Bill Text: IA SF2208 | 2021-2022 | 89th General Assembly | Introduced
Bill Title: A bill for an act relating to consumer data protection, making penalties applicable, and including effective date provisions.
Spectrum: Partisan Bill (Republican 1-0)
Status: (Introduced - Dead) 2022-02-09 - Subcommittee: Nunn, Mathis, and Williams. S.J. 250. [SF2208 Detail]
Download: Iowa-2021-SF2208-Introduced.html
Senate File 2208 - Introduced

SENATE FILE 2208
BY NUNN

A BILL FOR

An Act relating to consumer data protection, making penalties applicable, and including effective date provisions.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 5349XS (1) 89
es/rn

S.F. 2208

Section 1. NEW SECTION. 715D.1 Definitions.

As used in this chapter, unless the context otherwise requires:

1. “Aggregate data” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer.

2. “Authenticate” means verifying through reasonable means that a consumer, entitled to exercise their consumer rights in section 715D.3, is the same consumer exercising such consumer rights with respect to the personal data at issue.

3. “Biometric data” means data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. “Biometric data” does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.

4. “Child” means any natural person younger than thirteen years of age.

5. “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. “Consent” may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

6. “Controller” means the person that, alone or jointly with others, determines the purpose and means of processing personal data.

7. “De-identified data” means data that cannot reasonably be linked to an identified or identifiable natural person.

8. “Health Insurance Portability and Accountability Act” or “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, including amendments thereto and regulations promulgated thereunder.

9. “Precise geolocation data” means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that identifies the specific location of a natural person with precision and accuracy within a radius of one thousand seven hundred fifty feet. “Precise geolocation data” does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

10. “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

11. “Processor” means a person that processes personal data on behalf of a controller.

12. “Profiling” means any form of solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

13. “Pseudonymous data” means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

14. “Sale of personal data” means the exchange of personal data for monetary consideration by the controller to a third party. “Sale of personal data” does not include:
a. The disclosure of personal data to a processor that processes the personal data on behalf of the controller.
b. The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer or a parent of a child.
c. The disclosure or transfer of personal data to an affiliate of the controller.
d. The disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience.
e. The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

15. “Sensitive data” means a category of personal data that includes:
a. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
b. Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person.
c. The personal data collected from a child.
d. Precise geolocation data.

16. “Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests. “Targeted advertising” does not include:
a. Advertisements based on activities within a controller’s own or affiliated websites or online applications.
b. Advertisements based on the context of a consumer’s current search query, visit to a website, or online application.
c. Advertisements directed to a consumer in response to the consumer’s request for information or feedback.
d. Processing personal data solely for measuring or reporting advertising performance, reach, or frequency.

17. “Trade secret” means information, including but not limited to a formula, pattern, compilation, program, device, method, technique, or process, that:
a. Derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use.
b. Is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.

Sec. 2. NEW SECTION. 715D.2 Scope and exemptions.

1. This chapter applies to persons conducting business in the state or producing products or services that are targeted to residents of the state and that during a calendar year either:
a. Control or process personal data of at least one hundred thousand consumers.
b. Control or process personal data of at least twenty-five thousand consumers and derive over fifty percent of gross revenue from the sale of personal data.

2. This chapter shall not apply to the state or any political subdivision of the state, financial institutions or data subject to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et seq., covered entities or business associates governed by the privacy, security, and breach notification rules issued by the department of human services, the department of health, 45 C.F.R. pts. 160 and 164 established pursuant to HIPAA, nonprofit organizations, or institutions of higher education.

3. Protected information and personal data collected under state or federal law, including but not limited to data protected under HIPAA; the federal Fair Credit Reporting Act, 15 U.S.C. §1681 et seq.; confidential records protected under 42 U.S.C. §290dd-2; in the course of employment or application for employment; emergency contact information for employees; and for purposes of the protection of natural persons under 45 C.F.R. pt. 46; are exempt from requirements in this chapter.

Sec. 3. NEW SECTION. 715D.3 Consumer data rights.

1. A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke. A child’s parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the child. A controller shall comply with an authenticated consumer request to exercise all of the following:
a. To confirm whether a controller is processing the consumer’s personal data and to access such personal data.
b. To correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.
c. To delete personal data provided by or obtained about the consumer.
d. To obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
e. To opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

2. Except as otherwise provided in this chapter, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to this section as follows:
a. A controller shall respond to the consumer without undue delay, but in all cases within forty-five days of receipt of a request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five additional days when reasonably necessary upon considering the complexity and number of the consumer’s requests by informing the consumer of any such extension within the initial forty-five-day response period, together with the reason for the extension.
b. If a controller declines to take action regarding the consumer’s request, the controller shall inform the consumer without undue delay of the justification for declining to take action and instructions for how to appeal the decision pursuant to this section.
c. Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.
d. If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer’s request.

3. A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision pursuant to this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism through which the consumer may contact the attorney general to submit a complaint.

