Print
Senate File 262 - EnrolledAn Actrelating to consumer data protection, providing civil
penalties, and including effective date provisions.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
Section 1. NEW SECTION. 715D.1 Definitions.
As used in this chapter, unless the context otherwise
requires:
1. “Affiliate” means a legal entity that controls, is
controlled by, or is under common control with another legal
entity or shares common branding with another legal entity.
For the purposes of this definition, “control” or “controlled”
means:
a. Ownership of, or the power to vote, more than fifty
percent of the outstanding shares of any class of voting
security of a company.
b. Control in any manner over the election of a majority of
the directors or of individuals exercising similar functions.
c. The power to exercise controlling influence over the
management of a company.
2. “Aggregate data” means information that relates to a
group or category of consumers, from which individual consumer
identities have been removed, that is not linked or reasonably
linkable to any consumer.
3. “Authenticate” means verifying through reasonable means
that a consumer, entitled to exercise their consumer rights in
section 715D.3, is the same consumer exercising such consumer
rights with respect to the personal data at issue.
4. “Biometric data” means data generated by automatic
measurements of an individual’s biological characteristics,
such as a fingerprint, voiceprint, eye retinas, irises, or
other unique biological patterns or characteristics that is
used to identify a specific individual. “Biometric data”
does not include a physical or digital photograph, a video or
audio recording or data generated therefrom, or information
collected, used, or stored for health care treatment, payment,
or operations under HIPAA.
5. “Child” means any natural person younger than thirteen
years of age.
6. “Consent” means a clear affirmative act signifying a
-1-consumer’s freely given, specific, informed, and unambiguous
agreement to process personal data relating to the consumer.
“Consent” may include a written statement, including a
statement written by electronic means, or any other unambiguous
affirmative action.
7. “Consumer” means a natural person who is a resident of
the state acting only in an individual or household context and
excluding a natural person acting in a commercial or employment
context.
8. “Controller” means a person that, alone or jointly with
others, determines the purpose and means of processing personal
data.
9. “Covered entity” means the same as “covered entity”
defined by HIPAA.
10. “De-identified data” means data that cannot reasonably
be linked to an identified or identifiable natural person.
11. “Fund” means the consumer education and litigation fund
established pursuant to section 714.16C.
12. “Health care provider” means any of the following:
a. A general hospital, ambulatory surgical or treatment
center, skilled nursing center, or assisted living center
licensed or certified by the state.
b. A psychiatric hospital licensed by the state.
c. A hospital operated by the state.
d. A hospital operated by the state board of regents.
e. A person licensed to practice medicine or osteopathy in
the state.
f. A person licensed to furnish health care policies or
plans in the state.
g. A person licensed to practice dentistry in the state.
h. “Health care provider” does not include a continuing care
retirement community or any nursing facility of a religious
body which depends upon prayer alone for healing.
13. “Health Insurance Portability and Accountability Act”
or “HIPAA” means the federal Health Insurance Portability and
-2-Accountability Act of 1996, Pub.L. No.104-191, including
amendments thereto and regulations promulgated thereunder.
14. “Health record” means any written, printed, or
electronically recorded material maintained by a health care
provider in the course of providing health services to an
individual concerning the individual and the services provided,
including related health information provided in confidence to
a health care provider.
15. “Identified or identifiable natural person” means a
person who can be readily identified, directly or indirectly.
16. “Institution of higher education” means nonprofit
private institutions of higher education and proprietary
private institutions of higher education in the state,
community colleges, and each associate-degree-granting and
baccalaureate public institutions of higher education in the
state.
17. “Nonprofit organization” means any corporation organized
under chapter 504, any organization exempt from taxation
under sections 501(c)(3), 501(c)(6), or 501(c)(12) of the
Internal Revenue Code, any organization exempt from taxation
under section 501(c)(4) of the Internal Revenue Code that
is established to detect or prevent insurance-related crime
or fraud, and any subsidiaries and affiliates of entities
organized pursuant to chapter 499.
18. “Personal data” means any information that is linked or
reasonably linkable to an identified or identifiable natural
person. “Personal data” does not include de-identified or
aggregate data or publicly available information.
19. “Precise geolocation data” means information derived
from technology, including but not limited to global
positioning system level latitude and longitude coordinates or
other mechanisms, that identifies the specific location of a
natural person with precision and accuracy within a radius of
one thousand seven hundred fifty feet. “Precise geolocation
data” does not include the content of communications, or
-3-any data generated by or connected to utility metering
infrastructure systems or equipment for use by a utility.
20. “Process” or “processing” means any operation or set
of operations performed, whether by manual or automated means,
on personal data or on sets of personal data, such as the
collection, use, storage, disclosure, analysis, deletion, or
modification of personal data.
21. “Processor” means a person that processes personal data
on behalf of a controller.
22. “Protected health information” means the same as
protected health information established by HIPAA.
23. “Pseudonymous data” means personal data that cannot
be attributed to a specific natural person without the use
of additional information, provided that such additional
information is kept separately and is subject to appropriate
technical and organizational measures to ensure that
the personal data is not attributed to an identified or
identifiable natural person.
24. “Publicly available information” means information
that is lawfully made available through federal, state, or
local government records, or information that a business has
reasonable basis to believe is lawfully made available to
the general public through widely distributed media, by the
consumer, or by a person to whom the consumer has disclosed the
information, unless the consumer has restricted the information
to a specific audience.
25. “Sale of personal data” means the exchange of personal
data for monetary consideration by the controller to a third
party. “Sale of personal data” does not include:
a. The disclosure of personal data to a processor that
processes the personal data on behalf of the controller.
b. The disclosure of personal data to a third party for
purposes of providing a product or service requested by the
consumer or a parent of a child.
c. The disclosure or transfer of personal data to an
-4-affiliate of the controller.
d. The disclosure of information that the consumer
intentionally made available to the general public via a
channel of mass media and did not restrict to a specific
audience.
e. The disclosure or transfer of personal data when a
consumer uses or directs a controller to intentionally disclose
personal data or intentionally interact with one or more third
parties.
f. The disclosure or transfer of personal data to a third
party as an asset that is part of a proposed or actual merger,
acquisition, bankruptcy, or other transaction in which the
third party assumes control of all or part of the controller’s
assets.
26. “Sensitive data” means a category of personal data that
includes the following:
a. Racial or ethnic origin, religious beliefs, mental or
physical health diagnosis, sexual orientation, or citizenship
or immigration status, except to the extent such data is used
in order to avoid discrimination on the basis of a protected
class that would violate a federal or state anti-discrimination
law.
b. Genetic or biometric data that is processed for the
purpose of uniquely identifying a natural person.
c. The personal data collected from a known child.
d. Precise geolocation data.
27. “State agency” means the same as defined in 129 IAC
10.2(8B).
