Senate File 262 - Introduced

A Bill For

An Act relating to consumer data protection, providing civil penalties, and including effective date provisions.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
Section 1.  NEW SECTION.  715D.1  Definitions.

As used in this chapter, unless the context otherwise requires:

1.  “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. For the purposes of this definition, “control” or “controlled” means:

a.  Ownership of, or the power to vote, more than fifty percent of the outstanding shares of any class of voting security of a company.

b.  Control in any manner over the election of a majority of the directors or of individuals exercising similar functions.

c.  The power to exercise controlling influence over the management of a company.

2.  “Aggregate data” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer.

3.  “Authenticate” means verifying through reasonable means that a consumer, entitled to exercise their consumer rights in section 715D.3, is the same consumer exercising such consumer rights with respect to the personal data at issue.

4.  “Biometric data” means data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. “Biometric data” does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.

5.  “Child” means any natural person younger than thirteen years of age.

6.  “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. “Consent” may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

7.  “Consumer” means a natural person who is a resident of the state acting only in an individual or household context and excluding a natural person acting in a commercial or employment context.

8.  “Controller” means a person that, alone or jointly with others, determines the purpose and means of processing personal data.

9.  “Covered entity” means the same as “covered entity” defined by HIPAA.

10.  “De-identified data” means data that cannot reasonably be linked to an identified or identifiable natural person.

11.  “Fund” means the consumer education and litigation fund established pursuant to section 714.16C.

12.  “Health care provider” means any of the following:

a.  A general hospital, ambulatory surgical or treatment center, skilled nursing center, or assisted living center licensed or certified by the state.

b.  A psychiatric hospital licensed by the state.

c.  A hospital operated by the state.

d.  A hospital operated by the state board of regents.

e.  A person licensed to practice medicine or osteopathy in the state.

f.  A person licensed to furnish health care policies or plans in the state.

g.  A person licensed to practice dentistry in the state.

h.  “Health care provider” does not include a continuing care retirement community or any nursing facility of a religious body which depends upon prayer alone for healing.

13.  “Health Insurance Portability and Accountability Act” or “HIPAA” means the federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, including amendments thereto and regulations promulgated thereunder.

14.  “Health record” means any written, printed, or electronically recorded material maintained by a health care provider in the course of providing health services to an individual concerning the individual and the services provided, including related health information provided in confidence to a health care provider.

15.  “Identified or identifiable natural person” means a person who can be readily identified, directly or indirectly.

16.  “Institution of higher education” means nonprofit private institutions of higher education and proprietary private institutions of higher education in the state, community colleges, and each associate-degree-granting and baccalaureate public institutions of higher education in the state.

17.  “Nonprofit organization” means any corporation organized under chapter 504, any organization exempt from taxation under sections 501(c)(3), 501(c)(6), or 501(c)(12) of the Internal Revenue Code, any organization exempt from taxation under section 501(c)(4) of the Internal Revenue Code that is established to detect or prevent insurance-related crime or fraud, and any subsidiaries and affiliates of entities organized pursuant to chapter 499.

18.  “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person. “Personal data” does not include de-identified or aggregate data or publicly available information.

19.  “Precise geolocation data” means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that identifies the specific location of a natural person with precision and accuracy within a radius of one thousand seven hundred fifty feet. “Precise geolocation data” does not include the content of communications, or any data generated by or connected to utility metering infrastructure systems or equipment for use by a utility.

20.  “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

21.  “Processor” means a person that processes personal data on behalf of a controller.

22.  “Protected health information” means the same as protected health information established by HIPAA.

23.  “Pseudonymous data” means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

24.  “Publicly available information” means information that is lawfully made available through federal, state, or local government records, or information that a business has reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.

25.  “Sale of personal data” means the exchange of personal data for monetary consideration by the controller to a third party. “Sale of personal data” does not include:

a.  The disclosure of personal data to a processor that processes the personal data on behalf of the controller.

b.  The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer or a parent of a child.

c.  The disclosure or transfer of personal data to an affiliate of the controller.

d.  The disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience.

e.  The disclosure or transfer of personal data when a consumer uses or directs a controller to intentionally disclose personal data or intentionally interact with one or more third parties.

f.  The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

26.  “Sensitive data” means a category of personal data that includes the following:

a.  Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, except to the extent such data is used in order to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law.

b.  Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person.

c.  The personal data collected from a known child.

d.  Precise geolocation data.

27.  “State agency” means the same as defined in 129 IAC 10.2(8B).