Sec. 4. NEW SECTION. 715D.4 Data controller duties.

1. A controller shall limit the collection of personal data to what is reasonably necessary in relation to the purposes for which such data is processed and disclose the collection of the data to the consumer and obtain consent from the consumer for the data collection. A controller shall adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. A controller shall not process sensitive data without the consumer’s consent.

2. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer.

3. Any provision of a contract or agreement that purports to waive or limit in any way consumer rights pursuant to section 715E.3 shall be deemed contrary to public policy and shall be void and unenforceable.

4. A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
a. The categories of personal data processed by the controller.
b. The purpose for processing personal data.
c. How consumers may exercise their consumer rights pursuant to section 715D.3, including how a consumer may appeal a controller’s decision with regard to the consumer’s request.
d. The categories of personal data that the controller shares with third parties, if any.
e. The categories of third parties, if any, with whom the controller shares personal data.

5. If a controller sells a consumer’s personal data to third parties or uses such personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such sales or use.

6. A controller shall establish, and shall describe in a privacy notice, secure and reliable means for consumers to submit a request to exercise their consumer rights under this chapter. Such means shall consider the need for secure and reliable communication of such requests and the ability of the controller to authenticate the identity of the consumer making the request. A controller shall not require a consumer to create a new account in order to exercise consumer rights pursuant to section 715D.3.

Sec. 5. NEW SECTION. 715D.5 Processor duties.

1. A processor shall assist a controller in duties required under this chapter.

2. A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties. The contract shall also include requirements that the processor shall do all of the following:
a. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.
b. At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.
c. Upon the reasonable request of the controller, make available to the controller all information in the processor’s possession necessary to demonstrate the processor’s compliance with the duties in this chapter.
d. Cooperate with reasonable assessments by the controller, the controller’s designated assessor, or qualified and independent third-party assessor as chosen by the processor that will provide a report of such assessment to the controller upon request.
e. Engage any subcontractor or agent pursuant to a written contract in accordance with this section that requires the subcontractor to meet the duties of the processor with respect to the personal data.

Sec. 6. NEW SECTION. 715D.6 Data protection assessments.

1. A controller shall conduct and document a data protection assessment regarding processing activities involving personal data, including but not limited to the sale of personal data, the use of personal data for targeted advertising, and processing that results in a reasonably foreseeable risk of unfair discrimination, injury, or intrusions to a consumer’s expectation of privacy.

2. Data protection assessments conducted pursuant to subsection 1 shall identify and evaluate benefits and risks regarding data processing, the controller, the consumer, other stakeholders, and the public. Safeguards used by the controller and processor may be considered. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller.

3. The attorney general may request, pursuant to a consumer complaint, that a controller disclose relevant data protection assessment information during an investigation conducted by the attorney general under section 714.16. The controller shall make the data protection assessment available to the attorney general. The attorney general may evaluate the data protection assessment for compliance with the responsibilities set forth in section 715D.4. Pursuant to section 714.16, subsection 7, the attorney general may seek and obtain an order that a party held in violation of this section pay damages to the attorney general on behalf of a person injured by the violation.

4. Data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may comply under this section if the assessments have a reasonably comparable scope and effect.

Sec. 7. NEW SECTION. 715D.7 Processing data —— exemptions.

1. A controller in possession of de-identified data shall comply with the following:
a. Take reasonable measures to ensure that the data cannot be associated with a natural person.
b. Publicly commit to maintaining and using de-identified data without attempting to re-identify the data.
c. Contractually obligate any recipients of the de-identified data to comply with all provisions of this chapter.

2. Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated consumer rights request, pursuant to section 715D.3, if all of the following are true:
a. The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data.
b. The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer.
c. The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this chapter.

3. Consumer rights contained in sections 715D.3 and 715D.4 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information.

4. Controllers that disclose pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.

Sec. 8. NEW SECTION. 715D.8 Limitations.

1. The duties imposed on a controller or processor under this chapter shall not restrict a controller’s or processor’s ability beyond the extent reasonably necessary to improve essential internal processes; collect, use, or retain data to conduct internal research to develop, improve, or repair products, services, or technology; effectuate a product recall; or identify and repair technical errors that impair existing or intended functionality.

2. A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of this chapter, is not in violation of this chapter if the third-party controller or processor that receives and processes such personal data is in violation of this chapter, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is likewise not in violation of this chapter for the offenses of the controller or processor from which it receives such personal data.

3. If a controller processes personal data pursuant to an exemption, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in this chapter.

4. This chapter shall not require a controller, processor, third party, or consumer to disclose trade secrets.

Sec. 9. Section 714.16, subsection 2, Code 2022, is amended by adding the following new paragraph:
NEW PARAGRAPH. q. It is an unlawful practice for a controller or processor of personal data to violate any of the provisions of chapter 715D.