28. “Targeted advertising” means displaying advertisements
to a consumer where the advertisement is selected based on
personal data obtained from that consumer’s activities over
time and across nonaffiliated websites or online applications
to predict such consumer’s preferences or interests. “Targeted
advertising” does not include the following:
a. Advertisements based on activities within a controller’s
-5-own or affiliated websites or online applications.
b. Advertisements based on the context of a consumer’s
current search query, visit to a website, or online
application.
c. Advertisements directed to a consumer in response to the
consumer’s request for information or feedback.
d. Processing personal data solely for measuring or
reporting advertising performance, reach, or frequency.
29. “Third party” means a natural or legal person, public
authority, agency, or body other than the consumer, controller,
processor, or an affiliate of the processor or the controller.
30. “Trade secret” means information, including but not
limited to a formula, pattern, compilation, program, device,
method, technique, or process, that consists of the following:
a. Information that derives independent economic value,
actual or potential, from not being generally known to, and not
being readily ascertainable by proper means by, other persons
who can obtain economic value from its disclosure or use.
b. Information that is the subject of efforts that are
reasonable under the circumstances to maintain its secrecy.
Sec. 2. NEW SECTION. 715D.2 Scope and exemptions.
1. This chapter applies to a person conducting business in
the state or producing products or services that are targeted
to consumers who are residents of the state and that during a
calendar year does either of the following:
a. Controls or processes personal data of at least one
hundred thousand consumers.
b. Controls or processes personal data of at least
twenty-five thousand consumers and derives over fifty percent
of gross revenue from the sale of personal data.
2. This chapter shall not apply to the state or any
political subdivision of the state; financial institutions,
affiliates of financial institutions, or data subject to Tit.V
of the federal Gramm-Leach-Bliley Act of 1999, l5 U.S.C.§6801
et seq.; persons who are subject to and comply with regulations
-6-promulgated pursuant to Tit.II, subtit.F, of the federal
Health Insurance Portability and Accountability Act of 1996,
Pub.L.No.104-191, and Tit.XIII, subtit.D, of the federal
Health Information Technology for Economic and Clinical Health
Act of 2009, 42 U.S.C. §17921 - 17954; nonprofit organizations;
or institutions of higher education.
3. The following information and data is exempt from this
chapter:
a. Protected health information under HIPAA.
b. Health records.
c. Patient identifying information for purposes of 42 U.S.C.
§290dd-2.
d. Identifiable private information for purposes of the
federal policy for the protection of human subjects under 45
C.F.R. pt.46.
e. Identifiable private information that is otherwise
information collected as part of human subjects research
pursuant to the good clinical practice guidelines issued by
the international council for harmonization of technical
requirements for pharmaceuticals for human use.
f. The protection of human subjects under 21 C.F.R. pts.6,
50, and 56.
g. Personal data used or shared in research conducted in
accordance with the requirements set forth in this chapter, or
other research conducted in accordance with applicable law.
h. Information and documents created for purposes of the
federal Health Care Quality Improvement Act of 1986, 42 U.S.C.
§11101 et seq.
i. Patient safety work product for purposes of the federal
Patient Safety and Quality Improvement Act, 42 U.S.C. §299b-21
et seq.
j. Information derived from any of the health care-related
information listed in this subsection that is de-identified in
accordance with the requirements for de-identification pursuant
to HIPAA.
-7- k. Information originating from, and intermingled to be
indistinguishable with, or information treated in the same
manner as information exempt under this subsection that is
maintained by a covered entity or business associate as defined
by HIPAA or a program or a qualified service organization as
defined by 42 U.S.C. §290dd-2.
l. Information used only for public health activities and
purposes as authorized by HIPAA.
m. The collection, maintenance, disclosure, sale,
communication, or use of any personal information bearing on a
consumer’s credit worthiness, credit standing, credit capacity,
character, general reputation, personal characteristics, or
mode of living by a consumer reporting agency or furnisher that
provides information for use in a consumer report, and by a
user of a consumer report, but only to the extent that such
activity is regulated by and authorized under the federal Fair
Credit Reporting Act, 15 U.S.C. §1681 et seq.
n. Personal data collected, processed, sold, or disclosed in
compliance with the federal Driver’s Privacy Protection Act of
1994, 18 U.S.C. §2721 et seq.
o. Personal data regulated by the federal Family Educational
Rights and Privacy Act, 20 U.S.C. §1232 et seq.
p. Personal data collected, processed, sold, or disclosed in
compliance with the federal Farm Credit Act, 12 U.S.C. §2001
et seq.
q. Data processed or maintained as follows:
(1) In the course of an individual applying to, employed
by, or acting as an agent or independent contractor of a
controller, processor, or third party, to the extent that the
data is collected and used within the context of that role.
(2) As the emergency contact information of an individual
under this chapter used for emergency contact purposes.
(3) That is necessary to retain to administer benefits
for another individual relating to the individual under
subparagraph (1) and used for the purposes of administering
-8-those benefits.
r. Personal data used in accordance with the federal
Children’s Online Privacy Protection Act, 15 U.S.C. §6501 –
6506, and its rules, regulations, and exceptions thereto.
Sec. 3. NEW SECTION. 715D.3 Consumer data rights.
1. A consumer may invoke the consumer rights authorized
pursuant to this section at any time by submitting a request to
the controller, through the means specified by the controller
pursuant to section 715D.4, subsection 6, specifying the
consumer rights the consumer wishes to invoke. A known child’s
parent or legal guardian may invoke such consumer rights
on behalf of the known child regarding processing personal
data belonging to the child. A controller shall comply with
an authenticated consumer request to exercise all of the
following:
a. To confirm whether a controller is processing the
consumer’s personal data and to access such personal data.
b. To delete personal data provided by the consumer.
c. To obtain a copy of the consumer’s personal data, except
as to personal data that is defined as “personal information”
pursuant to section 715C.1 that is subject to security breach
protection, that the consumer previously provided to the
controller in a portable and, to the extent technically
practicable, readily usable format that allows the consumer
to transmit the data to another controller without hindrance,
where the processing is carried out by automated means.
d. To opt out of the sale of personal data.
2. Except as otherwise provided in this chapter, a
controller shall comply with a request by a consumer to
exercise the consumer rights authorized pursuant to this
section as follows:
a. A controller shall respond to the consumer without
undue delay, but in all cases within ninety days of receipt
of a request submitted pursuant to the methods described in
this section. The response period may be extended once by
-9-forty-five additional days when reasonably necessary upon
considering the complexity and number of the consumer’s
requests by informing the consumer of any such extension within
the initial ninety-day response period, together with the
reason for the extension.
b. If a controller declines to take action regarding the
consumer’s request, the controller shall inform the consumer
without undue delay of the justification for declining to take
action, except in the case of a suspected fraudulent request,
in which case the controller may state that the controller was
unable to authenticate the request. The controller shall also
provide instructions for appealing the decision pursuant to
subsection 3.
c. Information provided in response to a consumer request
shall be provided by a controller free of charge, up to
twice annually per consumer. If a request from a consumer
is manifestly unfounded, excessive, repetitive, technically
unfeasible, or the controller reasonably believes that the
primary purpose of the request is not to exercise a consumer
right, the controller may charge the consumer a reasonable fee
to cover the administrative costs of complying with the request
or decline to act on the request. The controller bears the
burden of demonstrating the manifestly unfounded, excessive,
repetitive, or technically unfeasible nature of the request.
d. If a controller is unable to authenticate a request
using commercially reasonable efforts, the controller shall
not be required to comply with a request to initiate an action
under this section and may request that the consumer provide
additional information reasonably necessary to authenticate the
consumer and the consumer’s request.