28.  “Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests. “Targeted advertising” does not include the following:

a.  Advertisements based on activities within a controller’s own or affiliated websites or online applications.

b.  Advertisements based on the context of a consumer’s current search query, visit to a website, or online application.

c.  Advertisements directed to a consumer in response to the consumer’s request for information or feedback.

d.  Processing personal data solely for measuring or reporting advertising performance, reach, or frequency.

29.  “Third party” means a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller.

30.  “Trade secret” means information, including but not limited to a formula, pattern, compilation, program, device, method, technique, or process, that consists of the following:

a.  Information that derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use.

b.  Information that is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.
Sec. 2.  NEW SECTION.  715D.2  Scope and exemptions.

1.  This chapter applies to a person conducting business in the state or producing products or services that are targeted to consumers who are residents of the state and that during a calendar year does either of the following:

a.  Controls or processes personal data of at least one hundred thousand consumers.

b.  Controls or processes personal data of at least twenty-five thousand consumers and derives over fifty percent of gross revenue from the sale of personal data.

2.  This chapter shall not apply to the state or any political subdivision of the state; financial institutions, affiliates of financial institutions, or data subject to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et seq.; persons who are subject to and comply with regulations promulgated pursuant to Tit. II, subtit. F, of the federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, and Tit. XIII, subtit. D, of the federal Health Information Technology for Economic and Clinical Health Act of 2009, 42 U.S.C. §17921-17954; nonprofit organizations; or institutions of higher education.

3.  The following information and data is exempt from this chapter:

a.  Protected health information under HIPAA.

b.  Health records.

c.  Patient identifying information for purposes of 42 U.S.C. §290dd-2.

d.  Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. pt. 46.

e.  Identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the international council for harmonization of technical requirements for pharmaceuticals for human use.

f.  The protection of human subjects under 21 C.F.R. pts. 6, 50, and 56.

g.  Personal data used or shared in research conducted in accordance with the requirements set forth in this chapter, or other research conducted in accordance with applicable law.

h.  Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 U.S.C. §11101 et seq.

i.  Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act, 42 U.S.C. §299b-21 et seq.

j.  Information derived from any of the health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA.

k.  Information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as information exempt under this subsection that is maintained by a covered entity or business associate as defined by HIPAA or a program or a qualified service organization as defined by 42 U.S.C. §290dd-2.

l.  Information used only for public health activities and purposes as authorized by HIPAA.

m.  The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act, 15 U.S.C. §1681 et seq.

n.  Personal data collected, processed, sold, or disclosed in compliance with the federal Driver’s Privacy Protection Act of 1994, 18 U.S.C. §2721 et seq.

o.  Personal data regulated by the federal Family Educational Rights and Privacy Act, 20 U.S.C. §1232 et seq.

p.  Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act, 12 U.S.C. §2001 et seq.

q.  Data processed or maintained as follows:

(1)  In the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role.

(2)  As the emergency contact information of an individual under this chapter used for emergency contact purposes.

(3)  That is necessary to retain to administer benefits for another individual relating to the individual under subparagraph (1) and used for the purposes of administering those benefits.

r.  Personal data used in accordance with the federal Children’s Online Privacy Protection Act, 15 U.S.C. §6501-6506, and its rules, regulations, and exceptions thereto.
Sec. 3.  NEW SECTION.  715D.3  Consumer data rights.

1.  A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to the controller, through the means specified by the controller pursuant to section 715D.4, subsection 6, specifying the consumer rights the consumer wishes to invoke. A known child’s parent or legal guardian may invoke such consumer rights on behalf of the known child regarding processing personal data belonging to the child. A controller shall comply with an authenticated consumer request to exercise all of the following:

a.  To confirm whether a controller is processing the consumer’s personal data and to access such personal data.

b.  To delete personal data provided by the consumer.

c.  To obtain a copy of the consumer’s personal data, except as to personal data that is defined as “personal information” pursuant to section 715C.1 that is subject to security breach protection, that the consumer previously provided to the controller in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.

d.  To opt out of the sale of personal data.

2.  Except as otherwise provided in this chapter, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to this section as follows:

a.  A controller shall respond to the consumer without undue delay, but in all cases within ninety days of receipt of a request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five additional days when reasonably necessary upon considering the complexity and number of the consumer’s requests by informing the consumer of any such extension within the initial ninety-day response period, together with the reason for the extension.

b.  If a controller declines to take action regarding the consumer’s request, the controller shall inform the consumer without undue delay of the justification for declining to take action, except in the case of a suspected fraudulent request, in which case the controller may state that the controller was unable to authenticate the request. The controller shall also provide instructions for appealing the decision pursuant to subsection 3.

c.  Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If a request from a consumer is manifestly unfounded, excessive, repetitive, technically unfeasible, or the controller reasonably believes that the primary purpose of the request is not to exercise a consumer right, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive, repetitive, or technically unfeasible nature of the request.

d.  If a controller is unable to authenticate a request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer’s request.

