More States Enact Privacy Laws

Written by Susan Kohn Ross, Lucy Plovnick, Stacey Chuvaieva and Albina Gasanbekova

Iowa and Indiana now become the sixth and seventh states, respectively, to provide comprehensive privacy protection to their residents, following the lead of California, Virginia, Connecticut, Colorado, and Utah (in that order). Those who do business in Iowa or have Iowa consumers as customers or users have until January 1, 2025, to bring their operations into compliance. Those with a presence in Indiana and/or consumers, customers or users based in Indiana have until January 1, 2026, to comply.

Scope and Exemptions. The Iowa and Indiana laws apply to companies conducting business in those states or producing products or services targeted to consumers who are residents of each state. Like other state privacy laws, the Iowa and Indiana laws apply only to companies that annually (i) control or process the personal data of at least 100,000 consumers or (ii) control or process the personal data of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data. Like Virginia, Connecticut and Colorado, Iowa and Indiana chose not to follow the California and Utah requirement that ties jurisdiction to a minimum revenue level (e.g., $25 million). So, everyone doing business in Iowa and Indiana is subject to the privacy law, so long as they meet the consumer thresholds cited. Further, both states apply the law only to the data of individual residents acting in a noncommercial and non-employment capacity.

The Iowa and Indiana data privacy laws have industry-related exemptions similar to other states. These privacy laws do not apply to:

  • Personal data categories regulated under other federal privacy laws like the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act, the Children’s Online Privacy Protection Act, the Driver’s Privacy Protection Act, and the Farm Credit Act.
  • Entities covered by the Health Information Technology for Economic and Clinical Health Act and HIPAA, government entities, financial institutions, their affiliates and entities subject to the Gramm-Leach-Bliley Act, nonprofit organizations, and higher education institutions.

Consumer Data Rights. The laws in both Iowa and Indiana allow consumers to confirm, access, delete, and obtain a copy of their personal data. Iowa also allows consumers to opt out of the sale of their data. Indiana provides the right to correct, which Iowa law does not. Indiana’s law also features the right to opt out of the processing of the consumer’s personal data for certain activities, e.g., targeted advertising and profiling.

Iowa consumers have the right:

(1) to confirm whether a controller is processing the consumer’s personal data and to access such personal data;

(2) to delete personal data provided by the consumer;

(3) to obtain a copy of the consumer’s personal data;

(4) to opt in to the collection of sensitive data, e.g., religion, race, sexual orientation; and

(5) to opt out of the sale of personal data.

Indiana consumers have these and some added rights:

(1) to delete personal data provided by or obtained about the consumer;

(2) to obtain a copy of or a “representative summary” of the personal data the consumer provided to the entity;

(3) to opt out of the processing of the consumer’s personal data for purposes of: (i) targeted advertising; (ii) the sale of personal data; or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer; and

(4) to correct inaccuracies in the consumer’s personal data that was provided by the consumer.

Data Controller and Processor Duties. Under both Iowa’s and Indiana’s privacy laws, controllers and processors must adopt and implement reasonable data security practices. Both states also impose a list of transparency, non-discrimination, purpose limitation, and consent requirements on controllers. For example, controllers must provide consumers with a reasonably accessible, clear and meaningful privacy notice, collect consumer consent for processing sensitive data, and implement opt-in parental consent for the collection of the personal data of children.

Both states’ laws also require controllers to enter into data processing agreements with their processors stipulating the scope of the processing, the rights and obligations of the parties, the types of data and the consumers whose data is processed, processing instructions, the nature and purpose of the processing, and the duration of the processing. A controller is also not permitted to process personal data in violation of state and federal laws prohibiting unlawful discrimination against consumers, nor may a controller discriminate against consumers who choose to exercise their privacy rights.

Notably, under Indiana’s law, businesses are required to assess certain processing activities, such as the processing of data for targeted advertising, profiling, the sale of personal data, processing of sensitive data, or other activities that present a heightened risk of harm to consumers. Iowa has no corresponding obligations.

Enforcement and Penalties. Neither the Iowa nor the Indiana law offers a private right of action; both give exclusive authority to enforce the law to the state attorney general. Both the Iowa and Indiana laws provide for a period to cure violations: Iowa allows 90 days and Indiana 30 days. If the controller or processor fails to cure the violation (when the violation is curable), the attorney general may initiate a civil action and may seek civil penalties and an injunction to restrain any violations.

While each of the states that have enacted consumer privacy laws included certain unique provisions, the laws in all the states are similar. In short, a business may not collect more data than it says it will collect, and may not make any use of the data collected except as disclosed to and agreed to by the consumer. The courts have also been consistent in holding that it is not enough to say “if you use our website, that constitutes agreement to any of our policies.” You must have evidence that the consumer affirmatively agreed to the relevant policies. It is also increasingly a best practice to make your policies as easy to understand as possible, include a table of contents, and link each section in the policy to that table of contents (and this is true for both the Terms of Use and the Privacy Policy). Another best practice is to regularly review your policies and make sure they are current, and also to make sure the email address you publish is a team email address, so that if someone is out of the office, a timely response to any inquiry is still accomplished.

Is it time to update your terms of use, your privacy policy and your internal procedures?