3. A controller shall establish a process for a consumer
to appeal the controller’s refusal to take action on a request
within a reasonable period of time after the consumer’s
receipt of the decision pursuant to this section. The appeal
process shall be conspicuously available and similar to the
-10-process for submitting requests to initiate action pursuant
to this section. Within sixty days of receipt of an appeal,
a controller shall inform the consumer in writing of any
action taken or not taken in response to the appeal, including
a written explanation of the reasons for the decision. If
the appeal is denied, the controller shall also provide the
consumer with an online mechanism through which the consumer
may contact the attorney general to submit a complaint.
Sec. 4. NEW SECTION. 715D.4 Data controller duties.
1. A controller shall adopt and implement reasonable
administrative, technical, and physical data security practices
to protect the confidentiality, integrity, and accessibility
of personal data. Such data security practices shall be
appropriate to the volume and nature of the personal data at
issue.
2. A controller shall not process sensitive data collected
from a consumer for a nonexempt purpose without the consumer
having been presented with clear notice and an opportunity to
opt out of such processing, or, in the case of the processing
of sensitive data concerning a known child, without processing
such data in accordance with the federal Children’s Online
Privacy Protection Act, 15 U.S.C. §6501 et seq.
3. A controller shall not process personal data in
violation of state and federal laws that prohibit unlawful
discrimination against a consumer. A controller shall not
discriminate against a consumer for exercising any of the
consumer rights contained in this chapter, including denying
goods or services, charging different prices or rates for
goods or services, or providing a different level of quality
of goods and services to the consumer. However, nothing in
this chapter shall be construed to require a controller to
provide a product or service that requires the personal data
of a consumer that the controller does not collect or maintain
or to prohibit a controller from offering a different price,
rate, level, quality, or selection of goods or services to a
-11-consumer, including offering goods or services for no fee,
if the consumer has exercised the consumer’s right to opt
out pursuant to section 715D.3 or the offer is related to a
consumer’s voluntary participation in a bona fide loyalty,
rewards, premium features, discounts, or club card program.
4. Any provision of a contract or agreement that purports to
waive or limit in any way consumer rights pursuant to section
715D.3 shall be deemed contrary to public policy and shall be
void and unenforceable.
5. A controller shall provide consumers with a reasonably
accessible, clear, and meaningful privacy notice that includes
the following:
a. The categories of personal data processed by the
controller.
b. The purpose for processing personal data.
c. How consumers may exercise their consumer rights pursuant
to section 715D.3, including how a consumer may appeal a
controller’s decision with regard to the consumer’s request.
d. The categories of personal data that the controller
shares with third parties, if any.
e. The categories of third parties, if any, with whom the
controller shares personal data.
6. If a controller sells a consumer’s personal data to third
parties or engages in targeted advertising, the controller
shall clearly and conspicuously disclose such activity, as well
as the manner in which a consumer may exercise the right to opt
out of such activity.
7. A controller shall establish, and shall describe in
a privacy notice, secure and reliable means for consumers to
submit a request to exercise their consumer rights under this
chapter. Such means shall consider the ways in which consumers
normally interact with the controller, the need for secure and
reliable communication of such requests, and the ability of
the controller to authenticate the identity of the consumer
making the request. A controller shall not require a consumer
-12-to create a new account in order to exercise consumer rights
pursuant to section 715D.3, but may require a consumer to use
an existing account.
Sec. 5. NEW SECTION. 715D.5 Processor duties.
1. A processor shall assist a controller in duties
required under this chapter, taking into account the nature of
processing and the information available to the processor by
appropriate technical and organizational measures, insofar as
is reasonably practicable, as follows:
a. To fulfill the controller’s obligation to respond to
consumer rights requests pursuant to section 715D.3.
b. To meet the controller’s obligations in relation to the
security of processing the personal data and in relation to the
notification of a security breach of the processor pursuant to
section 715C.2.
2. A contract between a controller and a processor shall
govern the processor’s data processing procedures with respect
to processing performed on behalf of the controller. The
contract shall clearly set forth instructions for processing
personal data, the nature and purpose of processing, the type
of data subject to processing, the duration of processing, and
the rights and duties of both parties. The contract shall also
include requirements that the processor shall do all of the
following:
a. Ensure that each person processing personal data is
subject to a duty of confidentiality with respect to the data.
b. At the controller’s direction, delete or return all
personal data to the controller as requested at the end of the
provision of services, unless retention of the personal data
is required by law.
c. Upon the reasonable request of the controller, make
available to the controller all information in the processor’s
possession necessary to demonstrate the processor’s compliance
with the obligations in this chapter.
d. Engage any subcontractor or agent pursuant to a written
-13-contract in accordance with this section that requires the
subcontractor to meet the duties of the processor with respect
to the personal data.
3. Nothing in this section shall be construed to relieve a
controller or a processor from imposed liabilities by virtue
of the controller or processor’s role in the processing
relationship as defined by this chapter.
4. Determining whether a person is acting as a controller or
processor with respect to a specific processing of data is a
fact-based determination that depends upon the context in which
personal data is to be processed. A processor that continues
to adhere to a controller’s instructions with respect to a
specific processing of personal data remains a processor.
Sec. 6. NEW SECTION. 715D.6 Processing data — exemptions.
1. Nothing in this chapter shall be construed to require the
following:
a. A controller or processor to re-identify de-identified
data or pseudonymous data.
b. Maintaining data in identifiable form.
c. Collecting, obtaining, retaining, or accessing any
data or technology, in order to be capable of associating an
authenticated consumer request with personal data.
2. Nothing in this chapter shall be construed to require
a controller or processor to comply with an authenticated
consumer rights request, pursuant to section 715D.3, if all of
the following apply:
a. The controller is not reasonably capable of associating
the request with the personal data or it would be unreasonably
burdensome for the controller to associate the request with the
personal data.
b. The controller does not use the personal data to
recognize or respond to the specific consumer who is the
subject of the personal data, or associate the personal data
with other personal data about the same specific consumer.
c. The controller does not sell the personal data to any
-14-third party or otherwise voluntarily disclose the personal data
to any third party other than a processor, except as otherwise
permitted in this chapter.
3. Consumer rights contained in sections 715D.3 and 715D.4
shall not apply to pseudonymous data in cases where the
controller is able to demonstrate any information necessary
to identify the consumer is kept separately and is subject to
appropriate technical and organizational measures to ensure
that the personal data is not attributed to an identified or
identifiable natural person.
4. Controllers that disclose pseudonymous data or
de-identified data shall exercise reasonable oversight to
monitor compliance with any contractual commitments to which
the pseudonymous data or de-identified data is subject and
shall take appropriate steps to address any breaches of those
contractual commitments.
Sec. 7. NEW SECTION. 715D.7 Limitations.
