The latest state comprehensive privacy law, enacted in Iowa, lacks several requirements for businesses and rights for consumers included in most other states’ legislation.
Iowa became the sixth state to sign localized data protections into law last week with its act, referred to as Senate File 262, even as federal lawmakers remain stymied on passing a national privacy standard. It’s considered one of the more business-friendly approaches so far, which privacy advocates say results in weaker data privacy protections.
There are some common features among the state measures: State attorneys general are the primary enforcers of all six laws, and they all empower consumers to access, delete, or opt out of the sale of their personal data. The measures all regulate only businesses that process the data of at least 100,000 consumers or generate more than half their revenue by selling personal data.
All the state laws initially offered businesses a right-to-cure period—a set number of days to correct violations before facing regulatory action—with the longest being Iowa’s 90 days. The California Privacy Protection Agency now determines the length of the period for that state’s offenders, and some states plan to sunset those provisions. Iowa and Utah’s cure periods, however, are permanent.
The chief differences between Iowa’s law and the others include not requiring businesses to assess their cybersecurity and not granting consumers the right to correct inaccurate information or to delete data collected by third parties.
To contact the reporter on this story:
To contact the editors responsible for this story: