Senate Study Bill 1071 - Introduced SENATE FILE _____ BY (PROPOSED COMMITTEE ON TECHNOLOGY BILL BY CHAIRPERSON COURNOYER) A BILL FOR An Act relating to consumer data protection, providing civil 1 penalties, and including effective date provisions. 2 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA: 3 TLSB 1267XC (1) 90 es/rn
S.F. _____ Section 1. NEW SECTION . 715D.1 Definitions. 1 As used in this chapter, unless the context otherwise 2 requires: 3 1. Affiliate means a legal entity that controls, is 4 controlled by, or is under common control with another legal 5 entity or shares common branding with another legal entity. 6 For the purposes of this definition, control or controlled 7 means: 8 a. Ownership of, or the power to vote, more than fifty 9 percent of the outstanding shares of any class of voting 10 security of a company. 11 b. Control in any manner over the election of a majority of 12 the directors or of individuals exercising similar functions. 13 c. The power to exercise controlling influence over the 14 management of a company. 15 2. Aggregate data means information that relates to a 16 group or category of consumers, from which individual consumer 17 identities have been removed, that is not linked or reasonably 18 linkable to any consumer. 19 3. Authenticate means verifying through reasonable means 20 that a consumer, entitled to exercise their consumer rights in 21 section 715D.3, is the same consumer exercising such consumer 22 rights with respect to the personal data at issue. 23 4. Biometric data means data generated by automatic 24 measurements of an individuals biological characteristics, 25 such as a fingerprint, voiceprint, eye retinas, irises, or 26 other unique biological patterns or characteristics that is 27 used to identify a specific individual. Biometric data 28 does not include a physical or digital photograph, a video or 29 audio recording or data generated therefrom, or information 30 collected, used, or stored for health care treatment, payment, 31 or operations under HIPAA. 32 5. Child means any natural person younger than thirteen 33 years of age. 34 6. Consent means a clear affirmative act signifying a 35 -1- LSB 1267XC (1) 90 es/rn 1/ 24
S.F. _____ consumers freely given, specific, informed, and unambiguous 1 agreement to process personal data relating to the consumer. 2 Consent may include a written statement, including a 3 statement written by electronic means, or any other unambiguous 4 affirmative action. 5 7. Consumer means a natural person who is a resident of 6 the state acting only in an individual or household context and 7 excluding a natural person acting in a commercial or employment 8 context. 9 8. Controller means a person that, alone or jointly with 10 others, determines the purpose and means of processing personal 11 data. 12 9. Covered entity means the same as covered entity 13 defined by HIPAA. 14 10. De-identified data means data that cannot reasonably 15 be linked to an identified or identifiable natural person. 16 11. Fund means the consumer education and litigation fund 17 established pursuant to section 714.16C. 18 12. Health care provider means any of the following: 19 a. A general hospital, ambulatory surgical or treatment 20 center, skilled nursing center, or assisted living center 21 licensed or certified by the state. 22 b. A psychiatric hospital licensed by the state. 23 c. A hospital operated by the state. 24 d. A hospital operated by the state board of regents. 25 e. A person licensed to practice medicine or osteopathy in 26 the state. 27 f. A person licensed to furnish health care policies or 28 plans in the state. 29 g. A person licensed to practice dentistry in the state. 30 h. Health care provider does not include a continuing care 31 retirement community or any nursing facility of a religious 32 body which depends upon prayer alone for healing. 33 13. Health Insurance Portability and Accountability Act 34 or HIPAA means the federal Health Insurance Portability and 35 -2- LSB 1267XC (1) 90 es/rn 2/ 24
S.F. _____ Accountability Act of 1996, Pub. L. No. 104-191, including 1 amendments thereto and regulations promulgated thereunder. 2 14. Health record means any written, printed, or 3 electronically recorded material maintained by a health care 4 provider in the course of providing health services to an 5 individual concerning the individual and the services provided, 6 including related health information provided in confidence to 7 a health care provider. 8 15. Identified or identifiable natural person means a 9 person who can be readily identified, directly or indirectly. 10 16. Institution of higher education means nonprofit 11 private institutions of higher education and proprietary 12 private institutions of higher education in the state, 13 community colleges, and each associate-degree-granting and 14 baccalaureate public institutions of higher education in the 15 state. 16 17. Nonprofit organization means any corporation organized 17 under chapter 504, any organization exempt from taxation 18 under sections 501(c)(3), 501(c)(6), or 501(c)(12) of the 19 Internal Revenue Code, any organization exempt from taxation 20 under section 501(c)(4) of the Internal Revenue Code that 21 is established to detect or prevent insurance-related crime 22 or fraud, and any subsidiaries and affiliates of entities 23 organized pursuant to chapter 499. 24 18. Personal data means any information that is linked or 25 reasonably linkable to an identified or identifiable natural 26 person. Personal data does not include de-identified or 27 aggregate data or publicly available information. 28 19. Precise geolocation data means information derived 29 from technology, including but not limited to global 30 positioning system level latitude and longitude coordinates or 31 other mechanisms, that identifies the specific location of a 32 natural person with precision and accuracy within a radius of 33 one thousand seven hundred fifty feet. Precise geolocation 34 data does not include the content of communications, or any 35 -3- LSB 1267XC (1) 90 es/rn 3/ 24