1. Nothing in this chapter shall be construed to restrict a
controller’s or processor’s ability to do the following:
a. Comply with federal, state, or local laws, rules, or
regulations.
b. Comply with a civil, criminal, or regulatory inquiry,
investigation, subpoena, or summons by federal, state, local,
or other governmental authorities.
c. Cooperate with law enforcement agencies concerning
conduct or activity that the controller or processor reasonably
and in good faith believes may violate federal, state, or local
laws, rules, or regulations.
d. Investigate, establish, exercise, prepare for, or defend
legal claims.
e. Provide a product or service specifically requested by a
consumer or parent or guardian of a child, perform a contract
to which the consumer or parent or guardian of a child is a
party, including fulfilling the terms of a written warranty, or
take steps at the request of the consumer or parent or guardian
-15-of a child prior to entering into a contract.
f. Take immediate steps to protect an interest that is
essential for the life or physical safety of the consumer or
of another natural person, and where the processing cannot be
manifestly based on another legal basis.
g. Prevent, detect, protect against, or respond to security
incidents, identity theft, fraud, harassment, malicious or
deceptive activities, or any illegal activity.
h. Preserve the integrity or security of systems.
i. Investigate, report, or prosecute those responsible for
any such action.
j. Engage in public or peer-reviewed scientific or
statistical research in the public interest that adheres to
all other applicable ethics and privacy laws and is approved,
monitored, and governed by an institutional review board, or
similar independent oversight entities that determine the
following:
(1) If the deletion of the information is likely to provide
substantial benefits that do not exclusively accrue to the
controller.
(2) The expected benefits of the research outweigh the
privacy risks.
(3) If the controller has implemented reasonable safeguards
to mitigate privacy risks associated with research, including
any risks associated with re-identification.
k. Assist another controller, processor, or third party with
any of the obligations under this subsection.
2. The obligations imposed on a controller or processor
under this chapter shall not restrict a controller’s or
processor’s ability to collect, use, or retain data as follows:
a. To conduct internal research to develop, improve, or
repair products, services, or technology.
b. To effectuate a product recall.
c. To identify and repair technical errors that impair
existing or intended functionality.
-16- d. To perform internal operations that are reasonably
aligned with the expectations of the consumer or reasonably
anticipated based on the consumer’s existing relationship with
the controller or are otherwise compatible with processing
data in furtherance of the provision of a product or service
specifically requested by a consumer or parent or guardian of a
child or the performance of a contract to which the consumer or
parent or guardian of a child is a party.
3. The obligations imposed on controllers or processors
under this chapter shall not apply where compliance by the
controller or processor with this chapter would violate an
evidentiary privilege under the laws of the state. Nothing
in this chapter shall be construed to prevent a controller or
processor from providing personal data concerning a consumer to
a person covered by an evidentiary privilege under the laws of
the state as part of a privileged communication.
4. A controller or processor that discloses personal data
to a third-party controller or processor, in compliance with
the requirements of this chapter, is not in violation of
this chapter if the third-party controller or processor that
receives and processes such personal data is in violation of
this chapter, provided that, at the time of disclosing the
personal data, the disclosing controller or processor did not
have actual knowledge that the recipient intended to commit a
violation. A third-party controller or processor receiving
personal data from a controller or processor in compliance with
the requirements of this chapter is likewise not in violation
of this chapter for the offenses of the controller or processor
from which it receives such personal data.
5. Nothing in this chapter shall be construed as an
obligation imposed on a controller or a processor that
adversely affects the privacy or other rights or freedoms
of any persons, such as exercising the right of free speech
pursuant to the first amendment to the United States
Constitution, or applies to personal data by a person in the
-17-course of a purely personal or household activity.
6. Personal data processed by a controller pursuant to
this section shall not be processed for any purpose other than
those expressly listed in this section unless otherwise allowed
by this chapter. Personal data processed by a controller
pursuant to this section may be processed to the extent that
such processing is as follows:
a. Reasonably necessary and proportionate to the purposes
listed in this section.
b. Adequate, relevant, and limited to what is necessary
in relation to the specific purposes listed in this section.
Personal data collected, used, or retained pursuant to
this section shall, where applicable, take into account
the nature and purpose or purposes of such collection, use,
or retention. Such data shall be subject to reasonable
administrative, technical, and physical measures to protect the
confidentiality, integrity, and accessibility of the personal
data.
7. If a controller processes personal data pursuant to an
exemption in this section, the controller bears the burden of
demonstrating that such processing qualifies for the exemption
and complies with the requirements in subsection 6.
8. Processing personal data for the purposes expressly
identified in subsection 1 shall not in and of itself make an
entity a controller with respect to such processing.
9. This chapter shall not require a controller, processor,
third party, or consumer to disclose trade secrets.
Sec. 8. NEW SECTION. 715D.8 Enforcement — penalties.
1. The attorney general shall have exclusive authority to
enforce the provisions of this chapter. Whenever the attorney
general has reasonable cause to believe that any person has
engaged in, is engaging in, or is about to engage in any
violation of this chapter, the attorney general is empowered to
issue a civil investigative demand. The provisions of section
685.6 shall apply to civil investigative demands issued under
-18-this chapter.
2. Prior to initiating any action under this chapter,
the attorney general shall provide a controller or processor
ninety days’ written notice identifying the specific provisions
of this chapter the attorney general alleges have been or
are being violated. If within the ninety-day period, the
controller or processor cures the noticed violation and
provides the attorney general an express written statement that
the alleged violations have been cured and that no further such
violations shall occur, no action shall be initiated against
the controller or processor.
3. If a controller or processor continues to violate this
chapter following the cure period in subsection 2 or breaches
an express written statement provided to the attorney general
under that subsection, the attorney general may initiate an
action in the name of the state and may seek an injunction to
restrain any violations of this chapter and civil penalties of
up to seven thousand five hundred dollars for each violation
under this chapter. Any moneys collected under this section
including civil penalties, costs, attorney fees, or amounts
which are specifically directed shall be paid into the consumer
education and litigation fund established under section
714.16C.
4. Nothing in this chapter shall be construed as providing
the basis for, or be subject to, a private right of action for
violations of this chapter or under any other law.
Sec. 9. NEW SECTION. 715D.9 Preemption.
1. This chapter supersedes and preempts all rules,
regulations, codes, ordinances, and other laws adopted by a
city, county, municipality, or local agency regarding the
processing of personal data by controllers or processors.
2. Any reference to federal, state, or local law or statute
in this chapter shall be deemed to include any accompanying
rules or regulations or exemptions thereto, or in the case of a
federal agency, guidance issued by such agency thereto.
-19- Sec. 10. EFFECTIVE DATE. This Act takes effect January 1,
2025.
______________________________
AMY SINCLAIR
President of the Senate
______________________________
PAT GRASSLEY
Speaker of the House
I hereby certify that this bill originated in the Senate and
is known as Senate File 262, Ninetieth General Assembly.
