Senate File 262 for an Act relating to consumer data protection was signed, on 28 March 2023, by the Governor of Iowa, thereby becoming law. In particular, the bill was previously signed by the President of the Iowa Senate and the Speaker of the House on the same date, prior to being sent to the Governor. More specifically, the law will apply to a person conducting business in Iowa or producing products or services that are targeted to consumers who are Iowa residents and that during a calendar year does either of the following:

• controls or processes personal data of at least 100,000 consumers; or
• controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.

Additionally, the law provides for consumer data rights, including the right to access, obtain a copy of, and delete personal data, as well as to opt-out of targeted advertising or the sale of personal data. Moreover, the law provides for duties of data controllers, which include:

• adopting and implementing reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data;
• not processing a consumer's sensitive personal information without the consumer having been presented with clear notice and an opportunity to opt out of such processing; and
• providing consumers with a reasonably accessible, clear, and meaningful privacy notice.

Moreover, the law provides for data processor duties, including assisting the data controller in their responsibilities, fulfilling the controller's obligations to respond to requests to exercise consumer rights, and meeting the controller's obligations with respect to the security of processing personal data and the notification of a security breach.

Notably, the law will come into effect on 1 January 2025.

You can read the law here and view its progress here.