United States of America: Adopted Consumer Data Protection Act (SF 262)

On 15 March 2023, the Bill for an Act relating to consumer data protection, providing civil penalties, and including effective date provisions (Consumer Data Protection Act -SF 262) was adopted by the Iowa House of Representatives. The Act outlines measures that data controllers and processors would be required to implement when collecting and storing personal data. In particular, data controllers would be required to adopt reasonable administrative, technical, and physical data security practices to safeguard personal data and to refrain from processing sensitive data obtained from consumers for non-exempt purposes without clear notice and an opportunity to opt out. In addition, data controllers would also be required to provide consumers with transparent privacy notices disclosing whether they sell personal data to third parties or participate in targeted advertising. Finally, the bill provides consumers with the right to opt out of the sale of their data, defined as the "exchange of personal data for consideration by the data controller to a third party".