Iowa Becomes Sixth State to Enact Privacy Law

Iowa Becomes Sixth State to Enact Privacy Law

On March 28, 2023, Iowa Governor Kim Reynolds signed Senate File 262 (“Iowa Privacy Act”) into law, making Iowa the sixth state to enact a comprehensive privacy law, and the first state to do so in 2023.

The Iowa Privacy Act, which takes effect on January 1, 2025, contains many similar provisions as other enacted state privacy laws, but most closely aligns with the Virginia Consumer Data Protection Act and the Utah Consumer Privacy Act. However, a few key differences make the Iowa Privacy Act arguably a “lighter-touch” regulation:

  • No private right of action; 90-day right to cure
  • Provides GLBA (entity and data-based), HIPAA (entity and data-based), FCRA (data-based), and other exemptions
  • No consumer correction right
  • Controllers have 90 days to respond to consumer requests, with an additional 45-day extension if necessary
  • Does not require controllers to recognize consumer opt-outs via global opt-out mechanisms
  • Can collect sensitive personal data upon first providing clear notice and an opportunity for the consumer to opt-out rather than opt-in like in some other privacy laws (sensitive data concerning a known child must be processed in accordance with COPPA)
  • No data protection assessment requirement

As expected, the privacy landscape in the United States is rapidly evolving in 2023. Privacy laws in California and Virginia went into effect on January 1, 2023, while privacy laws in Colorado and Connecticut take effect on July 1, 2023. Rounding out the year, Utah’s comprehensive privacy framework is effective on December 31, 2023.

Over 20 states have introduced comprehensive privacy bills in the first quarter of 2023. Federal lawmakers declared passing a data privacy law as a top priority for 2023 after the American Data Privacy and Protection Act stalled in 2022. Several privacy bills have been introduced in 2023, but no bill has yet to reach floor vote.

In California, the California Privacy Protection Agency (CPPA), tasked with implementing and enforcing the California Privacy Rights Act (CPRA), submitted the first round of CPRA regulations to California’s Office of Administrative Law on February 14 for final review and approval. No information has been released as to whether that Office approved or denied any of the proposed regulations, though it is expected that the regulations will take effect in late April. Also in February, the CPPA started the informal rulemaking process for the second round of CPRA regulations covering topics like automated decision-making, risk assessments, and cybersecurity audits.

In mid-March, the Colorado Attorney General approved the final version of the Colorado Privacy Act regulations, which go into effect on July 1, 2023.  No corresponding regulations to privacy laws in Virginia, Connecticut, or Utah have been proposed.

Businesses that are complying with California and Virginia privacy laws, or are working to comply with other state privacy laws taking effect later in 2023, should examine how to leverage current compliance to cover the Iowa Privacy Act prior to its effective date.


Aaron works across numerous highly-regulated industries, helping them comply with state and federal laws related to privacy and data security, cannabis, marketing, teleservices, and other consumer protection matters.

2560 1708 Aaron Parry
Share This Post:
Start Typing
Skip to content