Iowa Enacts Comprehensive Privacy Legislation

April 14, 2023

On March 28, 2023, Iowa became the sixth state to pass a modern consumer privacy law. Prior to Iowa, California, Colorado, Connecticut, Utah and Virginia also passed consumer privacy laws between the years 2020 and 2022.



Overview of SF 262, Iowa’s new privacy law

Iowa’s privacy law, which goes into effect in 2025, offers consumers various privacy rights:


  • the right to access personal data

  • the right to delete personal data provided

  • the right to data portability

  • the right to opt-out of the sale of personal data

  • the right to opt-out of targeted advertising

  • the right to opt-out of the processing of sensitive data for certain purposes

  • the right to appeal a controller’s decision not to act on a privacy request


Iowa’s privacy law continues the trend of U.S. states adding additional layers to the patchwork of privacy legislation in place. While there is significant overlap between the requirements of each state’s privacy regulations, there are some deviations.


Notably, Iowa’s privacy law does not include a revenue threshold for applicability like California and Utah. In addition, Iowa’s privacy law does not include a right to correction like California, Colorado, Virginia and Connecticut.



Additional developments regarding privacy regulations

Eighteen additional states currently have an active privacy bill. With momentum for state privacy legislation remaining strong, organizations must develop a comprehensive strategy to comply with current regulations, minimize the impact of future regulations and build trust with privacy-conscious consumers.


As organizations navigate the patchwork of state privacy laws, they must also remain aware of international developments.


In Europe, the European Commission released a draft adequacy decision on Dec. 13, 2022, approving the new EU-U.S. Transatlantic Data Privacy Framework. This draft adequacy decision is the first step in the EU’s adoption procedure. However, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs recommended on Feb. 14, 2023, that the European Commission reject the EU-U.S. Transatlantic Data Privacy Framework. According to the committee, the proposed framework does not fully comply with the EU’s General Data Protection Regulation (GDPR) and the Biden Administration’s executive order promising limits to surveillance activities is insufficient as it can be reversed at any time. This nonbinding draft resolution does not stop the adoption process, but the criticisms do highlight the lack of a federal U.S. privacy law.


In 2022, the American Data Privacy and Protection Act (ADPPA) was introduced within Congress to offer a comprehensive national privacy law. While it passed out of the Energy and Commerce Committee 53-2, it did not receive a vote within the House floor. Given the new session of Congress, the bill must be reintroduced to restart its legislative path in the House. A recent hearing hosted by the Energy and Commerce’s Subcommittee on Innovation, Data and Commerce addressed the proposed ADPPA.


"We were almost there," Subcommittee on Innovation, Data and Commerce Ranking Member Jan Schakowsky, D-Ill., said. "We heard the cry of the vast majority of Americans who are really tired of feeling helpless online. … I think it's time for us to roll up our sleeves and in a bipartisan way. The U.S. is far behind, and we need to catch up."



The path forward

Given the passage of Iowa’s privacy law and the uncertainty of other privacy initiatives, organizations are reminded that the best approach to consumer privacy is maintaining a consolidated, rationalized set of requirements and a suite of proactive operations to address these requirements. With these components in place, organizations will have a fit-for-purpose privacy program that can handle ambiguity, overcome obstacles and safely facilitate the processing of personal data.

Spencer Kindt
Senior Manager, Data Governance, Privacy and Protection | Optiv
Spencer specializes in helping organizations design, implement, optimize, assess and operate privacy and data governance programs. He ensures organizations properly handle high-risk data while unlocking the high value associated with it. He also has experience helping clients prepare for and address privacy regulations (e.g., GDPR, CCPA, CPRA, LGPD, HIPAA). Spencer has experience providing customized services to organizations ranging from the global Fortune 500 to smaller, privately-owned organizations across a variety of industries.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit