§ 715D.4 — Data controller duties

Iowa § 715D.4

• Jurisdiction: Iowa
• Title XVI: CRIMINAL LAW AND PROCEDURE
• Ch. 715D: CONSUMER DATA PROTECTIONS

Text

1. A controller shall adopt and implement reasonable administrative, technical, and
physical data security practices to protect the confidentiality, integrity, and accessibility of
personal data. Such data security practices shall be appropriate to the volume and nature
of the personal data at issue.
2. Acontrollershallnotprocesssensitivedatacollectedfromaconsumerforanonexempt
purpose without the consumer having been presented with clear notice and an opportunity
to opt out of such processing, or, in the case of the processing of sensitive data concerning a
known child, without processing such data in accordance with the federal Children’s Online
Privacy Protection Act, 15 U.S.C. §6501 et seq.
3. A controller shall not process personal data in violation of state and federal laws that
prohibit unlawful discrimination against a consumer. A controller shall not discriminate
against a consumer for exercising any of the consumer rights contained in this chapter,
including denying goods or services, charging different prices or rates for goods or services,
§715D.4, CONSUMER DATA PROTECTIONS 6
or providing a different level of quality of goods and services to the consumer. However,
nothing in this chapter shall be construed to require a controller to provide a product or
service that requires the personal data of a consumer that the controller does not collect or
maintain or to prohibit a controller from offering a different price, rate, level, quality, or
selection of goods or services to a consumer, including offering goods or services for no fee,
if the consumer has exercised the consumer’s right to opt out pursuant to section 715D.3 or
the offer is related to a consumer’s voluntary participation in a bona fide loyalty, rewards,
premium features, discounts, or club card program.
4. Any provision of a contract or agreement that purports to waive or limit in any way
consumer rights pursuant to section 715D.3 shall be deemed contrary to public policy and
shall be void and unenforceable.
5. A controller shall provide consumers with a reasonably accessible, clear, and
meaningful privacy notice that includes the following:
a. The categories of personal data processed by the controller.
b. The purpose for processing personal data.
c. How consumers may exercise their consumer rights pursuant to section 715D.3,
including how a consumer may appeal a controller’s decision with regard to the consumer’s
request.
d. The categories of personal data that the controller shares with third parties, if any.
e. The categories of third parties, if any, with whom the controller shares personal data.
6. If a controller sells a consumer’s personal data to third parties or engages in targeted
advertising, the controller shall clearly and conspicuously disclose such activity, as well as
the manner in which a consumer may exercise the right to opt out of such activity.
7. A controller shall establish, and shall describe in a privacy notice, secure and reliable
means for consumers to submit a request to exercise their consumer rights under this
chapter. Such means shall consider the ways in which consumers normally interact with the
controller, the need for secure and reliable communication of such requests, and the ability of
the controller to authenticate the identity of the consumer making the request. A controller
shall not require a consumer to create a new account in order to exercise consumer rights
pursuant to section 715D.3, but may require a consumer to use an existing account.