As discussed in Parts One and Two of this series, Iowa has recently enacted a consumer data protection statute called the “Iowa Consumer Data Protection Act” (“ICDPA”). The Act comes into effect on January 1, 2025. Below, the consumer data protection compliance lawyers at Revision Legal discuss why the ICDPA can be seen as the weakest and least protective of the current data consumer protection statutes.

Let’s take a detailed look at one example. Most consumer data protection statutes allow consumers to “opt out” of having their personal or sensitive data sold or used for targeted advertising. Typically, a clear and conspicuous “opt-out” button must be made available, allowing consumers to easily exercise their “opt-out” rights.

The ICDPA does not require this, and it seems that the ICDPA permits a cumbersome process for invoking “opt-out” rights. For example, section 715D.4 states that “[i]f a controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.” Section 715D.3 states that a “consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to the controller …” Taken together, these provisions allow a controller to omit an “easy-click” button and require a consumer to “submit a request” for opting out. For obvious reasons, a “less easy” option for opting opt will reduce the number of consumers who exercise their opt-out rights.

Here are a few other examples of why the ICDPA can be deemed the weakest of the consumer data protection statutes:

• No “opt-in” requirement for cookie use or any effort to incentivize obtaining an “opt-in” — under the European data protection regulations, there must be an affirmed “opt-in” for cookies; other US statutes incentive asking for “opting-in” by excluding cookie-collected data as “personal data”
• “Sale of personal data” is defined in the ICDPA to mean the “exchange of personal data for monetary consideration by the controller to a third party” — this is a very weak definition; more protective statutes include concepts like obtaining “anything of value” in exchange for data and the idea that a “sale” can include “the sharing” of data
• No requirement for controllers to prepare data protection assessment reports
• No data protection when a person is “acting in a commercial or employment context,” including applying for a job — employers generally request a great deal of personal data when seeking job applicants
• The ICPDA grants immunity for controllers and processors for third-party violations of the ICDPA as long as the controllers or processors did not know in advance that the third party was going to use/process the shared/sold data in violation of the ICDPA — this is unique to the ICDPA
• Consumer “consent” is defined to include “any other unambiguous affirmative action,” which arguably includes any “negative” action like closing or ignoring a pop-up window
• And more

Contact T]the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.