State Privacy Update – Iowa, California, and the NAIC

Privacy & Cybersecurity Newsletter
April 2023

Iowa Joins the Consumer Privacy Party

On March 28, 2023, Governor Kim Reynolds signed a new Iowa consumer privacy statute to be effective January 1, 2025, the Iowa Consumer Data Protection Act, joining California, Colorado, Connecticut, Utah and Virginia in enacting general consumer privacy legislation. Fortunately, Iowa follows the basic framework of the states other than California, by excluding business to business and employment data from the definition of personal information. The Iowa statute also incorporates broad, entity-based exemptions for financial institutions subject to the Gramm-Leach-Bliley Act, and persons subject to HIPAA, as well as nonprofits and others. Consumer rights (rights to access, delete, and opt out of sales) are also similar to the existing state privacy laws. Unlike the other states, Iowa does not provide a right to correct personal information or a right to limit processing of sensitive personal information, and does not impose an obligation to conduct risk assessments. We will soon update our comparison chart to highlight similarities and differences among the six state general consumer privacy laws.

CCPA Regs Finalized; more to follow.

On March 29, 2023, the California Privacy Protection Agency (the “CPPA") finalized its regulations for implementing the California Consumer Privacy Act, as amended (including by the California Privacy Rights Act, together, the “CCPA”). The proposed regulations had been substantially unchanged since November 3, 2022, when the latest version of the proposed regulations was circulated. Unfortunately, further regulatory action will be required to provide regulatory guidance concerning the following important issues: cybersecurity audits, risk assessments and automated decision making. Preliminary comments on these issues were requested by the CPPA on February 10, 2023, and comments were closed on March 27, 2023. The next CPPA meeting is scheduled for April 14, where the agency may provide an update on these anticipated additional regulations.

NAIC Consumer Privacy Protections Model Act (# 674)

As we reported here, the NAIC has promulgated a proposed new model consumer privacy law to replace the two prior models (#670 and #672), and to reconcile their inconsistencies. The comment period on the first draft of the new proposed model closed April 3, 2023. After the NAIC issues its next draft, which we hope will address the comments submitted by industry, we will publish our analysis of the new draft.