Iowa becomes sixth state with its own data privacy law

Iowa's new law is most similar to Utah's, as it also defines personal data. The law is set to take effect on Jan. 1, 2025.
Iowa Gov. Kim Reynolds
Iowa Gov. Kim Reynolds speaks during a meeting at the White House on June 26, 2020. (Mandel Ngan / AFP / Getty Images)

Iowa became the sixth state with its own consumer data privacy law on Tuesday after Gov. Kim Reynolds signed bill S.F. 262.

Iowa joins California, Virginia, Utah, Connecticut and Colorado as the only states in the U.S. with a comprehensive data privacy law on the books. Iowa’s bill passed unanimously in the state’s House and Senate earlier this month. The law is set to take effect on Jan. 1, 2025.

While the Iowa privacy law is similar to the five others, it bears the most similarity to Utah’s law, the Utah Consumer Privacy Act, as it also defines personal data.

Like the laws in Virginia and Utah, Iowa’s privacy law applies to businesses that either control or process personal data of at least 100,000 consumers in Iowa, or control or process personal data of at least 25,000 Iowan consumers and derive over 50% of their gross revenue from the sale of that data.


It also lays out consumer data privacy rights, which include the right to confirm whether a controller is processing data and to access that data, the right to delete data provided by the consumer, the right to data portability, the right to opt out of data sales and the right to non-retaliation for exercising consumer rights.

Iowa’s framework differs, however, from a few others since it requires covered entities to provide a clear notice of data usage and opt-out option for sensitive data — which it defines as racial or ethnic origin, religious beliefs, mental or physical diagnosis, sexual orientation, citizenship or immigration status. Colorado, Connecticut and Virginia have opt-in requirements.

Iowa’s law does not contain a private right of action, which means plaintiffs in Iowa would not be able to bring cases against entities for non-compliance. Instead, compliance with the law will be enforced exclusively by the Iowa Attorney General, who must provide entities 90 days to correct compliance issues.

“In our digital age, it’s never been more important to state, clearly and unmistakably, that consumers deserve a reasonable level of transparency and control over their personal data,” Reynolds said in a news release. “That’s exactly what this bill does, making Iowa just the sixth state to provide this kind of comprehensive protection.”

Iowa’s new law arrives as many states begin to take both consumer and government operation privacy issues into their own hands and as efforts to enact a comprehensive privacy law at the federal have stalled out.

Latest Podcasts