Iowa Enacts New Privacy Law; Colorado Adopts Final Privacy Regulations

Iowa’s General Assembly enacted a new data privacy law, officially named the Act Relating to Consumer Data Protection Providing Civil Penalties and Including Effective Date Provisions. The new law will apply to businesses that process information about 100,000 or more Iowans, or that derive over fifty percent of gross revenue from the sale of information while processing information about 25,000 or more Iowans. Iowa is the sixth state with comprehensive data protection legislation, after California, Virginia, Colorado, Utah, and Connecticut.

The law will take effect on January 1, 2025. It required business subject to the law to implement adequate information security measures and provide an appropriate privacy policy. Businesses are allowed to collect and use personal information only for purposes that are legitimate, necessary, and proportionate. When businesses use processors to process personal information for them, they will be required to sign a written contract that governs the relationship between and the duties of the processor. The law gives Iowa data subjects several rights, including the right to receive a copy of the information that the business processes about them, to have it deleted, and to instruct the business not to sell it or use it for behaviorally-targeted advertising on the web.

Enforcement of the new law vests exclusively with the Iowa attorney general, and the law forecloses any private right of action for individuals affected by its violation.

Meanwhile, the Attorney General of Colorado has published the final version of the regulations implementing the Colorado Privacy Act, scheduled to take effect on July 1, 2023. The Colorado regulations are similar to the regulations currently being finalized in California under the California Privacy Rights Act.

The new regulations in Colorado govern, among other matters, the privacy notices that must be given to consumers, the rights granted to consumers regarding their information, and the means that must be made available to them to exercise those rights. The Colorado regulations require that privacy notices be clear, detailed, and accessible. Different processing purposes should be described distinctively from one another.

Businesses are required to comply with several data privacy principles, such as data minimization. Information such as photographs, voice recordings, and biometric identifiers must be reviewed annually to determine whether their continued retention for a legitimate purpose is justified. The regulations also specify the circumstances in which the business must seek the data subject’s consent, for example, to process sensitive personal information such as medical or biometric information.

The Colorado regulations also cover universal opt-out mechanisms that transmit a consumer’s request to opt out of behaviorally-targeted advertising, the sale of information, or the development of a behavioral profile to make a decision that has a material impact on the data subject. The Colorado Department of Justice is entrusted with declaring universal opt-out mechanisms that meet regulatory requirements. The first announcement of universal opt-out mechanisms is expected before January 2024. Once a universal opt-out mechanism is announced, businesses will be given a grace period of six months to adapt their online service to honor signals received through these mechanisms.

Click here to read the Iowa Act Relating to Consumer Data Protection.

Click here to read the final version of Colorado privacy regulations.