Iowa 2025-2026 Regular Session

Iowa Senate Bill SF143 Latest Draft

Bill / Introduced Version Filed 01/28/2025

Senate File 143 - Introduced

SENATE FILE 143
BY ALONS, WESTRICH, SALMON, GUTH, and LOFGREN

A BILL FOR

An Act relating to consumer data protection, and including retroactive applicability provisions.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 1302XS (3) 91
nls/ko

Section 1. Section 715D.1, subsection 5, Code 2025, is amended to read as follows:

5. "Child" means any natural person younger than thirteen eighteen years of age.

Sec. 2. Section 715D.1, Code 2025, is amended by adding the following new subsections:

NEW SUBSECTION. 9A. "Decision that produces legal or similarly significant effects concerning a consumer" means a decision made by a controller that affects the ability of a person to access any of the following:

a. Financial and lending services.
b. Housing.
c. Insurance.
d. Education.
e. Criminal justice services.
f. Employment opportunities.
g. Health care services.

NEW SUBSECTION. 12A. "Health data" means data that pertains to the health status of an individual that discloses information related to the past, current, or future physical or mental health status of the individual.

NEW SUBSECTION. 21A. "Profiling" means any form of automated processing performed on personal data to evaluate, analyze, or predict specific factors related to the economic status, health, personal preferences, interests, reliability, behavior, location, or movements of an identified or identifiable individual.

Sec. 3. Section 715D.1, subsection 14, Code 2025, is amended to read as follows:

14. "Health record" means any written, printed, or electronically recorded material maintained by a health care provider in the course of providing health services to an individual concerning the individual and the services provided, including related health information and associated nonhealth information, provided in confidence to a health care provider.

Sec. 4. Section 715D.1, subsection 26, Code 2025, is amended by adding the following new paragraph:

NEW PARAGRAPH. e. Health data.

Sec. 5. Section 715D.2, subsection 2, Code 2025, is amended to read as follows:

2. This Except as it relates to health data, this chapter shall not apply to the state or any political subdivision of the state; financial institutions, affiliates of financial institutions, or data subject to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. 6801 et seq.; persons who are subject to and comply with regulations promulgated pursuant to Tit. II, subtit. F, of the federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, and Tit. XIII, subtit. D, of the federal Health Information Technology for Economic and Clinical Health Act of 2009, 42 U.S.C. 17921-17954; nonprofit organizations; or institutions of higher education.

Sec. 6. Section 715D.2, subsection 3, Code 2025, is amended by adding the following new paragraph:

NEW PARAGRAPH. 0b. Information or data maintained by a public health authority, as defined by HIPAA, provided the public health authority has received the consumer's consent unless otherwise required by HIPAA.

Sec. 7. Section 715D.2, subsection 3, paragraph l, Code 2025, is amended to read as follows:

l. Information used only for public health activities and purposes Purposes as authorized by HIPAA . , provided that the information is all of the following:

(1) De-identified.
(2) Aggregated.
(3) Processed in batches of no less than one hundred consumers.

Sec. 8. Section 715D.3, subsection 1, paragraph d, Code 2025, is amended by striking the paragraph and inserting in lieu thereof the following:

d. To be notified of, or to opt out of, profiling in furtherance of a decision that produces legal or similarly significant effects concerning a consumer. Notification to the consumer pursuant to this paragraph shall be in plain language and include the type of data subject to profiling, any requirements for a person receiving the consumer's data to delete or return the data, and the process for a consumer to file a complaint.

Sec. 9. RETROACTIVE APPLICABILITY. This Act applies retroactively to January 1, 2025.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation's substance by the members of the general assembly.

This bill relates to consumer data protection.

Under Code section 715D.1, "child" is defined as any natural person younger than 13 years of age. Under the bill, "child" is defined as any natural person younger than 18 years of age.

The bill expands the definition of "health record" to include, in addition to any record containing related health information, any record containing nonhealth information that is related to health information provided in confidence to a health care provider.

The bill expands the definition of "sensitive data" to include health data. "Health data" is defined in the bill.

Under the bill, except as it relates to health data, the Code chapter shall not apply to the state or any political subdivision of the state; financial institutions, affiliates of financial institutions, or data subject to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. 6801 et seq.; persons who are subject to and comply with regulations promulgated pursuant to Tit. II, subtit. F, of the federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, and Tit. XIII, subtit. D, of the federal Health Information Technology for Economic and Clinical Health Act of 2009, 42 U.S.C. 17921-17954; nonprofit organizations; or institutions of higher education.

The bill exempts information or data maintained by a public health authority, as defined by HIPAA, from the Code chapter provided the public health authority has received the consumer's authorization, unless otherwise required by HIPAA.

The bill exempts information used only for public health activities and purposes as authorized by HIPAA, provided that the information is de-identified, aggregated, and processed in batches of no less than 100 consumers from the Code chapter.

Under the bill, a consumer shall have the right to request to be notified of, or to opt out of, profiling in furtherance of a decision that produces legal or similarly significant effects concerning a consumer. The bill defines "profiling" as any form of automated processing performed on personal data to evaluate, analyze, or predict specific factors related to the economic status, health, personal preferences, interests, reliability, behavior, location, or movements of an individual. Notification to the consumer shall be in plain language and include the type of data subject to profiling, any requirements for a person receiving the consumer's data to delete or return the data, and the process for a consumer to file a complaint. "Decision that produces legal or similarly significant effects concerning a consumer" is defined in the bill.

The bill applies retroactively to January 1, 2025.