The passage of two more laws in quick succession continues the trend toward comprehensive privacy legislation at the state level. Although the Iowa law will not take effect until January 1, 2025, and Indiana’s will not be effective until January 1, 2026, businesses should become familiar with these laws now to help ensure that their compliance programs meet current as well as future requirements. 

Both the Iowa and Indiana laws apply to businesses in their respective states, as well as out-of-state businesses that target their products or services to residents of the applicable state. In addition, in-scope businesses under either law, during a calendar year, (1) control or process personal data of at least 100,000 consumers who are state residents; or (2) control or process personal data of at least 25,000 consumers who are state residents and derive more than 50 percent of gross revenue from the sale of personal data.

The Iowa and Indiana laws have much in common with the frameworks used in data privacy laws in Colorado, Connecticut, Utah, and Virginia, but there are differences worth noting.   

• Consumer rights. Both the Iowa and Indiana laws grant consumers a range of rights relating to their personal information, including the rights to
  • Access
  • Delete
  • Data portability.

Consumers also have rights to appeal a business’s denial of a consumer data rights request and to opt out of the sale of their personal data.

In addition to these rights, the Indiana law also grants consumers the right to correct inaccuracies in their personal data that was previously provided to the business and to opt out of the processing of their personal data for targeted advertising and profiling purposes.

• Definition of “sale.” The definition of a “sale” of personal data is the same under both the Iowa and Indiana laws. A “sale” means the exchange of personal data for monetary consideration. There are also a number of exclusions: for example, a “sale” does not include disclosure of personal data to a processor, transfer to an affiliate, or disclosure as part of a merger or acquisition.
• Data Protection Impact Assessment. The Colorado Privacy Act, Virginia Consumer Data Protection Act, and California Consumer Privacy Act, as amended by the California Privacy Rights Act, each require completion of a data processing assessment in specific circumstances. Indiana’s law also includes a requirement for businesses to conduct assessments for certain processing activities. Specifically, businesses must assess the processing of data for targeted advertising, profiling, the sale of personal data, processing of sensitive data, or other activities that present a heightened risk of harm to consumers.

The Iowa law does not require covered businesses to conduct Data Protection Impact Assessments.

• Right to cure. Both the Iowa and the Indiana laws provide for a period during which businesses can cure their violations. The Iowa law gives businesses 90 days to cure a violation, and the Indiana provides 30 days. Notably, in addition to addressing the violations, businesses must also provide written statements to the applicable state attorney general confirming that the alleged violations were cured, and stating that no further violations will occur.
• Private right of action. Like most state privacy laws (California is an exception), neither the Iowa nor the Indiana law gives individuals the right to file lawsuits against businesses who violate the laws. The laws are enforced by their respective state attorneys general.

The Constangy Cyber Team assists businesses of all sizes and industries with implementing necessary updates to their privacy and compliance programs to address these complex and evolving regulatory requirements. If you would like additional information on how to prepare your organization, please contact us at cyber@constangy.com.