S.F. _____ data generated by or connected to advanced utility metering 1 infrastructure systems or equipment for use by a utility. 2 20. Process or processing means any operation or set 3 of operations performed, whether by manual or automated means, 4 on personal data or on sets of personal data, such as the 5 collection, use, storage, disclosure, analysis, deletion, or 6 modification of personal data. 7 21. Processor means a person that processes personal data 8 on behalf of a controller. 9 22. Protected health information means the same as 10 protected health information established by HIPAA. 11 23. Pseudonymous data means personal data that cannot 12 be attributed to a specific natural person without the use 13 of additional information, provided that such additional 14 information is kept separately and is subject to appropriate 15 technical and organizational measures to ensure that 16 the personal data is not attributed to an identified or 17 identifiable natural person. 18 24. Publicly available information means information 19 that is lawfully made available through federal, state, or 20 local government records, or information that a business has 21 reasonable basis to believe is lawfully made available to 22 the general public through widely distributed media, by the 23 consumer, or by a person to whom the consumer has disclosed the 24 information, unless the consumer has restricted the information 25 to a specific audience. 26 25. Sale of personal data means the exchange of personal 27 data for monetary consideration by the controller to a third 28 party. Sale of personal data does not include: 29 a. The disclosure of personal data to a processor that 30 processes the personal data on behalf of the controller. 31 b. The disclosure of personal data to a third party for 32 purposes of providing a product or service requested by the 33 consumer or a parent of a child. 34 c. The disclosure or transfer of personal data to an 35 -4- LSB 1267XC (1) 90 es/rn 4/ 24
S.F. _____ affiliate of the controller. 1 d. The disclosure of information that the consumer 2 intentionally made available to the general public via a 3 channel of mass media and did not restrict to a specific 4 audience. 5 e. The disclosure or transfer of personal data when a 6 consumer uses or directs a controller to intentionally disclose 7 personal data or intentionally interact with one or more third 8 parties. 9 f. The disclosure or transfer of personal data to a third 10 party as an asset that is part of a proposed or actual merger, 11 acquisition, bankruptcy, or other transaction in which the 12 third party assumes control of all or part of the controllers 13 assets. 14 26. Sensitive data means a category of personal data that 15 includes the following: 16 a. Racial or ethnic origin, religious beliefs, mental or 17 physical health diagnosis, sexual orientation, or citizenship 18 or immigration status, except to the extent such data is used 19 in order to avoid discrimination on the basis of a protected 20 class that would violate a federal or state anti-discrimination 21 law. 22 b. Genetic or biometric data that is processed for the 23 purpose of uniquely identifying a natural person. 24 c. The personal data collected from a known child. 25 d. Precise geolocation data. 26 27. State agency means the same as defined in 129 IAC 27 10.2(8B). 28 28. Targeted advertising means displaying advertisements 29 to a consumer where the advertisement is selected based on 30 personal data obtained from that consumers activities over 31 time and across nonaffiliated websites or online applications 32 to predict such consumers preferences or interests. Targeted 33 advertising does not include the following: 34 a. Advertisements based on activities within a controllers 35 -5- LSB 1267XC (1) 90 es/rn 5/ 24
S.F. _____ own or affiliated websites or online applications. 1 b. Advertisements based on the context of a consumers 2 current search query, visit to a website, or online 3 application. 4 c. Advertisements directed to a consumer in response to the 5 consumers request for information or feedback. 6 d. Processing personal data solely for measuring or 7 reporting advertising performance, reach, or frequency. 8 29. Third party means a natural or legal person, public 9 authority, agency, or body other than the consumer, controller, 10 processor, or an affiliate of the processor or the controller. 11 30. Trade secret means information, including but not 12 limited to a formula, pattern, compilation, program, device, 13 method, technique, or process, that consists of the following: 14 a. Information that derives independent economic value, 15 actual or potential, from not being generally known to, and not 16 being readily ascertainable by proper means by, other persons 17 who can obtain economic value from its disclosure or use. 18 b. Information that is the subject of efforts that are 19 reasonable under the circumstances to maintain its secrecy. 20 Sec. 2. NEW SECTION . 715D.2 Scope and exemptions. 21 1. This chapter applies to a person conducting business in 22 the state or producing products or services that are targeted 23 to consumers who are residents of the state and that during a 24 calendar year does either of the following: 25 a. Controls or processes personal data of at least one 26 hundred thousand consumers. 27 b. Controls or processes personal data of at least 28 twenty-five thousand consumers and derives over fifty percent 29 of gross revenue from the sale of personal data. 30 2. This chapter shall not apply to the state or any 31 political subdivision of the state; financial institutions, 32 affiliates of financial institutions, or data subject to Tit. V 33 of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. 6801 34 et seq.; covered entities or business associates governed by 35 -6- LSB 1267XC (1) 90 es/rn 6/ 24
S.F. _____ the privacy, security, and breach notification rules issued by 1 the Iowa department of health and human services; 45 C.F.R. 2 pts. 160 and 164 established pursuant to HIPAA; nonprofit 3 organizations; or institutions of higher education. 4 3. The following information and data is exempt from this 5 chapter: 6 a. Protected health information under HIPAA. 7 b. Health records. 8 c. Patient identifying information for purposes of 42 U.S.C. 9 290dd-2. 10 d. Identifiable private information for purposes of the 11 federal policy for the protection of human subjects under 45 12 C.F.R. pt. 46. 13 e. Identifiable private information that is otherwise 14 information collected as part of human subjects research 15 pursuant to the good clinical practice guidelines issued by 16 the international council for harmonization of technical 17 requirements for pharmaceuticals for human use. 18 f. The protection of human subjects under 21 C.F.R. pts. 6, 19 50, and 56. 20 g. Personal data used or shared in research conducted in 21 accordance with the requirements set forth in this chapter, or 22 other research conducted in accordance with applicable law. 23 h. Information and documents created for purposes of the 24 federal Health Care Quality Improvement Act of 1986, 42 U.S.C. 25 11101 et seq. 26 i. Patient safety work product for purposes of the federal 27 Patient Safety and Quality Improvement Act, 42 U.S.C. 299b-21 28 et seq. 29 j. Information derived from any of the health care-related 30 information listed in this subsection that is de-identified in 31 accordance with the requirements for de-identification pursuant 32 to HIPAA. 33 k. Information originating from, and intermingled to be 34 indistinguishable with, or information treated in the same 35 -7- LSB 1267XC (1) 90 es/rn 7/ 24
S.F. _____ manner as information exempt under this subsection that is 1 maintained by a covered entity or business associate as defined 2 by HIPAA or a program or a qualified service organization as 3 defined by 42 U.S.C. 290dd-2. 4 l. Information used only for public health activities and 5 purposes as authorized by HIPAA. 6 m. The collection, maintenance, disclosure, sale, 7 communication, or use of any personal information bearing on a 8 consumers credit worthiness, credit standing, credit capacity, 9 character, general reputation, personal characteristics, or 10 mode of living by a consumer reporting agency or furnisher that 11 provides information for use in a consumer report, and by a 12 user of a consumer report, but only to the extent that such 13 activity is regulated by and authorized under the federal Fair 14 Credit Reporting Act, 15 U.S.C. 1681 et seq. 15 n. Personal data collected, processed, sold, or disclosed in 16 compliance with the federal Drivers Privacy Protection Act of 17 1994, 18 U.S.C. 2721 et seq. 18 o. Personal data regulated by the federal Family Educational 19 Rights and Privacy Act, 20 U.S.C. 1232 et seq. 20 p. Personal data collected, processed, sold, or disclosed in 21 compliance with the federal Farm Credit Act, 12 U.S.C. 2001 22 et seq. 23 q. Data processed or maintained as follows: 24 (1) In the course of an individual applying to, employed 25 by, or acting as an agent or independent contractor of a 26 controller, processor, or third party, to the extent that the 27 data is collected and used within the context of that role. 28 (2) As the emergency contact information of an individual 29 under this chapter used for emergency contact purposes. 30 (3) That is necessary to retain to administer benefits 31 for another individual relating to the individual under 32 subparagraph (1) and used for the purposes of administering 33 those benefits. 34 r. Personal data used in accordance with the federal 35 -8- LSB 1267XC (1) 90 es/rn 8/ 24
S.F. _____ Childrens Online Privacy Protection Act, 15 U.S.C. 6501 1 6506, and its rules, regulations, and exceptions thereto. 2 Sec. 3. NEW SECTION . 715D.3 Consumer data rights. 3 1. A consumer may invoke the consumer rights authorized 4 pursuant to this section at any time by submitting a request to 5 the controller, through the means specified by the controller 6 pursuant to section 715D.4, subsection 6, specifying the 7 consumer rights the consumer wishes to invoke. A known childs 8 parent or legal guardian may invoke such consumer rights 9 on behalf of the known child regarding processing personal 10 data belonging to the child. A controller shall comply with 11 an authenticated consumer request to exercise all of the 12 following: 13 a. To confirm whether a controller is processing the 14 consumers personal data and to access such personal data. 15 b. To delete personal data provided by the consumer. 16 c. To obtain a copy of the consumers personal data, except 17 as to personal data that is defined as personal information 18 pursuant to section 715C.1 that is subject to security breach 19 protection, that the consumer previously provided to the 20 controller in a portable and, to the extent technically 21 practicable, readily usable format that allows the consumer 22 to transmit the data to another controller without hindrance, 23 where the processing is carried out by automated means. 24 d. To opt out of targeted advertising or the sale of 25 personal data. 26 2. Except as otherwise provided in this chapter, a 27 controller shall comply with a request by a consumer to 28 exercise the consumer rights authorized pursuant to this 29 section as follows: 30 a. A controller shall respond to the consumer without undue 31 delay, but in all cases within forty-five days of receipt 32 of a request submitted pursuant to the methods described in 33 this section. The response period may be extended once by 34 forty-five additional days when reasonably necessary upon 35 -9- LSB 1267XC (1) 90 es/rn 9/ 24
S.F. _____ considering the complexity and number of the consumers 1 requests by informing the consumer of any such extension within 2 the initial forty-five-day response period, together with the 3 reason for the extension. 4 b. If a controller declines to take action regarding the 5 consumers request, the controller shall inform the consumer 6 without undue delay of the justification for declining to take 7 action, except in the case of a suspected fraudulent request, 8 in which case the controller may state that the controller was 9 unable to authenticate the request. The controller shall also 10 provide instructions for appealing the decision pursuant to 11 subsection 3. 12 c. Information provided in response to a consumer request 13 shall be provided by a controller free of charge, up to 14 twice annually per consumer. If a request from a consumer 15 is manifestly unfounded, excessive, repetitive, technically 16 unfeasible, or the controller reasonably believes that the 17 primary purpose of the request is not to exercise a consumer 18 right, the controller may charge the consumer a reasonable fee 19 to cover the administrative costs of complying with the request 20 or decline to act on the request. The controller bears the 21 burden of demonstrating the manifestly unfounded, excessive, 22 repetitive, or technically unfeasible nature of the request. 23 d. If a controller is unable to authenticate a request 24 using commercially reasonable efforts, the controller shall 25 not be required to comply with a request to initiate an action 26 under this section and may request that the consumer provide 27 additional information reasonably necessary to authenticate the 28 consumer and the consumers request. 29 3. A controller shall establish a process for a consumer 30 to appeal the controllers refusal to take action on a request 31 within a reasonable period of time after the consumers 32 receipt of the decision pursuant to this section. The appeal 33 process shall be conspicuously available and similar to the 34 process for submitting requests to initiate action pursuant 35 -10- LSB 1267XC (1) 90 es/rn 10/ 24
S.F. _____ to this section. Within sixty days of receipt of an appeal, 1 a controller shall inform the consumer in writing of any 2 action taken or not taken in response to the appeal, including 3 a written explanation of the reasons for the decision. If 4 the appeal is denied, the controller shall also provide the 5 consumer with an online mechanism through which the consumer 6 may contact the attorney general to submit a complaint. 7 Sec. 4. NEW SECTION . 715D.4 Data controller duties. 8 1. A controller shall adopt and implement reasonable 9 administrative, technical, and physical data security practices 10 to protect the confidentiality, integrity, and accessibility 11 of personal data. Such data security practices shall be 12 appropriate to the volume and nature of the personal data 13 at issue. A controller shall not process sensitive data 14 concerning a consumer or a nonexempt purpose without the 15 consumer having been presented with clear notice and an 16 opportunity to opt out of such processing, or, in the case of 17 the processing of sensitive data concerning a known child, 18 without processing such data in accordance with the federal 19 Childrens Online Privacy Protection Act, 15 U.S.C. 6501 et 20 seq. 21 2. A controller shall not process personal data in 22 violation of state and federal laws that prohibit unlawful 23 discrimination against a consumer. A controller shall not 24 discriminate against a consumer for exercising any of the 25 consumer rights contained in this chapter, including denying 26 goods or services, charging different prices or rates for 27 goods or services, or providing a different level of quality 28 of goods and services to the consumer. However, nothing in 29 this chapter shall be construed to require a controller to 30 provide a product or service that requires the personal data 31 of a consumer that the controller does not collect or maintain 32 or to prohibit a controller from offering a different price, 33 rate, level, quality, or selection of goods or services to a 34 consumer, including offering goods or services for no fee, 35 -11- LSB 1267XC (1) 90 es/rn 11/ 24
S.F. _____ if the consumer has exercised the consumers right to opt 1 out pursuant to section 715D.3 or the offer is related to a 2 consumers voluntary participation in a bona fide loyalty, 3 rewards, premium features, discounts, or club card program. 4 3. Any provision of a contract or agreement that purports to 5 waive or limit in any way consumer rights pursuant to section 6 715D.3 shall be deemed contrary to public policy and shall be 7 void and unenforceable. 8 4. A controller shall provide consumers with a reasonably 9 accessible, clear, and meaningful privacy notice that includes 10 the following: 11 a. The categories of personal data processed by the 12 controller. 13 b. The purpose for processing personal data. 14 c. How consumers may exercise their consumer rights pursuant 15 to section 715D.3, including how a consumer may appeal a 16 controllers decision with regard to the consumers request. 17 d. The categories of personal data that the controller 18 shares with third parties, if any. 19 e. The categories of third parties, if any, with whom the 20 controller shares personal data. 21 5. If a controller sells a consumers personal data to third 22 parties or engages in targeted advertising, the controller 23 shall clearly and conspicuously disclose such activity, as well 24 as the manner in which a consumer may exercise the right to opt 25 out of such activity. 26 6. A controller shall establish, and shall describe in 27 a privacy notice, secure and reliable means for consumers to 28 submit a request to exercise their consumer rights under this 29 chapter. Such means shall consider the ways in which consumers 30 normally interact with the controller, the need for secure and 31 reliable communication of such requests, and the ability of 32 the controller to authenticate the identity of the consumer 33 making the request. A controller shall not require a consumer 34 to create a new account in order to exercise consumer rights 35 -12- LSB 1267XC (1) 90 es/rn 12/ 24
