for the life or physical safety of the consumer or
3of another natural person, and where the processing cannot be
4manifestly based on another legal basis.
   5g.  Prevent, detect, protect against, or respond to security
6incidents, identity theft, fraud, harassment, malicious or
7deceptive activities, or any illegal activity.
   8h.  Preserve the integrity or security of systems.
   9i.  Investigate, report, or prosecute those responsible for
10any such action.
   11j.  Engage in public or peer-reviewed scientific or
12statistical research in the public interest that adheres to
13all other applicable ethics and privacy laws and is approved,
14monitored, and governed by an institutional review board, or
15similar independent oversight entities that determine the
16following:
   17(1)  If the deletion of the information is likely to provide
18substantial benefits that do not exclusively accrue to the
19controller.
   20(2)  The expected benefits of the research outweigh the
21privacy risks.
   22(3)  If the controller has implemented reasonable safeguards
23to mitigate privacy risks associated with research, including
24any risks associated with re-identification.
   25k.  Assist another controller, processor, or third party with
26any of the obligations under this subsection.
   272.  The obligations imposed on a controller or processor
28under this chapter shall not restrict a controller’s or
29processor’s ability to collect, use, or retain data as follows:
   30a.  To conduct internal research to develop, improve, or
31repair products, services, or technology.
   32b.  To effectuate a product recall.
   33c.  To identify and repair technical errors that impair
34existing or intended functionality.
   35d.  To perform internal operations that are reasonably
-16-1aligned with the expectations of the consumer or reasonably
2anticipated based on the consumer’s existing relationship with
3the controller or are otherwise compatible with processing
4data in furtherance of the provision of a product or service
5specifically requested by a consumer or parent or guardian of a
6child or the performance of a contract to which the consumer or
7parent or guardian of a child is a party.
   3.  The obligations imposed on controllers or processors under this chapter shall not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under the laws of the state. Nothing in this chapter shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of the state as part of a privileged communication.
   4.  A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of this chapter, is not in violation of this chapter if the third-party controller or processor that receives and processes such personal data is in violation of this chapter, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is likewise not in violation of this chapter for the offenses of the controller or processor from which it receives such personal data.
   5.  Nothing in this chapter shall be construed as an obligation imposed on a controller or a processor that adversely affects the privacy or other rights or freedoms of any persons, such as exercising the right of free speech pursuant to the first amendment to the United States Constitution, or applies to personal data by a person in the course of a purely personal or household activity.
   6.  Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by this chapter. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is as follows:
   a.  Reasonably necessary and proportionate to the purposes listed in this section.
   b.  Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section.
   Personal data collected, used, or retained pursuant to this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. Such data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data.
   7.  If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in subsection 6.
   8.  Processing personal data for the purposes expressly identified in subsection 1 shall not in and of itself make an entity a controller with respect to such processing.
   9.  This chapter shall not require a controller, processor, third party, or consumer to disclose trade secrets.
   Sec. 8.  NEW SECTION.  715D.8  Enforcement — penalties.
   1.  The attorney general shall have exclusive authority to enforce the provisions of this chapter. Whenever the attorney general has reasonable cause to believe that any person has engaged in, is engaging in, or is about to engage in any violation of this chapter, the attorney general is empowered to issue a civil investigative demand. The provisions of section 685.6 shall apply to civil investigative demands issued under this chapter.
   2.  Prior to initiating any action under this chapter, the attorney general shall provide a controller or processor thirty days’ written notice identifying the specific provisions of this chapter the attorney general alleges have been or are being violated. If within the thirty-day period, the controller or processor cures the noticed violation and provides the attorney general an express written statement that the alleged violations have been cured and that no further such violations shall occur, no action shall be initiated against the controller or processor.
   3.  If a controller or processor continues to violate this chapter following the cure period in subsection 2 or breaches an express written statement provided to the attorney general under that subsection, the attorney general may initiate an action in the name of the state and may seek an injunction to restrain any violations of this chapter and civil penalties of up to seven thousand five hundred dollars for each violation under this chapter. Any moneys collected under this section including civil penalties, costs, attorney fees, or amounts which are specifically directed shall be paid into the consumer education and litigation fund established under section 714.16C.
   4.  The attorney general may recover reasonable expenses incurred in investigating and preparing the case, including attorney fees, in any action initiated under this chapter.
   5.  Nothing in this chapter shall be construed as providing the basis for, or be subject to, a private right of action for violations of this chapter or under any other law.
   Sec. 9.  NEW SECTION.  715D.9  Preemption.
   1.  This chapter supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, municipality, or local agency regarding the processing of personal data by controllers or processors.
   2.  Any reference to federal, state, or local law or statute in this chapter shall be deemed to include any accompanying rules or regulations or exemptions thereto, or in the case of a federal agency, guidance issued by such agency thereto.
   Sec. 10.  EFFECTIVE DATE.  This Act takes effect January 1, 2025.
EXPLANATION
The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.
   This bill relates to consumer data protection.