______________________________
W. CHARLES SMITHSON
Secretary of the Senate
Approved _______________, 2023
______________________________
KIM REYNOLDS
Governor
es/rn
penalties, and including effective date provisions.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
Section 1. NEW SECTION. 715D.1 Definitions.
As used in this chapter, unless the context otherwise
requires:
1. “Affiliate” means a legal entity that controls, is
controlled by, or is under common control with another legal
entity or shares common branding with another legal entity.
For the purposes of this definition, “control” or “controlled”
means:
a. Ownership of, or the power to vote, more than fifty
percent of the outstanding shares of any class of voting
security of a company.
b. Control in any manner over the election of a majority of
the directors or of individuals exercising similar functions.
c. The power to exercise controlling influence over the
management of a company.
2. “Aggregate data” means information that relates to a
group or category of consumers, from which individual consumer
identities have been removed, that is not linked or reasonably
linkable to any consumer.
3. “Authenticate” means verifying through reasonable means
that a consumer, entitled to exercise their consumer rights in
section 715D.3, is the same consumer exercising such consumer
rights with respect to the personal data at issue.
4. “Biometric data” means data generated by automatic
measurements of an individual’s biological characteristics,
such as a fingerprint, voiceprint, eye retinas, irises, or
other unique biological patterns or characteristics that is
used to identify a specific individual. “Biometric data”
does not include a physical or digital photograph, a video or
audio recording or data generated therefrom, or information
collected, used, or stored for health care treatment, payment,
or operations under HIPAA.
5. “Child” means any natural person younger than thirteen
years of age.
6. “Consent” means a clear affirmative act signifying a
-1-consumer’s freely given, specific, informed, and unambiguous
agreement to process personal data relating to the consumer.
“Consent” may include a written statement, including a
statement written by electronic means, or any other unambiguous
affirmative action.
7. “Consumer” means a natural person who is a resident of
the state acting only in an individual or household context and
excluding a natural person acting in a commercial or employment
context.
8. “Controller” means a person that, alone or jointly with
others, determines the purpose and means of processing personal
data.
9. “Covered entity” means the same as “covered entity”
defined by HIPAA.
10. “De-identified data” means data that cannot reasonably
be linked to an identified or identifiable natural person.
11. “Fund” means the consumer education and litigation fund
established pursuant to section 714.16C.
12. “Health care provider” means any of the following:
a. A general hospital, ambulatory surgical or treatment
center, skilled nursing center, or assisted living center
licensed or certified by the state.
b. A psychiatric hospital licensed by the state.
c. A hospital operated by the state.
d. A hospital operated by the state board of regents.
e. A person licensed to practice medicine or osteopathy in
the state.
f. A person licensed to furnish health care policies or
plans in the state.
g. A person licensed to practice dentistry in the state.
h. “Health care provider” does not include a continuing care
retirement community or any nursing facility of a religious
body which depends upon prayer alone for healing.
13. “Health Insurance Portability and Accountability Act”
or “HIPAA” means the federal Health Insurance Portability and
-2-Accountability Act of 1996, Pub.L. No.104-191, including
amendments thereto and regulations promulgated thereunder.
14. “Health record” means any written, printed, or
electronically recorded material maintained by a health care
provider in the course of providing health services to an
individual concerning the individual and the services provided,
including related health information provided in confidence to
a health care provider.
15. “Identified or identifiable natural person” means a
person who can be readily identified, directly or indirectly.
16. “Institution of higher education” means nonprofit
private institutions of higher education and proprietary
private institutions of higher education in the state,
community colleges, and each associate-degree-granting and
baccalaureate public institutions of higher education in the
state.
17. “Nonprofit organization” means any corporation organized
under chapter 504, any organization exempt from taxation
under sections 501(c)(3), 501(c)(6), or 501(c)(12) of the
Internal Revenue Code, any organization exempt from taxation
under section 501(c)(4) of the Internal Revenue Code that
is established to detect or prevent insurance-related crime
or fraud, and any subsidiaries and affiliates of entities
organized pursuant to chapter 499.
18. “Personal data” means any information that is linked or
reasonably linkable to an identified or identifiable natural
person. “Personal data” does not include de-identified or
aggregate data or publicly available information.
19. “Precise geolocation data” means information derived
from technology, including but not limited to global
positioning system level latitude and longitude coordinates or
other mechanisms, that identifies the specific location of a
natural person with precision and accuracy within a radius of
one thousand seven hundred fifty feet. “Precise geolocation
data” does not include the content of communications, or
-3-any data generated by or connected to utility metering
infrastructure systems or equipment for use by a utility.
20. “Process” or “processing” means any operation or set
of operations performed, whether by manual or automated means,
on personal data or on sets of personal data, such as the
collection, use, storage, disclosure, analysis, deletion, or
modification of personal data.
21. “Processor” means a person that processes personal data
on behalf of a controller.
22. “Protected health information” means the same as
protected health information established by HIPAA.
23. “Pseudonymous data” means personal data that cannot
be attributed to a specific natural person without the use
of additional information, provided that such additional
information is kept separately and is subject to appropriate
technical and organizational measures to ensure that
the personal data is not attributed to an identified or
identifiable natural person.
24. “Publicly available information” means information
that is lawfully made available through federal, state, or
local government records, or information that a business has
reasonable basis to believe is lawfully made available to
the general public through widely distributed media, by the
consumer, or by a person to whom the consumer has disclosed the
information, unless the consumer has restricted the information
to a specific audience.
25. “Sale of personal data” means the exchange of personal
data for monetary consideration by the controller to a third
party. “Sale of personal data” does not include:
a. The disclosure of personal data to a processor that
processes the personal data on behalf of the controller.
b. The disclosure of personal data to a third party for
purposes of providing a product or service requested by the
consumer or a parent of a child.
c. The disclosure or transfer of personal data to an
-4-affiliate of the controller.
d. The disclosure of information that the consumer
intentionally made available to the general public via a
channel of mass media and did not restrict to a specific
audience.
e. The disclosure or transfer of personal data when a
consumer uses or directs a controller to intentionally disclose
personal data or intentionally interact with one or more third
parties.
f. The disclosure or transfer of personal data to a third
party as an asset that is part of a proposed or actual merger,
acquisition, bankruptcy, or other transaction in which the
third party assumes control of all or part of the controller’s
assets.
26. “Sensitive data” means a category of personal data that
includes the following:
a. Racial or ethnic origin, religious beliefs, mental or
physical health diagnosis, sexual orientation, or citizenship
or immigration status, except to the extent such data is used
in order to avoid discrimination on the basis of a protected
class that would violate a federal or state anti-discrimination
law.
b. Genetic or biometric data that is processed for the
purpose of uniquely identifying a natural person.
c. The personal data collected from a known child.
d. Precise geolocation data.
27. “State agency” means the same as defined in 129 IAC
10.2(8B).
28. “Targeted advertising” means displaying advertisements
to a consumer where the advertisement is selected based on
personal data obtained from that consumer’s activities over
time and across nonaffiliated websites or online applications
to predict such consumer’s preferences or interests. “Targeted
advertising” does not include the following:
a. Advertisements based on activities within a controller’s
-5-own or affiliated websites or online applications.
b. Advertisements based on the context of a consumer’s
current search query, visit to a website, or online
application.
c. Advertisements directed to a consumer in response to the
consumer’s request for information or feedback.
d. Processing personal data solely for measuring or
reporting advertising performance, reach, or frequency.