S.F. _____ pursuant to section 715D.3, but may require a consumer to use 1 an existing account. 2 Sec. 5. NEW SECTION . 715D.5 Processor duties. 3 1. A processor shall assist a controller in duties 4 required under this chapter, taking into account the nature of 5 processing and the information available to the processor by 6 appropriate technical and organizational measures, insofar as 7 is reasonably practicable, as follows: 8 a. To fulfill the controllers obligation to respond to 9 consumer rights requests pursuant to section 715D.3. 10 b. To meet the controllers obligations in relation to the 11 security of processing the personal data and in relation to the 12 notification of a security breach of the processor pursuant to 13 section 715C.2. 14 2. A contract between a controller and a processor shall 15 govern the processors data processing procedures with respect 16 to processing performed on behalf of the controller. The 17 contract shall clearly set forth instructions for processing 18 personal data, the nature and purpose of processing, the type 19 of data subject to processing, the duration of processing, and 20 the rights and duties of both parties. The contract shall also 21 include requirements that the processor shall do all of the 22 following: 23 a. Ensure that each person processing personal data is 24 subject to a duty of confidentiality with respect to the data. 25 b. At the controllers direction, delete or return all 26 personal data to the controller as requested at the end of the 27 provision of services, unless retention of the personal data 28 is required by law. 29 c. Upon the reasonable request of the controller, make 30 available to the controller all information in the processors 31 possession necessary to demonstrate the processors compliance 32 with the obligations in this chapter. 33 d. Engage any subcontractor or agent pursuant to a written 34 contract in accordance with this section that requires the 35 -13- LSB 1267XC (1) 90 es/rn 13/ 24
S.F. _____ subcontractor to meet the duties of the processor with respect 1 to the personal data. 2 3. Nothing in this section shall be construed to relieve a 3 controller or a processor from imposed liabilities by virtue 4 of the controller or processors role in the processing 5 relationship as defined by this chapter. 6 4. Determining whether a person is acting as a controller or 7 processor with respect to a specific processing of data is a 8 fact-based determination that depends upon the context in which 9 personal data is to be processed. A processor that continues 10 to adhere to a controllers instructions with respect to a 11 specific processing of personal data remains a processor. 12 Sec. 6. NEW SECTION . 715D.6 Processing data exemptions. 13 1. Nothing in this chapter shall be construed to require the 14 following: 15 a. A controller or processor to re-identify de-identified 16 data or pseudonymous data. 17 b. Maintaining data in identifiable form. 18 c. Collecting, obtaining, retaining, or accessing any 19 data or technology, in order to be capable of associating an 20 authenticated consumer request with personal data. 21 2. Nothing in this chapter shall be construed to require 22 a controller or processor to comply with an authenticated 23 consumer rights request, pursuant to section 715D.3, if all of 24 the following apply: 25 a. The controller is not reasonably capable of associating 26 the request with the personal data or it would be unreasonably 27 burdensome for the controller to associate the request with the 28 personal data. 29 b. The controller does not use the personal data to 30 recognize or respond to the specific consumer who is the 31 subject of the personal data, or associate the personal data 32 with other personal data about the same specific consumer. 33 c. The controller does not sell the personal data to any 34 third party or otherwise voluntarily disclose the personal data 35 -14- LSB 1267XC (1) 90 es/rn 14/ 24
S.F. _____ to any third party other than a processor, except as otherwise 1 permitted in this chapter. 2 3. Consumer rights contained in sections 715D.3 and 715D.4 3 shall not apply to pseudonymous data in cases where the 4 controller is able to demonstrate any information necessary 5 to identify the consumer is kept separately and is subject to 6 appropriate technical and organizational measures to ensure 7 that the personal data is not attributed to an identified or 8 identifiable natural person. 9 4. Controllers that disclose pseudonymous data or de- 10 identified data shall exercise reasonable oversight to monitor 11 compliance with any contractual commitments to which the 12 pseudonymous data or de-identified data is subject and shall 13 take appropriate steps to address any breaches of those 14 contractual commitments. 15 Sec. 7. NEW SECTION . 715D.7 Limitations. 16 1. Nothing in this chapter shall be construed to restrict a 17 controllers or processors ability to do the following: 18 a. Comply with federal, state, or local laws, rules, or 19 regulations. 20 b. Comply with a civil, criminal, or regulatory inquiry, 21 investigation, subpoena, or summons by federal, state, local, 22 or other governmental authorities. 23 c. Cooperate with law enforcement agencies concerning 24 conduct or activity that the controller or processor reasonably 25 and in good faith believes may violate federal, state, or local 26 laws, rules, or regulations. 27 d. Investigate, establish, exercise, prepare for, or defend 28 legal claims. 29 e. Provide a product or service specifically requested by a 30 consumer or parent or guardian of a child, perform a contract 31 to which the consumer or parent or guardian of a child is a 32 party, including fulfilling the terms of a written warranty, or 33 take steps at the request of the consumer or parent or guardian 34 of a child prior to entering into a contract. 35 -15- LSB 1267XC (1) 90 es/rn 15/ 24
