Iowa Latest State to Pass Consumer Privacy Law: 5 Things Employers Need to Know
Iowa will soon be the sixth state in the nation with a comprehensive consumer privacy law – but the good news for employers is that it does not apply to data collected in the employment context and does not include a private right of action. Iowa Senate File 262 passed in the House on March 15 after previously passing in the Senate. It is expected to soon be signed into effect by the governor and will take effect on January 1, 2025. What does this law mean for your business? Here are the answers to your five biggest questions.
[Ed. Note: Governor Kim Reynolds signed the bill into law on March 28.]
1. Will Iowa’s Law Catch Businesses By Surprise?
For the most part, no. Companies that are already complying with the other state consumer privacy laws – including California, Utah, Colorado, Connecticut, and Virginia – will find this law familiar. It is most similar to the Utah Consumer Privacy Act, which takes effect December 31.
2. What Does SF262 Require?
3. To Whom Does Iowa’s Law Apply?
The new Iowa law applies to businesses in the state or out-of-state businesses that target their products or services to residents of the state and that:
- control or process personal data of at least 100,000 Iowa residents; or
- derive over 50% of their annual gross revenue from the sale of personal data and also control or process personal data of 25,000 or more Iowa residents.
With this relatively high threshold and current population of Iowa hovering around 3.2 million, most businesses in this state will not be subject to the law.
4. What Exemptions Exist?
Unlike California’s broadly sweeping consumer privacy law which applies to employee and job applicant data, the Iowa law does not apply to data collected, created, or received in the employment context from or about an employee or job applicant for employment-related purposes. Also excluded from SF262’s definition of “consumer” is a person acting in a commercial or employment context. This is a big win for employers in the state.
5. What Are the Penalties for Non-Compliance?
SF262 does not create a private right of action for consumers. Like California’s CCPA, this law gives authority to the Iowa Attorney General to investigate non-compliance and assess penalties of up to $7,500 per violation of the statute.
Nothing in this law comes as a surprise, as it closely aligns with other states’ comprehensive consumer privacy laws. But it is a continuation of the trend sweeping the nation, as over a dozen other states currently have pending consumer privacy legislation. This will likely not be the only state to pass this type of legislation this year.
Fisher Phillips will continue to monitor consumer privacy obligations and provide updates as warranted, so make sure that you are subscribed to Fisher Phillips’ Insights to get the most up-to-date information direct to your inbox. For further information, contact your Fisher Phillips attorney, the authors of this Insight, or an attorney on the firm’s Consumer Privacy Team.