Iowa is poised to become the sixth state to adopt a comprehensive data privacy law, after the House unanimously gave final approval to a bill aimed at providing consumers more control over how companies leverage their personal information.
The bill, which previously passed the state Senate with no opposition, now heads to Gov. Kim Reynolds (R).
“It’s more than important for just Iowa citizens — I think it’s important for the country,” said Rep. Ray Sorensen (R), who sponsored a version of the bill last year and helped shepherd the Senate measure through the House this year.
Passage of the Iowa bill signifies another milestone in the effort to enact comprehensive data privacy laws in the states, in the absence of federal law. It has been embraced in both red and blue states.
“What we’re doing ultimately is sending a message to our federal government that something needs to be done here,” Sorensen said. “We need to start working on this for the whole country, not just state by state.”
California, Colorado, Connecticut, Utah and Virginia already enacted similar laws, which empower consumers to ask what data a company has about them, request that data be deleted, and prohibit the sale of their information. The California and Virginia laws are already in effect. The Connecticut, Colorado and Utah laws kick in this year.
The Iowa measure does not go as far as other states.
“Definitely, if this is enacted, consumers in Iowa will have guarantees of new rights and protections,” said Keir Lamont, director for U.S. legislation at the Future of Privacy Forum, a nonpartisan think tank. “But at the same time compared to other states that have acted in this space … the Iowa bill would have a strong claim to be the least protective of those state laws.”
That think tank compared the Iowa bill to Connecticut’s law, which takes effect in July and is viewed as one of the most protective of consumers.
Like Connecticut, the Iowa measure would apply to companies that control or process the personal data of at least 100,000 state residents or possess the data of 25,000 residents and earn more than 50% of their revenues from selling people’s data. It also defines “personal data” similarly.
Unlike in Connecticut, companies would not have to get permission from Iowa consumers to use their data, nor would the law impose stricter limitations on the use of data collected from youth. David Stauss, a data privacy lawyer at Husch Blackwell, said the Iowa measure rivals Utah’s law “as the most business-friendly legislation passed to date.”
Sorensen described the Iowa bill as a hybrid of the Utah and Virginia laws. He said it was developed with input from groups including the Technology Association of Iowa, which took to Twitter to praise the bill’s passage.
In 2018, California was the first state to pass a comprehensive data privacy law. The California Consumer Privacy Act was later expanded by voter initiative. Colorado and Virginia adopted their own privacy measures in 2021, followed by Connecticut and Utah in 2022.
The push for such laws in the U.S. followed enactment of the European Union’s General Data Protection Regulation, which took effect in 2018 and became an international model for governing data privacy.
This year, consumer data privacy bills were introduced in at least 22 states, according to tracking by Husch Blackwell.
Lamont, with the Future of Privacy Forum, said he is monitoring bills this year in Hawaii, Indiana, Montana, New Hampshire, Oklahoma, Oregon and Texas.
The Texas bill is among House Speaker Dade Phelan’s (R) top priorities for the session. The Indiana bill, which failed last year, was passed unanimously by the Senate and received a House hearing this week.
“This bill would protect Hoosiers from the invasive collection of shoppers’ data,” Indiana Sen. Liz Brown (R), the prime sponsor of the bill, said in a statement following the Senate vote in January. “There are currently no federal regulations against this, which is why it’s important to establish data rights for our citizens.”
The Oregon privacy measure, which was introduced at the request of Attorney General Ellen Rosenblum (D), is also drawing attention, Lamont said, because it includes a private right of action. That would allow citizens to directly sue companies for violations of the law.
“If that stays in, that’s going to be a really significant shift for state privacy laws,” Lamont said.
While Congress has not yet acted, a version of the bipartisan American Data Privacy and Protection Act advanced out of the Committee on Energy and Commerce in December by an overwhelming majority. It is likely to be reintroduced in the current Congress.
Lamont said it is another indication that both state and federal lawmakers feel increasing pressure to take steps to protect consumer digital privacy.
“I do think there’s a very real sense of Americans wanting and desiring new rights and protections for the privacy of their personal information, and that is something federal and state lawmakers are responding to,” Lamont said.
While states have called for a federal solution, the bill in Congress is drawing concern from top California officials.
Last month, California Gov. Gavin Newsom (D) and Attorney General Rob Bonta (D) sent a letter to Congress opposing language in the federal bill that would preempt California law.
“California is at the forefront of privacy in response to quickly changing technology,” Bonta said in a statement announcing the letter. “We urge Congress not to undercut the important protections that have been established through efforts by the states. Any federal law should set the floor, not the ceiling for privacy law.”