Author

Amanda Anderson

4A's VP, Government Relations

Topic

  • Government Relations
  • Privacy Law

On March 15, 2023 the Iowa legislature unanimously advanced the country’s sixth state comprehensive data privacy law, SF 262. Governor Reynolds signed the legislation on March 28, 2023. SF 262 will go into effect on January 1, 2025.

Covered entities are subject to SF 262 if they control or process personal data on 100,000 Iowan consumers or derive 50% of revenue from selling the data of more than 25,000 consumers. The bill offers some consumer rights (access, deletion, portability, and opt-out of sale), 90-day periods for data subject request responses, and a non-sunsetting right to cure for violations. The bill also allows a business 90 days to cure any violations of the act should the Iowa Attorney General send the business written notice of any issues. This is notable as no other state law allows more than 60 days to cure upon notice of a violation. The Iowa Attorney General will have exclusive enforcement authority and may issue fines of up to $7,500.00 per violation. 

Iowa’s bill has notable divergence from the interoperability found in most existing state laws. It does not contain a sensitive data opt-in consent requirement nor require a user’s right to correct. It also does not require covered entities to conduct risk assessments or practice purpose limitation and/or data minimization. Iowa’s data subject response provision also contains a potential 45-day extension to the 90-day response period, contrasting from the standard 45-day response period other states carry.

Notably missing from the bill are private right of action enforcement, required data protection assessments, attorney general rulemaking authority, the required recognition of browser-based or app-based, universal opt-out signals (i.e. global privacy control signals), and the ability to opt out of targeted advertising. 

Iowa’s privacy legislation shares the same basic framework as privacy laws enacted in Colorado, Connecticut, Utah and Virginia in recent years. However, SF 262 runs closest to Utah’s existing law. Given SF 262’s likeness to established state frameworks already enacted, Iowa’s bill isn’t expected to put heavy compliance burdens on businesses complying with existing comprehensive state privacy laws. See how Iowa’s SF 262 stacks up against other U.S. state privacy laws here

Want to learn more about Iowa SF 262? Please contact Amanda Anderson, 4As Director of Government Relations.

Related Posts

View All Posts
A bald man in a gray blazer writes notes during a conference. He is surrounded by people seated at tables. The atmosphere is focused and professional.

03/05/2025

White House Seeks Public Comment on U.S. AI Strategy

Learn More
A woman in a blue sweater speaks into a microphone during a meeting or conference. She is seated at a table with a cup of coffee and a smartphone in front of her. Other attendees are seated nearby, listening attentively.

03/05/2025

Oklahoma Bill Introduced to Broadly Ban DTC Pharmaceutical Advertising

Learn More

02/03/2025

U.S. Copyright Office Publishes Part 2 of AI Report, Offering Clarity on Copyright for Generative AI Outputs

Learn More
View All Posts