Iowa has become the latest state to pass its own privacy legislation, while at the same time the state of Colorado has finalized the rules for its Privacy Act, which is is scheduled to go into effect on July 1.
In Iowa, both houses of the state legislature have passed Senate File 262, and the bill has moved to the desk of Republican Kim Reynolds for her signature or veto.
Perhaps most importantly to companies in the accounts receivable management industry, the bill does not include a private right of action, prohibiting consumers from filing lawsuits for alleged violation’s of the bill’s provisions. Many of the other provisions in the bill are similar to the other states that have enacted their own privacy laws, such as California, Connecticut, Virginia, and Utah. In fact, the Technology Association of Iowa welcomed passage of the bill.
The bill does not include a consumer’s right to correct nor does it include sensitive data opt-in consent. Covered entities — defined as those that control or process personal data on 100,000 Iowan consumers or derive 50% of their revenue from selling the data of more than 25,000 consumers — are not required to conduct risk assessments, either.
Meanwhile, in Colorado, the Colorado Privacy Act will apply to entities that control or process personal data of at least 100,000 consumers per calendar year; or sell personal data and control or process the personal data of at least 25,000 consumers. It does not apply to certain entities including state and local governments and state institutions of higher education, personal data governed by listed state and federal laws, listed activities, and employment records.
Covered entities must conduct and document a data protection assessment and it is the first law in the nation to provide regulations governing data protection assessments conducted under a general state privacy law.
Like Iowa, there is no private right of action in the Colorado Privacy Act.