Iowa could soon join the growing roster of states with privacy laws that give residents the ability to wield control over some information about themselves that has been collected online.
But consumers' rights under the bill are so limited that advocacy group Consumer Reports is urging Governor Kim Reynolds to veto the measure.
The bill (SF 262), which was passed this week, “represents a wishlist of industry-sought provisions by offloading all the responsibility for privacy protection onto the individual with almost no substantive limitations on how companies collect or process data,” Consumer Reports analyst Matt Schwartz stated Thursday.
On the other hand, the Technology Association of Iowa, whose board includes employees of Google and Salesforce, cheered news of the bill's passage.
“We are proud to see SF262 ... pass unanimously this afternoon and on its way to the Governor's Desk,” the group tweeted Wednesday.
If enacted, the bill would give consumers the ability to learn what personal information about them has been collected, to have that data deleted, and to prevent the “sale” of that data -- with sale defined as a monetary exchange. The measure's definition of personal information excludes pseudonymous data, such as information stored in cookies.
Unlike privacy laws in some other states, including California, Colorado and Connecticut, the Iowa bill doesn't appear to give consumers the right to opt out of pseudonymous online ad targeting -- meaning ads served based on data collected across sites and stored in cookies.
Unless vetoed by Reynolds, or overridden by a national privacy law, the measure will take effect January 1, 2025.