Two New State Data Privacy Laws
In addition to comprehensive data privacy laws in California, Colorado, Virginia, Utah and Connecticut, and more under consideration in states such as Texas, state legislatures in Iowa and Indiana have passed two new data privacy laws. Iowa’s governor has signed its law, while Indiana’s governor is expected to sign its law on April 20, 2023. More detail on each is provided below.
[Update: As of 4/21, it appears that the Indiana governor neither signed nor vetoed SB 5. Since the legislature passed it on 4/13 and the governor took no action, it should now be enacted by operation of law.]
On March 28, 2023, Iowa’s governor signed “An Act Relating to Consumer Data Protection”, making Iowa the sixth state to enact a comprehensive data privacy law. The Iowa Senate and House unanimously passed the bill, which will take effect on January 1, 2025. Iowa’s law applies to companies that: (1) control or process data of at least 100,000 Iowa consumers, or (2) control or process data of at least 25,000 Iowa consumers and derive 50% of their revenue from the sale of personal data.
The law exempts data regulated by the Fair Credit Reporting Act (FCRA). Exceptions also exist for state and municipal entities, political subdivisions, banks, and financial companies subject to the Gramm-Leach-Bliley Act (GLBA), and healthcare organizations as specified in the statute subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), non-profits, higher education institutions including Family Educational Rights and Privacy Act (FERPA) data, data governed by the Children’s Online Privacy Protection Act of 1998 (COPPA) and certain information related to employment.
The law includes many of the same types of provisions as in other state laws, assigning specific requirements to data controllers and processors, and establishing rights of data subjects, including the right to confirm that processing will occur, rights of access and deletion, obtaining a copy of personal data, and opting out of sales of personal data. Controllers must provide a privacy notice that identifies categories for processing and sharing of personal data, and how consumers can exercise their rights. Processors and controllers must execute an agreement concerning the scope of the processor’s services provided at the direction of the controller. The new law does not create a private right of action but permits consumers to report violations to the Iowa Attorney General. Before an enforcement action is commenced, an entity suspected of violating the data privacy law is provided a 90-day cure period. Subsequently, the Iowa Attorney General may seek injunctive relief and levy a civil penalty of up to $7,500 per violation.
View Iowa's law here.
April 20, 2023, is the deadline for Indiana’s governor to sign the Indiana Consumer Data Privacy Act (SB 5). Indiana’s law most closely aligns with the Virginia Consumer Data Protection Act (“VCDPA”), and is less onerous than the laws of some of the other states. The law applies to businesses (1) that conduct business in Indiana or produce products or services that are targeted to Indiana residents; and (2) that (a) control or process the personal data of at least 100,000 consumers during a calendar year; or (b) control or process the personal data of at least 25,000 consumers during a calendar year and derive more than 50% of gross revenue from the sale of personal data.
The law provides rights and provisions similar to those of other states. Like Utah and Virginia, the law defines “sale” as encompassing monetary consideration and not “other valuable consideration.” Three somewhat notable aspects are unique to Indiana’s law: (1) with respect to data portability, controllers possess discretion to either provide a complete copy of a consumer’s data or, alternatively, a “representative summary” of the data; (2) the right to opt out of profiling extends only to processing carried out “solely” by automated means; and (3) the right to correct extends only to personal data that was previously provided by the consumer to the controller, which is narrower than in other states, which extend this consumer right to all data in the controller’s possession.
The effective date of the law is July 1, 2026, designed to give the state additional time to assess how businesses may implement similar state laws. This not only provides companies with time to modify their compliance programs, but also affords legislators the opportunity to amend the current version.
View Indiana's law here.