Iowa became the sixth state with a comprehensive privacy law after passing the Act Relating to Consumer Data Protection (ICDPA), and Indiana’s Senate Bill 5 is set to make Indiana the seventh, following Governor Holcomb’s signature. These two new laws are not the most restrictive of the bunch; however, the growing number of nuances among state privacy laws can make compliance burdensome.
Iowa’s law goes into effect on January 1, 2025, with Indiana’s law becoming effective a year later, on January 1, 2026. This long timeline leaves a significant legislative runway for amendments to be introduced and passed. The most likely reason for such a long compliance timeline is to put pressure on Congress to pass privacy legislation while minimizing compliance expenditures for small and medium-sized businesses if a federal privacy law preempts state laws.
Thresholds
Both laws apply to businesses conducting business in the state that are either (1) controlling or processing the personal data of at least 100,000 residents or (2) controlling or processing the personal data of 25,000 residents and deriving over 50% of gross revenue from the sale of personal data.
Consumer Rights and Controller Obligations
Both state laws provide consumers with the right to:
- confirm whether a controller is processing the consumer’s personal data and access the personal data;
- delete personal data provided by the consumer;
- data portability; and
- opt out of the sale of personal data.
Furthermore, Indiana consumers also have the right to opt out of profiling for decisions that have a legally significant effect. Other states call this the right to opt out of algorithmic decision-making.
Both laws require controllers to implement reasonable security practices, provide a compliant privacy notice to consumers, and enter into agreements with processors that handle the controller’s personal data. Indiana requires controllers to undertake data protection assessments, whereas Iowa does not.
Right to Cure
Both states provide a right to cure following a notice of violation: 90 days in Iowa and 30 days in Indiana. Unlike certain provisions of California’s privacy laws, these cure periods do not sunset automatically.
The Parker Poe Cybersecurity & Data Privacy Practice Group will continue to provide insights and updates on the rapidly changing privacy landscape.