3.  A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision pursuant to this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the controller shall also provide the consumer with an online mechanism through which the consumer may contact the attorney general to submit a complaint.
Sec. 4.  NEW SECTION.  715D.4  Data controller duties.

1.  A controller shall adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue.

2.  A controller shall not process sensitive data collected from a consumer for a nonexempt purpose without the consumer having been presented with clear notice and an opportunity to opt out of such processing, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children’s Online Privacy Protection Act, 15 U.S.C. §6501 et seq.

3.  A controller shall not process personal data in violation of state and federal laws that prohibit unlawful discrimination against a consumer. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this chapter shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the consumer’s right to opt out pursuant to section 715D.3 or the offer is related to a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

4.  Any provision of a contract or agreement that purports to waive or limit in any way consumer rights pursuant to section 715D.3 shall be deemed contrary to public policy and shall be void and unenforceable.

5.  A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the following:

a.  The categories of personal data processed by the controller.

b.  The purpose for processing personal data.

c.  How consumers may exercise their consumer rights pursuant to section 715D.3, including how a consumer may appeal a controller’s decision with regard to the consumer’s request.

d.  The categories of personal data that the controller shares with third parties, if any.

e.  The categories of third parties, if any, with whom the controller shares personal data.

6.  If a controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.

7.  A controller shall establish, and shall describe in a privacy notice, secure and reliable means for consumers to submit a request to exercise their consumer rights under this chapter. Such means shall consider the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. A controller shall not require a consumer to create a new account in order to exercise consumer rights pursuant to section 715D.3, but may require a consumer to use an existing account.
Sec. 5.  NEW SECTION.  715D.5  Processor duties.

1.  A processor shall assist a controller in duties required under this chapter, taking into account the nature of processing and the information available to the processor by appropriate technical and organizational measures, insofar as is reasonably practicable, as follows:

a.  To fulfill the controller’s obligation to respond to consumer rights requests pursuant to section 715D.3.

b.  To meet the controller’s obligations in relation to the security of processing the personal data and in relation to the notification of a security breach of the processor pursuant to section 715C.2.

2.  A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties. The contract shall also include requirements that the processor shall do all of the following:

a.  Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.

b.  At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.

c.  Upon the reasonable request of the controller, make available to the controller all information in the processor’s possession necessary to demonstrate the processor’s compliance with the obligations in this chapter.

d.  Engage any subcontractor or agent pursuant to a written contract in accordance with this section that requires the subcontractor to meet the duties of the processor with respect to the personal data.

3.  Nothing in this section shall be construed to relieve a controller or a processor from imposed liabilities by virtue of the controller or processor’s role in the processing relationship as defined by this chapter.

4.  Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains a processor.
Sec. 6.  NEW SECTION.  715D.6  Processing data — exemptions.

1.  Nothing in this chapter shall be construed to require the following:

a.  A controller or processor to re-identify de-identified data or pseudonymous data.

b.  Maintaining data in identifiable form.

c.  Collecting, obtaining, retaining, or accessing any data or technology, in order to be capable of associating an authenticated consumer request with personal data.

2.  Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated consumer rights request, pursuant to section 715D.3, if all of the following apply:

a.  The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data.

b.  The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer.

c.  The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this chapter.

3.  Consumer rights contained in sections 715D.3 and 715D.4 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

4.  Controllers that disclose pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.
Sec. 7.  NEW SECTION.  715D.7  Limitations.

1.  Nothing in this chapter shall be construed to restrict a controller’s or processor’s ability to do the following:

a.  Comply with federal, state, or local laws, rules, or regulations.

b.  Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities.

c.  Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations.

d.  Investigate, establish, exercise, prepare for, or defend legal claims.

e.  Provide a product or service specifically requested by a consumer or parent or guardian of a child, perform a contract to which the consumer or parent or guardian of a child is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer or parent or guardian of a child prior to entering into a contract.

f.  Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis.

g.  Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity.

h.  Preserve the integrity or security of systems.

i.  Investigate, report, or prosecute those responsible for any such action.

j.  Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine the following:

(1)  If the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller.

