Privacy experts weigh in on the growing number of state data privacy laws and the American Data Privacy and Protection Act legislation in the works at the federal level.

Carrie Pallardy, Contributing Reporter

March 24, 2023

The Iowa Legislature has voted to approve Senate File 262, making Iowa the sixth state to have a comprehensive data privacy law. While the new law heralds the mounting interest in protecting consumer privacy, it adds to the complicated conversation around the patchwork of state laws, the possibility of federal legislation, and what the ideal data privacy law looks like. Six data privacy experts spoke to InformationWeek about Iowa’s new law, how it compares to existing state laws, and how federal legislation could shape the landscape for consumer data privacy.

Iowa’s Data Privacy Law

This new data privacy law will go into effect on Jan. 1, 2025. Iowa joins five other states with data privacy laws. The structure of Iowa’s legislation is similar to existing data privacy laws in Colorado, Connecticut, Utah, and Virginia.

“It does not introduce any new ideas, though it lacks many of the features of the strongest state privacy laws. For example, Iowa’s inclusion of data rights for consumers does not include a right to correct data or a right to opt out of profiling. It also includes limitations on rights to data portability and deletion, similar to those seen in Utah,” says Cobun Zweifel-Keegan, managing director at global information privacy organization International Association of Privacy Professionals (IAPP).

The similarity between this law and other state data privacy laws means companies operating in those other states will likely not face additional steps to achieve compliance in Iowa. “Noteworthy though is that the Iowa law means that there is one more regulator who may identify and enforce privacy violations,” Bill Roberts, co-chair of Data Privacy, Protection and Litigation group at US law firm Day Pitney, points out.

California

“The first group of five states can roughly be sorted into two categories: California -- and all of the other states,” says Roberts. California has the most robust regulations of all the states that have enacted data privacy laws. The California Consumer Privacy Act (CCPA) was signed into law in 2018. The California Privacy Rights Act (CPRA) amended the CCPA, adding more privacy protections at the beginning of this year.

In 2022, California Governor Gavin Newsom signed AB 2273 into law, legislation designed to protect children’s online data and privacy, but that law is facing a legal challenge. NetChoice, a tech industry group with members like Amazon, Google and Meta, is suing the state over AB 2273.

NetChoice argues that the law actually threatens children’s privacy. “To comply with AB 2273’s age-verification requirements, online services must collect each of its users’ sensitive personal data, like passports and biometric face scans, every time they go online. Child predators and hackers will be drawn to less secure sites as goldmines for children’s private data,” says Nicole Saad Bembridge, associate director of the recently launched NetChoice Litigation Center.

NetChoice is also arguing that the law violates the First Amendment. “AB 2273 also violates the First Amendment by prohibiting anonymous speech and by limiting Californians’ ability to share and receive information online,” Saad Bembridge says.

Impact on Consumers and Businesses

The emergence of more data privacy legislation is likely to continue. “It brings the US closer in line with trends we are seeing throughout the world as we have over 160 countries with data protection laws today,” says Dominique Shelton Leipzig, partner, cybersecurity and data privacy at global law firm Mayer Brown.

These laws have notable impacts on the companies subject to them and consumers. “For companies, comprehensive privacy laws like these enshrine the existing practices of the privacy profession into law. These laws clarify that our minimum standards for privacy are not just best practices, but legally enforceable by state attorneys general,” says Zweifel-Keegan.

While these laws shine a light on data privacy, many critics argue against the “patchwork” approach of state-by-state legislation. “The continuation of the current state-by-state trend means companies are increasingly complying with a complex and evolving patchwork of regulatory requirements. Right now, more than a dozen states have privacy laws underway,” says Andrew Clearwater, chief trust architect at privacy and security software company OneTrust.

For consumers, data privacy laws give them more control over how their data is collected and used. For example, the right to opt out of sale is a common provision in these state laws. But some point out that these laws place too much burden on consumers.

“People are inundated with terms of uses, privacy policies, click-wrap agreements, and online notices -- the success of these laws in empowering consumers to understand and control how their data is collected will depend on how forceful regulators are with respect to conspicuous and understandable privacy policies and notices,” Roberts clarifies.

Federal Legislation

While new state laws are in the works, the question of federal legislation looms large. “Nearly all privacy policy experts are united in the opinion that a single federal consumer privacy law would be better than a patchwork of state laws,” Zweifel-Keegan asserts.

The American Data Privacy and Protection Act (ADPPA) (HR 8152), introduced last year, is a bill that could become federal privacy law. The ADPPA would include the elements existing in state laws and go further, according to Zweifel-Keegan.

“Not only would it provide for uniformity between the diverging state requirements, it would also impose a data minimization standard to require companies to process data only for approved purposes,” he explains. “It includes new ideas for a data privacy law, like anti-discrimination provisions, as well as a requirement for data brokers to register on a centralized Do Not Collect registry.”

How the ADPPA would ultimately impact state data privacy laws is a big question. “Advocates are calling for the future federal privacy law to serve as a ‘floor’ instead of a ‘ceiling,’” says Heather Federman, chief privacy officer at data management company BigID. She offers the Health Insurance Portability and Accountability Act (HIPAA) as an example. “We have the federal HIPAA law for medical privacy protections, but states are able to keep their existing medical privacy laws and even make them stronger.”

Shelton Leipzig points out that there are different schools of thought on what a federal law should mean for state laws. “The business community has pushed for uniformity and thereby exemption of state privacy laws,” she says.

The timeline for the passage of federal legislation remains uncertain. In the meantime, more states could pass their own data privacy laws. “If other states are dead set on legislating before Congress passes an omnibus privacy measure, they should follow Iowa’s example and not add additional complexity to the existing privacy patchwork,” Saad Bembridge urges.

About the Author(s)

Carrie Pallardy

Contributing Reporter

Carrie Pallardy is a freelance writer and editor living in Chicago. She writes and edits in a variety of industries including cybersecurity, healthcare, and personal finance.