S.F. _____ f. Take immediate steps to protect an interest that is 1 essential for the life or physical safety of the consumer or 2 of another natural person, and where the processing cannot be 3 manifestly based on another legal basis. 4 g. Prevent, detect, protect against, or respond to security 5 incidents, identity theft, fraud, harassment, malicious or 6 deceptive activities, or any illegal activity. 7 h. Preserve the integrity or security of systems. 8 i. Investigate, report, or prosecute those responsible for 9 any such action. 10 j. Engage in public or peer-reviewed scientific or 11 statistical research in the public interest that adheres to 12 all other applicable ethics and privacy laws and is approved, 13 monitored, and governed by an institutional review board, or 14 similar independent oversight entities that determine the 15 following: 16 (1) If the deletion of the information is likely to provide 17 substantial benefits that do not exclusively accrue to the 18 controller. 19 (2) The expected benefits of the research outweigh the 20 privacy risks. 21 (3) If the controller has implemented reasonable safeguards 22 to mitigate privacy risks associated with research, including 23 any risks associated with re-identification. 24 k. Assist another controller, processor, or third party with 25 any of the obligations under this subsection. 26 2. The obligations imposed on a controller or processor 27 under this chapter shall not restrict a controllers or 28 processors ability to collect, use, or retain data as follows: 29 a. To conduct internal research to develop, improve, or 30 repair products, services, or technology. 31 b. To effectuate a product recall. 32 c. To identify and repair technical errors that impair 33 existing or intended functionality. 34 d. To perform internal operations that are reasonably 35 -16- LSB 1267XC (1) 90 es/rn 16/ 24
S.F. _____ aligned with the expectations of the consumer or reasonably 1 anticipated based on the consumers existing relationship with 2 the controller or are otherwise compatible with processing 3 data in furtherance of the provision of a product or service 4 specifically requested by a consumer or parent or guardian of a 5 child or the performance of a contract to which the consumer or 6 parent or guardian of a child is a party. 7 3. The obligations imposed on controllers or processors 8 under this chapter shall not apply where compliance by the 9 controller or processor with this chapter would violate an 10 evidentiary privilege under the laws of the state. Nothing 11 in this chapter shall be construed to prevent a controller or 12 processor from providing personal data concerning a consumer to 13 a person covered by an evidentiary privilege under the laws of 14 the state as part of a privileged communication. 15 4. A controller or processor that discloses personal data 16 to a third-party controller or processor, in compliance with 17 the requirements of this chapter, is not in violation of 18 this chapter if the third-party controller or processor that 19 receives and processes such personal data is in violation of 20 this chapter, provided that, at the time of disclosing the 21 personal data, the disclosing controller or processor did not 22 have actual knowledge that the recipient intended to commit a 23 violation. A third-party controller or processor receiving 24 personal data from a controller or processor in compliance with 25 the requirements of this chapter is likewise not in violation 26 of this chapter for the offenses of the controller or processor 27 from which it receives such personal data. 28 5. Nothing in this chapter shall be construed as an 29 obligation imposed on a controller or a processor that 30 adversely affects the privacy or other rights or freedoms 31 of any persons, such as exercising the right of free speech 32 pursuant to the first amendment to the United States 33 Constitution, or applies to personal data by a person in the 34 course of a purely personal or household activity. 35 -17- LSB 1267XC (1) 90 es/rn 17/ 24
S.F. _____ 6. Personal data processed by a controller pursuant to 1 this section shall not be processed for any purpose other than 2 those expressly listed in this section unless otherwise allowed 3 by this chapter. Personal data processed by a controller 4 pursuant to this section may be processed to the extent that 5 such processing is as follows: 6 a. Reasonably necessary and proportionate to the purposes 7 listed in this section. 8 b. Adequate, relevant, and limited to what is necessary 9 in relation to the specific purposes listed in this section. 10 Personal data collected, used, or retained pursuant to 11 this section shall, where applicable, take into account 12 the nature and purpose or purposes of such collection, use, 13 or retention. Such data shall be subject to reasonable 14 administrative, technical, and physical measures to protect the 15 confidentiality, integrity, and accessibility of the personal 16 data. 17 7. If a controller processes personal data pursuant to an 18 exemption in this section, the controller bears the burden of 19 demonstrating that such processing qualifies for the exemption 20 and complies with the requirements in subsection 6. 