What You Need To Know About Iowa’s and Indiana’s New Consumer Privacy Laws
AuthorsJason M. Schwent , Melissa K. Ventrone
On March 28, Iowa’s six-year-long effort to pass comprehensive consumer data privacy legislation was finally completed, making Iowa the sixth state to pass such a law. Just over two weeks later, Indiana’s legislature passed its own comprehensive consumer data privacy law (with Governor Eric Holcomb expected to sign the bill into law shortly) to make Indiana the seventh state with such comprehensive legislation. The new Iowa law (the Iowa Act Relating to Consumer Data Protection) is set to take effect on Jan. 1, 2025, and the Indiana law (the Indiana Consumer Data Protection law) a year later on Jan. 1, 2026.
Not only were both laws passed within a short time of one another, but they both share quite a few similarities to one another and to other similar comprehensive data privacy laws. For those who do business in Iowa or Indiana or have Iowa or Indiana consumers, here are important features of the new laws’ applicability and effects on consumer rights and business obligations.
Both the Iowa law and Indiana’s approved bill apply to (a) entities that do business in those states; and (b) to entities that target the residents of Iowa or Indiana. Both states delineate between those who collect and control data and those who process data for others. To be subject to the laws, both statutes provide that they apply to businesses that, in the prior calendar year:
- Control or process the data of at least 100,000 residents; or
- Control or process personal data of at least 25,000 residents and derive over 50% of gross revenue from the sale of personal data.
Both laws define consumers as residents of the state acting in a noncommercial and nonemployment context (as opposed to CPRA which applies to employees for instance).
Both laws also create a number of consumer rights.
|Iowa Consumer Rights||Indiana Consumer Rights|
|The right to confirm whether an entity subject to the law is processing the consumer’s data and to access that data;||The right to confirm whether an entity is processing the consumer’s personal data and to access that information;|
|The right to delete personal data provided by an Iowa resident to an entity subject to the law;||The right to delete personal data provided by or obtained about the consumer;|
|The right to obtain a copy of the data they provided to an entity covered by the law in a portable and readily usable format that allows the consumer “to transmit the data to another entity without hindrance, where processing is carried out by automated means;”||The right to obtain, at the entity’s discretion, either a copy of or a representative summary of the personal data the consumer provided to the entity;|
|The right to opt-out of the sale of personal data, where the term “sale” includes the exchange of personal data for monetary consideration by an entity covered by the law to a third party.||The right to opt out of the processing of the consumer’s personal data for purposes of:
“Sale” under the Indiana law is defined to mean the exchange of personal data for monetary consideration.
|The right to correct inaccuracies in the consumer’s personal data that was provided by the consumer.|
The Iowa law does not give residents the right to correct their personal data or to opt out of profiling or automated decision-making and does not require Iowa businesses to recognize universal opt-out signals.
Entities covered by the law must respond to consumer rights requests in Iowa within 90 days and, in Indiana, within 45 days. And both laws prohibit discrimination against consumers for exercising their rights under the law and give consumers the right to appeal an entity’s refusal to take action on a consumer request.
One interesting note, under the Indiana law, riverboat casinos are expressly allowed to use facial recognition technology as part of their operations—a unique exception so far in the area of consumer data protection.
Both of these laws increase the importance of and the scrutiny of website privacy policies. In both states, entities subject to these laws are required to provide residents with a privacy notice advising residents of the categories of personal data processed, the purpose for processing the data, the categories of personal data disclosed, the categories of third parties to whom personal data is disclosed, and how consumers can exercise their consumer rights under the law.
Both laws also required that covered entities have contracts with service providers that process consumer data for them and require these contracts to provide instructions for processing personal data, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the rights and duties of both parties to the contract. The contract must also describe the process for retaining data, deleting data, accessing data, and holding subcontractors accountable.
Covered entities are also subject to a number of general requirements with respect to their handling and processing of consumer personal data. Such entities can process personal data, but only that which is reasonably necessary and if it is adequate, relevant, and limited to what is necessary in relation to the specific purposes for its collection. Entities that process data must also implement reasonable physical, technical, and administrative data security practices to protect the confidentiality, integrity, and availability of collected personal data, and these practices must be appropriate to the volume and nature of the data collected.
Under Iowa law, entities can only process sensitive data collected from a consumer for a nonexempt purpose unless they provide the consumer with clear notice and an opportunity to opt out of such processing. Under Indiana law, entities cannot process sensitive data without obtaining the consumer’s consent. And, in both states, collecting and processing sensitive data from a consumer under the age of 13 must be done in accordance with the requirements of the Children’s Online Privacy Protection Act (“COPPA”)—requiring opt-in consent for such collection.
Indiana law also requires covered entities to conduct and document risk assessments whenever they plan to: (1) process personal data for purposes of targeted advertising, (2) sell personal data, (3) process data for the purposes of profiling, (4) process sensitive data, or (5) when processing would involve a heightened risk of harm.
Neither statute creates a private right of action (as is the case in all such similar laws except those in California) as enforcement authority is held exclusively by each state’s Attorney General. Fines under both laws can be for up to $7,500 per violation, but Iowa requires a notice and cure period (90 days in Iowa and 30 days in Indiana) before such fines can be imposed.
How Clark Hill Can Help