Those of us who have spent a few years or decades in privacy have long asked three core questions:
- How come Indiana doesn’t have its own privacy law that’s similar to Virginia’s?
- How come Iowa doesn’t have its own privacy law that sort of looks like Utah’s?
- Can we get rid of the CMIA already?
Well, my privacy friends, good news on the first two, because Indiana and Iowa passed their privacy laws and they are indeed pretty similar to Virginia’s and Utah’s respectively. For those keeping track at home, these are the 6th and 7th states to pass comprehensive privacy laws.
Links to the descriptions of these laws are provided further below. In a nutshell, these laws apply to businesses that process the personal data of 100,000 residents of the applicable state, or that generate a certain percentage of revenue from the sale of personal data. Under these laws, such businesses are required to:
- Respect data subject rights. Both laws provide the following rights: access, delete, opt out of certain processing, portability, opt out of sales. Indiana also provides the right to correct and to portability.
- Limit the use of personal data to the purpose for which data is collected.
- Maintain reasonable security for the data.
- Provide a clear privacy notice describing the collection/use/disclosure of data.
- Conduct privacy impact assessments for certain data processing.
- Enter into data processing contracts.
The Implications
The clearest implications are for the residents of Iowa and Indiana, who now have certain data subject rights with respect to information collected by certain companies. That’s nice. For businesses, the implications are less notable. Since these laws are similar to existing state laws, the new obligations are pretty modest:
- Update your privacy policy to expressly inform residents of these states that they have data subject rights.
- Ensure that your company’s data subject request processing is responsive to requests from Iowa and Indiana (although it is becoming more common to respond to requests from all states to avoid FTCA and state AG scrutiny under consumer protection laws).
- If your company separates the processing of information (especially sensitive information) by state of residency, add Indiana and Iowa to the list of states whose data handling must comply with state-law requirements.
- If your company separates consent or cookie management on its website based on state of origin, add Indiana and Iowa to the consent management consideration.
- Add data from Indiana and Iowa to privacy impact assessments.
IAPP summarizes the Iowa law here and the Indiana law here.
I’ll address getting rid of CMIA in a separate post.