Press "Enter" to skip to content

Iowa Becomes Sixth State to Enact Comprehensive Consumer Data Privacy Law

state privacy legislationIowa Gov. Kim Reynolds on March 28 signed into law SF 262, making Iowa the sixth state to enact comprehensive consumer data privacy legislation.  The other states are California, Virginia, Colorado, Utah, and Connecticut.  The law will take effect Jan. 1, 2025.

In her press release, Gov. Reynolds stated, “In our digital age, it’s never been more important to state, clearly and unmistakably, that consumers deserve a reasonable level of transparency and control over their personal data. That’s exactly what this bill does, making Iowa just the sixth state to provide this kind of comprehensive protection.”


The bill applies to any person conducting business in Iowa or producing products or services that are targeted to Iowans and that during a calendar year does either of the following: 

  1. Controls or processes personal data of at least 100,000 consumers; or
  2. Controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.

Importantly, the law exempts financial institutions, their affiliates, and data subject to the Gramm-Leach Bliley Act. Also exempt, among others, are persons and certain data subject to the Health Insurance Portability and Accountability Act, and personal information to the extent its use is regulated and authorized by the Fair Credit Reporting Act.


Consumers are provided with the right to:

  1. confirm whether a controller is processing the consumer’s personal data and to access such personal data;
  2. delete personal data provided by the consumer;
  3. obtain a copy of the consumer’s personal data; and
  4. opt out of the sale of personal data.

A contract between a controller and a processor must include certain provisions to ensure that:

  1. each person processing personal data is subject to a duty of confidentiality;
  2. a processor will delete or return all personal data to the controller upon request;
  3. a processor will provide a controller with all information necessary to demonstrate the processor’s compliance; and
  4. any subcontractor or agent of the processor will meet the duties of the processor pursuant to a written contract.

The Attorney General has the exclusive authority to enforce the law. Prior to taking any action, the Attorney General must provide a controller or processor 90 days to cure the violation. In the absence of a cure, civil penalties of up to $7,500 may be sought for each violation.


The law preempts “all rules, regulations, codes, ordinances, and other laws adopted by a city, county, municipality, or local agency regarding the processing of personal data by controllers or processors.”


The Iowa law is very similar to the data privacy laws in Virginia, Colorado, Utah, and Connecticut, so for businesses gearing up to comply with the law in one or more of those other states there should be little additional effort to include Iowa.

Iowa’s law is generally more business friendly since it does not include the right to correct and does not require opt in for processing sensitive data.  It also has a generous 90-day period for responding to consumer requests with a possible 45-day extension (Virginia, Colorado, Utah, and Connecticut are 45 and 45), and a 90-day cure period for violations (Virginia and Utah are 30, and Colorado and Connecticut are 60).

For more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.

Photo: Grindstone Media Grp/

Print Friendly, PDF & Email

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.