21 8. Processing personal data for the purposes expressly 22 identified in subsection 1 shall not in and of itself make an 23 entity a controller with respect to such processing. 24 9. This chapter shall not require a controller, processor, 25 third party, or consumer to disclose trade secrets. 26 Sec. 8. NEW SECTION . 715D.8 Enforcement penalties. 27 1. The attorney general shall have exclusive authority to 28 enforce the provisions of this chapter. Whenever the attorney 29 general has reasonable cause to believe that any person has 30 engaged in, is engaging in, or is about to engage in any 31 violation of this chapter, the attorney general is empowered to 32 issue a civil investigative demand. The provisions of section 33 685.6 shall apply to civil investigative demands issued under 34 this chapter. 35 -18- LSB 1267XC (1) 90 es/rn 18/ 24
S.F. _____ 2. Prior to initiating any action under this chapter, 1 the attorney general shall provide a controller or processor 2 thirty days written notice identifying the specific provisions 3 of this chapter the attorney general alleges have been or 4 are being violated. If within the thirty-day period, the 5 controller or processor cures the noticed violation and 6 provides the attorney general an express written statement that 7 the alleged violations have been cured and that no further such 8 violations shall occur, no action shall be initiated against 9 the controller or processor. 10 3. If a controller or processor continues to violate this 11 chapter following the cure period in subsection 2 or breaches 12 an express written statement provided to the attorney general 13 under that subsection, the attorney general may initiate an 14 action in the name of the state and may seek an injunction to 15 restrain any violations of this chapter and civil penalties of 16 up to seven thousand five hundred dollars for each violation 17 under this chapter. Any moneys collected under this section 18 including civil penalties, costs, attorney fees, or amounts 19 which are specifically directed shall be paid into the consumer 20 education and litigation fund established under section 21 714.16C. 22 4. The attorney general may recover reasonable expenses 23 incurred in investigating and preparing the case, including 24 attorney fees, in any action initiated under this chapter. 25 5. Nothing in this chapter shall be construed as providing 26 the basis for, or be subject to, a private right of action for 27 violations of this chapter or under any other law. 28 Sec. 9. NEW SECTION . 715D.9 Preemption. 29 1. This chapter supersedes and preempts all rules, 30 regulations, codes, ordinances, and other laws adopted by a 31 city, county, municipality, or local agency regarding the 32 processing of personal data by controllers or processors. 33 2. Any reference to federal, state, or local law or statute 34 in this chapter shall be deemed to include any accompanying 35 -19- LSB 1267XC (1) 90 es/rn 19/ 24
S.F. _____ rules or regulations or exemptions thereto, or in the case of a 1 federal agency, guidance issued by such agency thereto. 2 Sec. 10. EFFECTIVE DATE. This Act takes effect January 1, 3 2025. 4 EXPLANATION 5 The inclusion of this explanation does not constitute agreement with 6 the explanations substance by the members of the general assembly. 7 This bill relates to consumer data protection. 8 The bill contains several definitions. The bill defines 9 controller to mean a person that, alone or jointly with 10 others, determines the purpose and means of processing personal 11 data. The bill defines identified or identifiable natural 12 person to mean a person who can be readily identified, 13 directly or indirectly. The bill defines personal data to 14 mean any information that is linked or reasonably linkable to 15 an identified or identifiable natural person, but does not 16 include de-identified data or publicly available information. 17 The bill defines process or processing to mean any 18 operation or set of operations performed, whether by manual or 19 automated means, on personal data or on sets of personal data, 20 such as the collection, use, storage, disclosure, analysis, 21 deletion, or modification of personal data. The bill defines 22 processor to mean a person that processes personal data 23 on behalf of a controller. The bill defines pseudonymous 24 data to mean personal data that cannot be attributed to 25 a specific natural person without the use of additional 26 information. The bill defines publicly available information 27 to mean information that is lawfully made available to the 28 general public through certain records or information that 29 a business has reasonable basis to believe is lawfully made 30 available under certain conditions. The bill defines targeted 31 advertising to mean displaying advertisements to a consumer 32 where the advertisement is selected based on personal data 33 obtained from that consumers activities over time and across 34 nonaffiliated websites or online applications to predict such 35 -20- LSB 1267XC (1) 90 es/rn 20/ 24