(2)  The expected benefits of the research outweigh the privacy risks.

(3)  If the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification.

k.  Assist another controller, processor, or third party with any of the obligations under this subsection.

2.  The obligations imposed on a controller or processor under this chapter shall not restrict a controller’s or processor’s ability to collect, use, or retain data as follows:

a.  To conduct internal research to develop, improve, or repair products, services, or technology.

b.  To effectuate a product recall.

c.  To identify and repair technical errors that impair existing or intended functionality.

d.  To perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer’s existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or parent or guardian of a child or the performance of a contract to which the consumer or parent or guardian of a child is a party.

3.  The obligations imposed on controllers or processors under this chapter shall not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under the laws of the state. Nothing in this chapter shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of the state as part of a privileged communication.

4.  A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of this chapter, is not in violation of this chapter if the third-party controller or processor that receives and processes such personal data is in violation of this chapter, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is likewise not in violation of this chapter for the offenses of the controller or processor from which it receives such personal data.

5.  Nothing in this chapter shall be construed as an obligation imposed on a controller or a processor that adversely affects the privacy or other rights or freedoms of any persons, such as exercising the right of free speech pursuant to the first amendment to the United States Constitution, or applies to personal data by a person in the course of a purely personal or household activity.

6.  Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by this chapter. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is as follows:

a.  Reasonably necessary and proportionate to the purposes listed in this section.

b.  Adequate, relevant, and limited to what is necessary
11in relation to the specific purposes listed in this section.
12Personal data collected, used, or retained pursuant to
13this section shall, where applicable, take into account
14the nature and purpose or purposes of such collection, use,
15or retention. Such data shall be subject to reasonable
16administrative, technical, and physical measures to protect the
17confidentiality, integrity, and accessibility of the personal
18data.
   197.  If a controller processes personal data pursuant to an
20exemption in this section, the controller bears the burden of
21demonstrating that such processing qualifies for the exemption
22and complies with the requirements in subsection 6.
   238.  Processing personal data for the purposes expressly
24identified in subsection 1 shall not in and of itself make an
25entity a controller with respect to such processing.
   269.  This chapter shall not require a controller, processor,
27third party, or consumer to disclose trade secrets.
Sec. 8.  NEW SECTION.  715D.8  Enforcement — penalties.

1.  The attorney general shall have exclusive authority to enforce the provisions of this chapter. Whenever the attorney general has reasonable cause to believe that any person has engaged in, is engaging in, or is about to engage in any violation of this chapter, the attorney general is empowered to issue a civil investigative demand. The provisions of section 685.6 shall apply to civil investigative demands issued under this chapter.

2.  Prior to initiating any action under this chapter, the attorney general shall provide a controller or processor ninety days’ written notice identifying the specific provisions of this chapter the attorney general alleges have been or are being violated. If within the ninety-day period, the controller or processor cures the noticed violation and provides the attorney general an express written statement that the alleged violations have been cured and that no further such violations shall occur, no action shall be initiated against the controller or processor.

3.  If a controller or processor continues to violate this chapter following the cure period in subsection 2 or breaches an express written statement provided to the attorney general under that subsection, the attorney general may initiate an action in the name of the state and may seek an injunction to restrain any violations of this chapter and civil penalties of up to seven thousand five hundred dollars for each violation under this chapter. Any moneys collected under this section including civil penalties, costs, attorney fees, or amounts which are specifically directed shall be paid into the consumer education and litigation fund established under section 714.16C.

4.  Nothing in this chapter shall be construed as providing the basis for, or be subject to, a private right of action for violations of this chapter or under any other law.
Sec. 9.  NEW SECTION.  715D.9  Preemption.

1.  This chapter supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, municipality, or local agency regarding the processing of personal data by controllers or processors.

2.  Any reference to federal, state, or local law or statute in this chapter shall be deemed to include any accompanying rules or regulations or exemptions thereto, or in the case of a federal agency, guidance issued by such agency thereto.
Sec. 10.  EFFECTIVE DATE.  This Act takes effect January 1, 2025.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to consumer data protection.