29. “Third party” means a natural or legal person, public
authority, agency, or body other than the consumer, controller,
processor, or an affiliate of the processor or the controller.
30. “Trade secret” means information, including but not
limited to a formula, pattern, compilation, program, device,
method, technique, or process, that consists of the following:
a. Information that derives independent economic value,
actual or potential, from not being generally known to, and not
being readily ascertainable by proper means by, other persons
who can obtain economic value from its disclosure or use.
b. Information that is the subject of efforts that are
reasonable under the circumstances to maintain its secrecy.
Sec. 2. NEW SECTION. 715D.2 Scope and exemptions.
1. This chapter applies to a person conducting business in
the state or producing products or services that are targeted
to consumers who are residents of the state and that during a
calendar year does either of the following:
a. Controls or processes personal data of at least one
hundred thousand consumers.
b. Controls or processes personal data of at least
twenty-five thousand consumers and derives over fifty percent
of gross revenue from the sale of personal data.
2. This chapter shall not apply to the state or any
political subdivision of the state; financial institutions,
affiliates of financial institutions, or data subject to Tit.V
of the federal Gramm-Leach-Bliley Act of 1999, l5 U.S.C.§6801
et seq.; persons who are subject to and comply with regulations
-6-promulgated pursuant to Tit.II, subtit.F, of the federal
Health Insurance Portability and Accountability Act of 1996,
Pub.L.No.104-191, and Tit.XIII, subtit.D, of the federal
Health Information Technology for Economic and Clinical Health
Act of 2009, 42 U.S.C. §17921 - 17954; nonprofit organizations;
or institutions of higher education.
3. The following information and data is exempt from this
chapter:
a. Protected health information under HIPAA.
b. Health records.
c. Patient identifying information for purposes of 42 U.S.C.
§290dd-2.
d. Identifiable private information for purposes of the
federal policy for the protection of human subjects under 45
C.F.R. pt.46.
e. Identifiable private information that is otherwise
information collected as part of human subjects research
pursuant to the good clinical practice guidelines issued by
the international council for harmonization of technical
requirements for pharmaceuticals for human use.
f. The protection of human subjects under 21 C.F.R. pts.6,
50, and 56.
g. Personal data used or shared in research conducted in
accordance with the requirements set forth in this chapter, or
other research conducted in accordance with applicable law.
h. Information and documents created for purposes of the
federal Health Care Quality Improvement Act of 1986, 42 U.S.C.
§11101 et seq.
i. Patient safety work product for purposes of the federal
Patient Safety and Quality Improvement Act, 42 U.S.C. §299b-21
et seq.
j. Information derived from any of the health care-related
information listed in this subsection that is de-identified in
accordance with the requirements for de-identification pursuant
to HIPAA.
-7- k. Information originating from, and intermingled to be
indistinguishable with, or information treated in the same
manner as information exempt under this subsection that is
maintained by a covered entity or business associate as defined
by HIPAA or a program or a qualified service organization as
defined by 42 U.S.C. §290dd-2.
l. Information used only for public health activities and
purposes as authorized by HIPAA.
m. The collection, maintenance, disclosure, sale,
communication, or use of any personal information bearing on a
consumer’s credit worthiness, credit standing, credit capacity,
character, general reputation, personal characteristics, or
mode of living by a consumer reporting agency or furnisher that
provides information for use in a consumer report, and by a
user of a consumer report, but only to the extent that such
activity is regulated by and authorized under the federal Fair
Credit Reporting Act, 15 U.S.C. §1681 et seq.
n. Personal data collected, processed, sold, or disclosed in
compliance with the federal Driver’s Privacy Protection Act of
1994, 18 U.S.C. §2721 et seq.
o. Personal data regulated by the federal Family Educational
Rights and Privacy Act, 20 U.S.C. §1232 et seq.
p. Personal data collected, processed, sold, or disclosed in
compliance with the federal Farm Credit Act, 12 U.S.C. §2001
et seq.
q. Data processed or maintained as follows:
(1) In the course of an individual applying to, employed
by, or acting as an agent or independent contractor of a
controller, processor, or third party, to the extent that the
data is collected and used within the context of that role.
(2) As the emergency contact information of an individual
under this chapter used for emergency contact purposes.
(3) That is necessary to retain to administer benefits
for another individual relating to the individual under
subparagraph (1) and used for the purposes of administering
-8-those benefits.
r. Personal data used in accordance with the federal
Children’s Online Privacy Protection Act, 15 U.S.C. §6501 –
6506, and its rules, regulations, and exceptions thereto.
Sec. 3. NEW SECTION. 715D.3 Consumer data rights.
1. A consumer may invoke the consumer rights authorized
pursuant to this section at any time by submitting a request to
the controller, through the means specified by the controller
pursuant to section 715D.4, subsection 6, specifying the
consumer rights the consumer wishes to invoke. A known child’s
parent or legal guardian may invoke such consumer rights
on behalf of the known child regarding processing personal
data belonging to the child. A controller shall comply with
an authenticated consumer request to exercise all of the
following:
a. To confirm whether a controller is processing the
consumer’s personal data and to access such personal data.
b. To delete personal data provided by the consumer.
c. To obtain a copy of the consumer’s personal data, except
as to personal data that is defined as “personal information”
pursuant to section 715C.1 that is subject to security breach
protection, that the consumer previously provided to the
controller in a portable and, to the extent technically
practicable, readily usable format that allows the consumer
to transmit the data to another controller without hindrance,
where the processing is carried out by automated means.
d. To opt out of the sale of personal data.
2. Except as otherwise provided in this chapter, a
controller shall comply with a request by a consumer to
exercise the consumer rights authorized pursuant to this
section as follows:
a. A controller shall respond to the consumer without
undue delay, but in all cases within ninety days of receipt
of a request submitted pursuant to the methods described in
this section. The response period may be extended once by
-9-forty-five additional days when reasonably necessary upon
considering the complexity and number of the consumer’s
requests by informing the consumer of any such extension within
the initial ninety-day response period, together with the
reason for the extension.
b. If a controller declines to take action regarding the
consumer’s request, the controller shall inform the consumer
without undue delay of the justification for declining to take
action, except in the case of a suspected fraudulent request,
in which case the controller may state that the controller was
unable to authenticate the request. The controller shall also
provide instructions for appealing the decision pursuant to
subsection 3.
c. Information provided in response to a consumer request
shall be provided by a controller free of charge, up to
twice annually per consumer. If a request from a consumer
is manifestly unfounded, excessive, repetitive, technically
unfeasible, or the controller reasonably believes that the
primary purpose of the request is not to exercise a consumer
right, the controller may charge the consumer a reasonable fee
to cover the administrative costs of complying with the request
or decline to act on the request. The controller bears the
burden of demonstrating the manifestly unfounded, excessive,
repetitive, or technically unfeasible nature of the request.
d. If a controller is unable to authenticate a request
using commercially reasonable efforts, the controller shall
not be required to comply with a request to initiate an action
under this section and may request that the consumer provide
additional information reasonably necessary to authenticate the
consumer and the consumer’s request.