   The bill contains several definitions. The bill defines “controller” to mean a person that, alone or jointly with others, determines the purpose and means of processing personal data. The bill defines “identified or identifiable natural person” to mean a person who can be readily identified, directly or indirectly. The bill defines “personal data” to mean any information that is linked or reasonably linkable to an identified or identifiable natural person, but does not include de-identified data or publicly available information. The bill defines “process” or “processing” to mean any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. The bill defines “processor” to mean a person that processes personal data on behalf of a controller. The bill defines “pseudonymous data” to mean personal data that cannot be attributed to a specific natural person without the use of additional information. The bill defines “publicly available information” to mean information that is lawfully made available to the general public through certain records or information that a business has reasonable basis to believe is lawfully made available under certain conditions. The bill defines “targeted advertising” to mean displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests, with exceptions. The bill defines “third party” to mean a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller. The bill contains other defined terms.
   The bill provides that persons conducting business in the state or producing products or services targeted to Iowans that annually control or process personal data of over 99,999 consumers or control or process personal data of 25,000 consumers with 50 percent of gross revenue derived from the sale of the personal data shall be subject to the provisions of the bill. The state and political subdivisions of the state, financial institutions or data subject to the federal Gramm-Leach-Bliley Act of 1999, certain organizations governed by rules by the department of health and human services, certain federal governance laws and the federal Health Insurance Portability and Accountability Act, nonprofit organizations, higher learning institutions, and certain protected information and personal data collected under state or federal laws are exempt from provisions in the bill.
   The bill provides consumers have personal data rights that may be invoked at any time. Consumers or the parent of a child may submit a request to a controller for a copy of the controller’s information relating to personal data. The controller shall comply with such requests to confirm or deny whether the controller is processing the personal data, to provide the consumer with a copy of their personal data, and to remove the consumer or child from personal data processing.
   The bill requires that controllers provide responses to defined personal data requests within 45 days of a consumer initiating a request. Responses to personal data requests shall be provided to a consumer free of charge up to twice per year except where requests are overly burdensome or manifestly unfounded. A business may extend the deadline for good cause, including complexity, once by up to 45 days after informing the consumer of the reason for the extension. The bill provides that controllers are not required to comply with requests where a controller is unable through commercially reasonable efforts to verify the identity of the consumer submitting the request. The bill requires that controllers permit consumers to access an appeals process except in cases that are unable to be authenticated and provide consumers with information regarding the appeals process in situations where a consumer’s request is denied.
   The bill provides that controllers must disclose to the consumer the types of data being collected and obtain consent from the consumers regarding the collection of personal data and sensitive personal data processing. Controllers must securely store personal data of consumers through administrative, technical, and physical security practices. Controllers shall not discriminate against consumers that exercise consumer data rights as provided in the bill by denying a consumer goods or services, charging different prices, or providing lower quality goods with exceptions. Contract provisions that require consumers to waive rights defined by the bill will be considered void and unenforceable.
   The bill provides that controllers give consumers reasonably accessible and clear privacy notices that inform consumers of the information regarding personal data transfer and purposes and the methods for consumers to exercise rights. The bill provides that controllers selling personal data to third parties or using targeted advertising must clearly disclose such activity and the right for the consumer to opt out of such sales or use. The bill requires a controller to create a method for private and secure processing of consumer requests.
   The bill requires processors and the assigns or subcontractors of processors to assist controllers in complying with duties created by the bill.
   The bill includes personal data processing exemptions, including pseudonymous data and de-identified data as defined by the bill. The bill identifies exceptions where controllers or processors are not required to comply with a consumer rights request pursuant to the bill. The bill requires controllers disclosing pseudonymous or de-identified data to exercise reasonable oversight of contractual commitments regarding such data.
   The bill provides that the bill shall not restrict controller or processor abilities to improve business or function. Controllers or processors sharing personal data with third parties are not liable for the noncompliance of third parties if the controller or processor did not have personal knowledge of the violation or intent to commit a violation, nor is a third party liable for violations of a controller or processor. The bill provides that if a controller seeks certain exemptions, the controller bears the burden of demonstrating that the controller qualifies for the exemption and the exemption complies with the requirements in the bill.
   The bill shall not require a business, consumer, or other party to disclose trade secrets.
   The bill provides that the attorney general shall investigate controllers and processors upon reasonable cause for violations of provisions of the bill. The attorney general shall provide 30 days’ notice to a controller or processor including the reason for which the entity is subject to an investigation and permit the entity to cure the defect prior to filing a civil action. A controller or processor found to be in violation of provisions of the bill is subject to a civil penalty of up to $7,500 per violation. Moneys collected by the attorney general under the bill shall be paid into the consumer education and litigation fund established under Code section 714.16C. The attorney general shall recover reasonable expenses related to the investigation.
   The bill provides that a rule, regulation, code, ordinance, or other law adopted regarding processing of personal data is preempted by the bill.
   The bill takes effect January 1, 2025.