State Privacy Update: A New Omnibus Privacy Law Passes in Iowa, Colorado Finalizes Privacy Rules
This week saw two new major developments in the state privacy law landscape. On March 15, Iowa’s House unanimously passed Senate File 262 (SF 262), an omnibus privacy bill that already unanimously passed the Senate earlier this month. Having been approved in both chambers, the bill will go to the Governor. If enacted, SF 262 will become the sixth omnibus state privacy law in the country, following laws in California, Colorado, Connecticut, Utah, and Virginia.
Also on March 15, the Colorado Attorney General’s (AG) office filed its final Colorado Privacy Act rules with the Secretary of State’s Office. The rules, which were promulgated pursuant to the Colorado Privacy Act (CPA), will be published in the Colorado Register later this month and will become effective on July 1, 2023.
As we discussed in our webinar, Staying Ahead of State Privacy Laws, compliance requirements for emerging U.S. state privacy laws and regulations can be a quickly shifting target. This week’s developments add to the complex and evolving state privacy landscape that companies must navigate in real time. Below is a high-level summary of the Iowa bill and the Colorado regulations, which impacted companies will need to understand and incorporate into their compliance plans.
The Iowa Bill
On March 15, SF 262 passed the Iowa House. The bill had passed the Senate on March 6 and will move on to the Governor’s desk. If enacted, the bill would become the sixth omnibus state privacy law in the United States. Below is a high-level look at the bill, which, if enacted, would go into effect on January 1, 2025.
- Scope. The bill would apply to persons conducting business in Iowa or targeting consumers who are Iowa residents, and either (1) control or process the data of at least 100,000 consumers, or (2) control or process data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
- Consumer Rights. The bill would create several consumer rights similar to other state privacy laws, including:
  - The right to know
  - The right to delete data provided by the consumer
  - The right to data portability
  - The right to opt-out of data sales
  - The right to nonretaliation for exercising consumer rights
- Controller Obligations. The bill would create several obligations for controllers, including:
  - Implementing reasonable data security practices
  - Providing consumers with clear notice and an opportunity to opt-out of sensitive data processing for a nonexempt purpose
  - Providing privacy notices that meet certain requirements, including disclosures related to data sales and targeted advertising
- Controller-Processor Obligations. The bill would require contracts between controllers and processors to meet several requirements, and it would require processors to assist controllers in fulfilling their duties, such as fulfilling consumer rights requests and data security obligations.
- Enforcement and Implementation. Under the bill, the AG would have sole authority to enforce the law, and the AG must provide a 90-day cure period before initiating any enforcement action. The bill would not create a private right of action. Additionally, the bill does not include a rulemaking provision.
The Colorado Regulations
The final Colorado regulations are the result of a lengthy rulemaking process, which included a series of drafts, comment periods, stakeholder meetings, and a formal rulemaking hearing.
The final rules span several topics that supplement and, in many cases, add to a covered company’s obligations under the CPA. This includes:
- Definitions. The regulations define several terms that are left undefined by the CPA. For example, the rules define “automated processing” and include separate definitions for “solely automated,” “human involved,” and “human reviewed” processing. The term “sensitive data inferences” is also defined in the rules.
- Communications with Consumers. The rules set forth baseline requirements for controllers with respect to certain disclosures, notifications, and other communications with consumers required under the CPA and the rules.
- Consumer Rights. The rules provide further clarification around consumer rights, which include rights to opt-out, access, correct, delete, and data portability. For example, the rules outline guidelines for controllers in establishing methods for consumers to submit requests, as well as guidelines for controllers to respond to and honor consumer rights requests.
- Controller Obligations. Controllers will be required to follow more detailed rules regarding privacy notices, changes to privacy notices, loyalty programs, purpose specification, data minimization, and security and confidentiality of user data. The rules also expand on controllers’ duties regarding sensitive data.
- Universal Opt-Out Mechanism (UOOM). The regulations create technical requirements for UOOMs that would allow consumers to opt out of processing for the purposes of targeted advertising or data sales. The AG will maintain a public list of recognized UOOMs and will release an initial list by January 1, 2024. Controllers must begin recognizing and responding to these recognized UOOMs on July 1, 2024.
- Consent. The rules create requirements for obtaining consumer consent as required under the CPA. For example, the rules expand on the statute’s prohibition on obtaining consent using “dark patterns.” The rules also provide detailed examples of what is required for consent to be valid under the law. Notably, the rules establish new consent “refresh” obligations when a consumer has not interacted with a controller for a two-year period.
- Data Protection Assessments (DPA). The CPA requires controllers to conduct DPAs for processing “that presents a heightened risk of harm to a consumer,” which is explained in the statute. The rules provide detailed requirements to which DPAs must adhere. These include standards for internal and external stakeholder involvement in DPAs, as well as a list of 13 minimum elements that must be included in the DPA.
- Profiling. The Colorado regulations have a special section dedicated to rules that govern automated profiling. This section includes transparency requirements, opt-out requirements, and DPA requirements. The rules distinguish between different types of automated profiling. For example, the opt-out right obligations for controllers vary depending on the level of human involvement in the automated decision-making activity.
Navigating the plethora of statutory and regulatory privacy obligations is becoming increasingly complex. Wiley’s Privacy, Cyber & Data Governance Team has helped entities of all sizes from various sectors proactively address risks and compliance with new privacy laws and advocate before government agencies. Please reach out to any of the authors with questions.