3. A controller shall establish a process for a consumer
to appeal the controller’s refusal to take action on a request
within a reasonable period of time after the consumer’s
receipt of the decision pursuant to this section. The appeal
process shall be conspicuously available and similar to the
-10-process for submitting requests to initiate action pursuant
to this section. Within sixty days of receipt of an appeal,
a controller shall inform the consumer in writing of any
action taken or not taken in response to the appeal, including
a written explanation of the reasons for the decision. If
the appeal is denied, the controller shall also provide the
consumer with an online mechanism through which the consumer
may contact the attorney general to submit a complaint.
Sec. 4. NEW SECTION. 715D.4 Data controller duties.
1. A controller shall adopt and implement reasonable
administrative, technical, and physical data security practices
to protect the confidentiality, integrity, and accessibility
of personal data. Such data security practices shall be
appropriate to the volume and nature of the personal data at
issue.
2. A controller shall not process sensitive data collected
from a consumer for a nonexempt purpose without the consumer
having been presented with clear notice and an opportunity to
opt out of such processing, or, in the case of the processing
of sensitive data concerning a known child, without processing
such data in accordance with the federal Children’s Online
Privacy Protection Act, 15 U.S.C. §6501 et seq.
3. A controller shall not process personal data in
violation of state and federal laws that prohibit unlawful
discrimination against a consumer. A controller shall not
discriminate against a consumer for exercising any of the
consumer rights contained in this chapter, including denying
goods or services, charging different prices or rates for
goods or services, or providing a different level of quality
of goods and services to the consumer. However, nothing in
this chapter shall be construed to require a controller to
provide a product or service that requires the personal data
of a consumer that the controller does not collect or maintain
or to prohibit a controller from offering a different price,
rate, level, quality, or selection of goods or services to a
-11-consumer, including offering goods or services for no fee,
if the consumer has exercised the consumer’s right to opt
out pursuant to section 715D.3 or the offer is related to a
consumer’s voluntary participation in a bona fide loyalty,
rewards, premium features, discounts, or club card program.
4. Any provision of a contract or agreement that purports to
waive or limit in any way consumer rights pursuant to section
715D.3 shall be deemed contrary to public policy and shall be
void and unenforceable.
5. A controller shall provide consumers with a reasonably
accessible, clear, and meaningful privacy notice that includes
the following:
a. The categories of personal data processed by the
controller.
b. The purpose for processing personal data.
c. How consumers may exercise their consumer rights pursuant
to section 715D.3, including how a consumer may appeal a
controller’s decision with regard to the consumer’s request.
d. The categories of personal data that the controller
shares with third parties, if any.
e. The categories of third parties, if any, with whom the
controller shares personal data.
6. If a controller sells a consumer’s personal data to third
parties or engages in targeted advertising, the controller
shall clearly and conspicuously disclose such activity, as well
as the manner in which a consumer may exercise the right to opt
out of such activity.
7. A controller shall establish, and shall describe in
a privacy notice, secure and reliable means for consumers to
submit a request to exercise their consumer rights under this
chapter. Such means shall consider the ways in which consumers
normally interact with the controller, the need for secure and
reliable communication of such requests, and the ability of
the controller to authenticate the identity of the consumer
making the request. A controller shall not require a consumer
-12-to create a new account in order to exercise consumer rights
pursuant to section 715D.3, but may require a consumer to use
an existing account.
Sec. 5. NEW SECTION. 715D.5 Processor duties.
1. A processor shall assist a controller in duties
required under this chapter, taking into account the nature of
processing and the information available to the processor by
appropriate technical and organizational measures, insofar as
is reasonably practicable, as follows:
a. To fulfill the controller’s obligation to respond to
consumer rights requests pursuant to section 715D.3.
b. To meet the controller’s obligations in relation to the
security of processing the personal data and in relation to the
notification of a security breach of the processor pursuant to
section 715C.2.
2. A contract between a controller and a processor shall
govern the processor’s data processing procedures with respect
to processing performed on behalf of the controller. The
contract shall clearly set forth instructions for processing
personal data, the nature and purpose of processing, the type
of data subject to processing, the duration of processing, and
the rights and duties of both parties. The contract shall also
include requirements that the processor shall do all of the
following:
a. Ensure that each person processing personal data is
subject to a duty of confidentiality with respect to the data.
b. At the controller’s direction, delete or return all
personal data to the controller as requested at the end of the
provision of services, unless retention of the personal data
is required by law.
c. Upon the reasonable request of the controller, make
available to the controller all information in the processor’s
possession necessary to demonstrate the processor’s compliance
with the obligations in this chapter.
d. Engage any subcontractor or agent pursuant to a written
-13-contract in accordance with this section that requires the
subcontractor to meet the duties of the processor with respect
to the personal data.
3. Nothing in this section shall be construed to relieve a
controller or a processor from imposed liabilities by virtue
of the controller or processor’s role in the processing
relationship as defined by this chapter.
4. Determining whether a person is acting as a controller or
processor with respect to a specific processing of data is a
fact-based determination that depends upon the context in which
personal data is to be processed. A processor that continues
to adhere to a controller’s instructions with respect to a
specific processing of personal data remains a processor.
Sec. 6. NEW SECTION. 715D.6 Processing data — exemptions.
1. Nothing in this chapter shall be construed to require the
following:
a. A controller or processor to re-identify de-identified
data or pseudonymous data.
b. Maintaining data in identifiable form.
c. Collecting, obtaining, retaining, or accessing any
data or technology, in order to be capable of associating an
authenticated consumer request with personal data.
2. Nothing in this chapter shall be construed to require
a controller or processor to comply with an authenticated
consumer rights request, pursuant to section 715D.3, if all of
the following apply:
a. The controller is not reasonably capable of associating
the request with the personal data or it would be unreasonably
burdensome for the controller to associate the request with the
personal data.
b. The controller does not use the personal data to
recognize or respond to the specific consumer who is the
subject of the personal data, or associate the personal data
with other personal data about the same specific consumer.
c. The controller does not sell the personal data to any
-14-third party or otherwise voluntarily disclose the personal data
to any third party other than a processor, except as otherwise
permitted in this chapter.
3. Consumer rights contained in sections 715D.3 and 715D.4
shall not apply to pseudonymous data in cases where the
controller is able to demonstrate any information necessary
to identify the consumer is kept separately and is subject to
appropriate technical and organizational measures to ensure
that the personal data is not attributed to an identified or
identifiable natural person.
4. Controllers that disclose pseudonymous data or
de-identified data shall exercise reasonable oversight to
monitor compliance with any contractual commitments to which
the pseudonymous data or de-identified data is subject and
shall take appropriate steps to address any breaches of those
contractual commitments.
Sec. 7. NEW SECTION. 715D.7 Limitations.
1. Nothing in this chapter shall be construed to restrict a
controller’s or processor’s ability to do the following:
a. Comply with federal, state, or local laws, rules, or
regulations.
b. Comply with a civil, criminal, or regulatory inquiry,
investigation, subpoena, or summons by federal, state, local,
or other governmental authorities.
c. Cooperate with law enforcement agencies concerning
conduct or activity that the controller or processor reasonably
and in good faith believes may violate federal, state, or local
laws, rules, or regulations.
d. Investigate, establish, exercise, prepare for, or defend
legal claims.
e. Provide a product or service specifically requested by a
consumer or parent or guardian of a child, perform a contract
to which the consumer or parent or guardian of a child is a
party, including fulfilling the terms of a written warranty, or
take steps at the request of the consumer or parent or guardian
-15-of a child prior to entering into a contract.
f. Take immediate steps to protect an interest that is
essential for the life or physical safety of the consumer or
of another natural person, and where the processing cannot be
manifestly based on another legal basis.
g. Prevent, detect, protect against, or respond to security
incidents, identity theft, fraud, harassment, malicious or
deceptive activities, or any illegal activity.
h. Preserve the integrity or security of systems.
i. Investigate, report, or prosecute those responsible for
any such action.
j. Engage in public or peer-reviewed scientific or
statistical research in the public interest that adheres to
all other applicable ethics and privacy laws and is approved,
monitored, and governed by an institutional review board, or
similar independent oversight entities that determine the
following:
(1) If the deletion of the information is likely to provide
substantial benefits that do not exclusively accrue to the
controller.
(2) The expected benefits of the research outweigh the
privacy risks.
(3) If the controller has implemented reasonable safeguards
to mitigate privacy risks associated with research, including
any risks associated with re-identification.
k. Assist another controller, processor, or third party with
any of the obligations under this subsection.
2. The obligations imposed on a controller or processor
under this chapter shall not restrict a controller’s or
processor’s ability to collect, use, or retain data as follows:
a. To conduct internal research to develop, improve, or
repair products, services, or technology.
b. To effectuate a product recall.
c. To identify and repair technical errors that impair
existing or intended functionality.
-16- d. To perform internal operations that are reasonably
aligned with the expectations of the consumer or reasonably
anticipated based on the consumer’s existing relationship with
the controller or are otherwise compatible with processing
data in furtherance of the provision of a product or service
specifically requested by a consumer or parent or guardian of a
child or the performance of a contract to which the consumer or
parent or guardian of a child is a party.
3. The obligations imposed on controllers or processors
under this chapter shall not apply where compliance by the
controller or processor with this chapter would violate an
evidentiary privilege under the laws of the state. Nothing
in this chapter shall be construed to prevent a controller or
processor from providing personal data concerning a consumer to
a person covered by an evidentiary privilege under the laws of
the state as part of a privileged communication.
4. A controller or processor that discloses personal data
to a third-party controller or processor, in compliance with
the requirements of this chapter, is not in violation of
this chapter if the third-party controller or processor that
receives and processes such personal data is in violation of
this chapter, provided that, at the time of disclosing the
personal data, the disclosing controller or processor did not
have actual knowledge that the recipient intended to commit a
violation. A third-party controller or processor receiving
personal data from a controller or processor in compliance with
the requirements of this chapter is likewise not in violation
of this chapter for the offenses of the controller or processor
from which it receives such personal data.
5. Nothing in this chapter shall be construed as an
obligation imposed on a controller or a processor that
adversely affects the privacy or other rights or freedoms
of any persons, such as exercising the right of free speech
pursuant to the first amendment to the United States
Constitution, or applies to personal data by a person in the
-17-course of a purely personal or household activity.
6. Personal data processed by a controller pursuant to
this section shall not be processed for any purpose other than
those expressly listed in this section unless otherwise allowed
by this chapter. Personal data processed by a controller
pursuant to this section may be processed to the extent that
such processing is as follows:
a. Reasonably necessary and proportionate to the purposes
listed in this section.
b. Adequate, relevant, and limited to what is necessary
in relation to the specific purposes listed in this section.
Personal data collected, used, or retained pursuant to
this section shall, where applicable, take into account
the nature and purpose or purposes of such collection, use,
or retention. Such data shall be subject to reasonable
administrative, technical, and physical measures to protect the
confidentiality, integrity, and accessibility of the personal
data.
7. If a controller processes personal data pursuant to an
exemption in this section, the controller bears the burden of
demonstrating that such processing qualifies for the exemption
and complies with the requirements in subsection 6.
8. Processing personal data for the purposes expressly
identified in subsection 1 shall not in and of itself make an
entity a controller with respect to such processing.
9. This chapter shall not require a controller, processor,
third party, or consumer to disclose trade secrets.
Sec. 8. NEW SECTION. 715D.8 Enforcement — penalties.
1. The attorney general shall have exclusive authority to
enforce the provisions of this chapter. Whenever the attorney
general has reasonable cause to believe that any person has
engaged in, is engaging in, or is about to engage in any
violation of this chapter, the attorney general is empowered to
issue a civil investigative demand. The provisions of section
685.6 shall apply to civil investigative demands issued under
-18-this chapter.
2. Prior to initiating any action under this chapter,
the attorney general shall provide a controller or processor
ninety days’ written notice identifying the specific provisions
of this chapter the attorney general alleges have been or
are being violated. If within the ninety-day period, the
controller or processor cures the noticed violation and
provides the attorney general an express written statement that
the alleged violations have been cured and that no further such
violations shall occur, no action shall be initiated against
the controller or processor.
3. If a controller or processor continues to violate this
chapter following the cure period in subsection 2 or breaches
an express written statement provided to the attorney general
under that subsection, the attorney general may initiate an
action in the name of the state and may seek an injunction to
restrain any violations of this chapter and civil penalties of
up to seven thousand five hundred dollars for each violation
under this chapter. Any moneys collected under this section
including civil penalties, costs, attorney fees, or amounts
which are specifically directed shall be paid into the consumer
education and litigation fund established under section
714.16C.
4. Nothing in this chapter shall be construed as providing
the basis for, or be subject to, a private right of action for
violations of this chapter or under any other law.
Sec. 9. NEW SECTION. 715D.9 Preemption.
1. This chapter supersedes and preempts all rules,
regulations, codes, ordinances, and other laws adopted by a
city, county, municipality, or local agency regarding the
processing of personal data by controllers or processors.
2. Any reference to federal, state, or local law or statute
in this chapter shall be deemed to include any accompanying
rules or regulations or exemptions thereto, or in the case of a
federal agency, guidance issued by such agency thereto.
-19- Sec. 10. EFFECTIVE DATE. This Act takes effect January 1,
2025.
______________________________
AMY SINCLAIR
President of the Senate
______________________________
PAT GRASSLEY
Speaker of the House
I hereby certify that this bill originated in the Senate and
is known as Senate File 262, Ninetieth General Assembly.
______________________________
W. CHARLES SMITHSON
Secretary of the Senate
Approved _______________, 2023
______________________________
KIM REYNOLDS
Governor
es/rn