S.F. _____ consumers preferences or interests, with exceptions. The bill 1 defines third party to mean a natural or legal person, public 2 authority, agency, or body other than the consumer, controller, 3 processor, or an affiliate of the processor or the controller. 4 The bill contains other defined terms. 5 The bill provides that persons conducting business in 6 the state or producing products or services targeted to 7 Iowans that annually control or process personal data of 8 over 99,999 consumers or control or process personal data of 9 25,000 consumers with 50 percent of gross revenue derived 10 from the sale of the personal data shall be subject to the 11 provisions of the bill. The state and political subdivisions 12 of the state, financial institutions or data subject to the 13 federal Gramm-Leach-Bliley Act of 1999, certain organizations 14 governed by rules by the department of health and human 15 services, certain federal governance laws and the federal 16 Health Insurance Portability and Accountability Act, nonprofit 17 organizations, higher learning institutions, and certain 18 protected information and personal data collected under state 19 or federal laws are exempt from provisions in the bill. 20 The bill provides consumers have personal data rights 21 that may be invoked at any time. Consumers or the parent of 22 a child may submit a request to a controller for a copy of 23 the controllers information relating to personal data. The 24 controller shall comply with such requests to confirm or deny 25 whether the controller is processing the personal data, to 26 provide the consumer with a copy of their personal data, and to 27 remove the consumer or child from personal data processing. 28 The bill requires that controllers provide responses to 29 defined personal data requests within 45 days of a consumer 30 initiating a request. Responses to personal data requests 31 shall be provided to a consumer free of charge up to twice per 32 year except where requests are overly burdensome or manifestly 33 unfounded. A business may extend the deadline for good cause, 34 including complexity, once by up to 45 days after informing the 35 -21- LSB 1267XC (1) 90 es/rn 21/ 24
S.F. _____ consumer of the reason for the extension. The bill provides 1 that controllers are not required to comply with requests where 2 a controller is unable through commercially reasonable efforts 3 to verify the identity of the consumer submitting the request. 4 The bill requires that controllers permit consumers to access 5 an appeals process except in cases that are unable to be 6 authenticated and provide consumers with information regarding 7 the appeals process in situations where a consumers request 8 is denied. 9 The bill provides that controllers must disclose to the 10 consumer the types of data being collected and obtain consent 11 from the consumers regarding the collection of personal 12 data and sensitive personal data processing. Controllers 13 must securely store personal data of consumers through 14 administrative, technical, and physical security practices. 15 Controllers shall not discriminate against consumers that 16 exercise consumer data rights as provided in the bill by 17 denying a consumer goods or services, charging different 18 prices, or providing lower quality goods with exceptions. 19 Contract provisions that require consumers to waive rights 20 defined by the bill will be considered void and unenforceable. 21 The bill provides that controllers give consumers reasonably 22 accessible and clear privacy notices that inform consumers of 23 the information regarding personal data transfer and purposes 24 and the methods for consumers to exercise rights. The bill 25 provides that controllers selling personal data to third 26 parties or using targeted advertising must clearly disclose 27 such activity and the right for the consumer to opt out of 28 such sales or use. The bill requires a controller to create a 29 method for private and secure processing of consumer requests. 30 The bill requires processors and the assigns or 31 subcontractors of processors to assist controllers in complying 32 with duties created by the bill. 33 The bill includes personal data processing exemptions, 34 including pseudonymous data and de-identified data as defined 35 -22- LSB 1267XC (1) 90 es/rn 22/ 24
S.F. _____ by the bill. The bill identifies exceptions where controllers 1 or processors are not required to comply with a consumer rights 2 request pursuant to the bill. The bill requires controllers 3 disclosing pseudonymous or de-identified data to exercise 4 reasonable oversight of contractual commitments regarding such 5 data. 6 The bill provides that the bill shall not restrict 7 controller or processor abilities to improve business or 8 function. Controllers or processors sharing personal data with 9 third parties are not liable for the noncompliance of third 10 parties if the controller or processor did not have personal 11 knowledge of the violation or intent to commit a violation, 12 nor is a third party liable for violations of a controller 13 or processor. The bill provides that if a controller seeks 14 certain exemptions, the controller bears the burden of 15 demonstrating that the controller qualifies for the exemption 16 and the exemption complies with the requirements in the bill. 17 The bill shall not require a business, consumer, or other 18 party to disclose trade secrets. 19 The bill provides that the attorney general shall 20 investigate controllers and processors upon reasonable cause 21 for violations of provisions of the bill. The attorney general 22 shall provide 30 days notice to a controller or processor 23 including the reason for which the entity is subject to an 24 investigation and permit the entity to cure the defect prior 25 to filing a civil action. A controller or processor found 26 to be in violation of provisions of the bill is subject to a 27 civil penalty of up to $7,500 per violation. Moneys collected 28 by the attorney general under the bill shall be paid into the 29 consumer education and litigation fund established under Code 30 section 714.16C. The attorney general shall recover reasonable 31 expenses for expenses related to the investigation. 32 The bill provides that a rule, regulation, code, ordinance, 33 or other law adopted regarding processing of personal data is 34 preempted by the bill. 35 -23- LSB 1267XC (1) 90 es/rn 23/ 24
S.F. _____ The bill takes effect January 1, 2025. 1 -24- LSB 1267XC (1) 90 es/rn 24/ 24