Sec. 10. EFFECTIVE DATE. This Act takes effect January 1, 2024.
EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to consumer data protection.

The bill defines “controller” to mean a person that, alone or jointly with others, determines the purpose and means of processing personal data. The bill defines “process” or “processing” to mean any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. The bill defines “processor” to mean a person that processes personal data on behalf of a controller. The bill defines “pseudonymous data” to mean personal data that cannot be attributed to a specific natural person without the use of additional information. The bill defines “targeted advertising” to mean displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests, with exceptions.

The bill provides that persons conducting business in the state or producing products or services targeted to Iowans that annually control or process personal data of over 99,999 consumers or control or process personal data of 25,000 consumers with 50 percent of gross revenue from the sale of the personal data shall be subject to the provisions of the bill. The state and political subdivisions of the state, financial institutions or data subject to the Gramm-Leach-Bliley Act of 1999, certain organizations governed by rules by the department of human services, the department of health, certain federal governance laws and HIPAA, nonprofit organizations, higher learning institutions, and certain protected information and personal data collected under state or federal laws are exempt from provisions in the bill.

The bill provides consumers have personal data rights that may be invoked at any time. Consumers or the parent of a child may submit a request to a controller for a copy of the controller’s information relating to personal data. The controller shall comply with such requests to confirm or deny whether the controller is processing the personal data, to delete or correct inaccuracies in personal data, to provide the consumer with a copy of their personal data, and to remove the consumer or child from personal data processing.

The bill requires that controllers provide responses to defined personal data requests within 45 days of a consumer initiating a request. Responses to personal data requests shall be provided to a consumer free of charge up to twice per year except where requests are overly burdensome or manifestly unfounded. A business may extend the deadline for good cause, including complexity, once by up to 45 days after informing the consumer of the reason for the extension. The bill provides that controllers are not required to comply with requests where a controller is unable through commercially reasonable efforts to verify the identity of the consumer submitting the request.

The bill requires that controllers permit consumers to access an appeals process and provide consumers with information regarding the appeals process in situations where a consumer’s request is denied.

The bill provides that controllers shall limit the collection of personal data to the extent reasonably necessary. Controllers must disclose to the consumer the types of data being collected and obtain consent from the consumers regarding the collection of personal data and sensitive personal data processing. Controllers must securely store personal data of consumers through administrative, technical, and physical security practices. Controllers shall not discriminate against consumers that exercise consumer data rights as provided in the bill by denying a consumer goods or services, charging different prices, or providing lower quality goods. Contract provisions that require consumers to waive rights defined by the bill will be considered void and unenforceable.

The bill provides that controllers give consumers reasonably accessible and clear privacy notices that inform consumers of the information regarding personal data transfer and purposes and the methods for consumers to exercise rights. The bill provides that controllers selling personal data to third parties or using targeted advertising must clearly disclose such activity and the right for the consumer to opt out of such sales or use. The bill requires a controller to create a method for private and secure processing of consumer requests.

The bill requires processors and the assigns or subcontractors of processors to assist controllers in complying with duties created by the bill.

The bill requires controllers to conduct assessments of processing activities regarding personal data. Data protection assessments shall consider benefits and risks regarding personal data processing to the controller, consumer, public, and other stakeholders among other factors identified by the bill. The bill provides that the attorney general may request, pursuant to a consumer complaint, an investigation pursuant to Code section 714.16 and require that a controller disclose relevant data protection assessment information and analyze the provided information for compliance with duties described by the bill. Other data protection assessments a controller has conducted may suffice for purposes of the bill if the assessments are reasonably similar.

The bill includes personal data processing exemptions, including pseudonymous data and de-identified data as defined by the bill. The bill requires that controllers in possession of de-identified data take measures to ensure that the data remains de-identified, publicly commit to a de-identified maintenance process, and require agents and assigns to adhere to provisions of the bill. The bill identifies exceptions where controllers or processors are not required to comply with a consumer rights request pursuant to the bill. The bill requires controllers disclosing pseudonymous or de-identified data to exercise reasonable oversight, security, and breach mitigation measures.

The bill provides that the bill shall not, beyond the degree reasonably necessary, restrict controller or processor abilities to improve business or function. Controllers or processors sharing personal data with third parties are not liable for the noncompliance of third parties if the controller or processor did not have personal knowledge of the violation or intent to commit a violation, nor is a third party liable for violations of a controller or processor. The bill provides that if a controller seeks an exemption, the controller bears the burden of demonstrating that the controller qualifies for the exemption and the exemption complies with the requirements in the bill.

The bill shall not require a business, consumer, or other party to disclose trade secrets.

A violation of the bill’s provisions constitutes an unlawful practice under Code section 714.16 (consumer frauds). Several types of remedies are available if a court finds that a person has committed an unlawful practice, including injunctive relief, disgorgement of moneys or property, and a civil penalty not to exceed $40,000 per violation.

The bill takes effect January 1, 2024.