The bill contains several definitions. The bill defines “controller” to mean a person that, alone or jointly with others, determines the purpose and means of processing personal data. The bill defines “identified or identifiable natural person” to mean a person who can be readily identified, directly or indirectly. The bill defines “personal data” to mean any information that is linked or reasonably linkable to an identified or identifiable natural person, but does not include de-identified data or publicly available information. The bill defines “process” or “processing” to mean any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. The bill defines “processor” to mean a person that processes personal data on behalf of a controller. The bill defines “pseudonymous data” to mean personal data that cannot be attributed to a specific natural person without the use of additional information. The bill defines “publicly available information” to mean information that is lawfully made available to the general public through certain records or information that a business has reasonable basis to believe is lawfully made available under certain conditions. The bill defines “targeted advertising” to mean displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests, with exceptions. The bill defines “third party” to mean a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller. The bill contains other defined terms.

The bill provides that persons conducting business in the state or producing products or services targeted to Iowans that annually control or process personal data of over 99,999 consumers or control or process personal data of 25,000 consumers with 50 percent of gross revenue derived from the sale of the personal data shall be subject to the provisions of the bill. The state and political subdivisions of the state, financial institutions or data subject to the federal Gramm-Leach-Bliley Act of 1999, certain organizations governed by rules by the department of health and human services, certain federal governance laws and the federal Health Insurance Portability and Accountability Act, nonprofit organizations, higher learning institutions, and certain protected information and personal data collected under state or federal laws are exempt from provisions in the bill.

The bill provides consumers have personal data rights that may be invoked at any time. Consumers or the parent of a child may submit a request to a controller for a copy of the controller’s information relating to personal data. The controller shall comply with such requests to confirm or deny whether the controller is processing the personal data, to provide the consumer with a copy of their personal data, and to remove the consumer or child from personal data processing.

The bill requires that controllers provide responses to defined personal data requests within 90 days of a consumer initiating a request. Responses to personal data requests shall be provided to a consumer free of charge up to twice per year except where requests are overly burdensome or manifestly unfounded. A business may extend the deadline for good cause, including complexity, once by up to 45 days after informing the consumer of the reason for the extension. The bill provides that controllers are not required to comply with requests where a controller is unable through commercially reasonable efforts to verify the identity of the consumer submitting the request. The bill requires that controllers permit consumers to access an appeals process except in cases that are unable to be authenticated and provide consumers with information regarding the appeals process in situations where a consumer’s request is denied.

The bill provides that controllers must disclose to the consumer the types of data being collected and obtain consent from the consumers regarding the collection of personal data and sensitive personal data processing. Controllers must securely store personal data of consumers through administrative, technical, and physical security practices. Controllers shall not discriminate against consumers that exercise consumer data rights as provided in the bill by denying a consumer goods or services, charging different prices, or providing lower quality goods with exceptions. Contract provisions that require consumers to waive rights defined by the bill will be considered void and unenforceable.

The bill provides that controllers give consumers reasonably accessible and clear privacy notices that inform consumers of the information regarding personal data transfer and purposes and the methods for consumers to exercise rights. The bill provides that controllers selling personal data to third parties or using targeted advertising must clearly disclose such activity and the right for the consumer to opt out of such sales or use. The bill requires a controller to create a method for private and secure processing of consumer requests.

The bill requires processors and the assigns or subcontractors of processors to assist controllers in complying with duties created by the bill.

The bill includes personal data processing exemptions, including pseudonymous data and de-identified data as defined by the bill. The bill identifies exceptions where controllers or processors are not required to comply with a consumer rights request pursuant to the bill. The bill requires controllers disclosing pseudonymous or de-identified data to exercise reasonable oversight of contractual commitments regarding such data.

The bill provides that the bill shall not restrict controller or processor abilities to improve business or function. Controllers or processors sharing personal data with third parties are not liable for the noncompliance of third parties if the controller or processor did not have personal knowledge of the violation or intent to commit a violation, nor is a third party liable for violations of a controller or processor. The bill provides that if a controller seeks certain exemptions, the controller bears the burden of demonstrating that the controller qualifies for the exemption and the exemption complies with the requirements in the bill.

The bill shall not require a business, consumer, or other party to disclose trade secrets.

The bill provides that the attorney general shall investigate controllers and processors upon reasonable cause for violations of provisions of the bill. The attorney general shall provide 90 days’ notice to a controller or processor including the reason for which the entity is subject to an investigation and permit the entity to cure the defect prior to filing a civil action. A controller or processor found to be in violation of provisions of the bill is subject to a civil penalty of up to $7,500 per violation. Moneys collected by the attorney general under the bill shall be paid into the consumer education and litigation fund established under Code section 714.16C.

The bill provides that a rule, regulation, code, ordinance, or other law adopted regarding processing of personal data is preempted by the bill.

The bill takes effect January 1, 2025.