HF2048 • 2026

A bill for an act relating to personal data processing practices for companies, and making civil penalties applicable.

Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor: GEARHART
Last action: 2026-01-14
Official status: Introduced, referred to Economic Growth and Technology. H.J. 77.
Effective date: Not listed

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

A bill for an act relating to personal data processing practices for companies, and making civil penalties applicable.

What This Bill Does

  • A bill for an act relating to personal data processing practices for companies, and making civil penalties applicable.

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Bill History

  1. 2026-01-14 Iowa Legislature

    Introduced, referred to Economic Growth and Technology. H.J. 77.

Official Summary Text

A bill for an act relating to personal data processing practices for companies, and making civil penalties applicable.

Current Bill Text

House File 2048 - Introduced

HOUSE FILE 2048
BY GEARHART

A BILL FOR

An Act relating to personal data processing practices for companies, and making civil penalties applicable.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 5397YH (3) 91
dg/jh

H.F. 2048

Section 1. NEW SECTION. 715F.1 Definitions.

1. “Automated decision making” means a process that uses personal data to make decisions, including but not limited to profiling, risk scoring, and determining eligibility, without human involvement.

2. “Company” means a person conducting business in this state that processes the personal data of five thousand or more individuals who reside in this state in a single calendar year.

3. “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual. “Personal data” does not include de-identified or aggregate data or publicly available information.

4. “Process” means the act of performing an operation on personal data, including collecting, storing, using, analyzing, disclosing, or deleting personal data.

Sec. 2. NEW SECTION. 715F.2 Company requirements.

1. A company shall do all of the following:

a. Disclose all of the following to an individual in a clear and conspicuous manner prior to processing the individual’s personal data:

(1) The purposes for which the company intends to use the individual’s personal data, including but not limited to whether the personal data will be used for automated decision making or artificial intelligence training. The purposes shall include a plain language description of how the personal data will be used.

(2) The types of personal data the company intends to process.

(3) The types of persons with whom the company intends to share or sell personal data.

(4) Whether the individual will be compensated for providing personal data, and in what form such compensation will come.

b. (1) Obtain consent from an individual to allow the company to process the individual’s personal data prior to processing the individual’s personal data.

(2) A company shall obtain consent from an individual by offering the individual a clear means to affirmatively provide the consent. The company shall not use deceptive or manipulative means to obtain an individual’s consent.

c. Collect only the personal data reasonably necessary to achieve the purposes disclosed under paragraph “a”.

d. Allow an individual to revoke consent to allow the company to process the individual’s data in a manner that is no more burdensome than the manner used to obtain the individual’s consent.

e. Cease all processing of the individual’s personal data within thirty calendar days of receiving notice that the individual has revoked consent to allow the company to process the individual’s personal data.

f. Implement and maintain administrative, technical, and physical practices that ensure the security of personal data the company processes. The practices shall be appropriate for the company given the volume, nature, and sensitivity of the personal data the company processes.

2. A company shall not do any of the following:

a. Process personal data in a manner the individual to whom the personal data pertains has not consented.

b. Deny or downgrade an individual’s service solely because the individual exercised a right granted under section 715F.3.

Sec. 3. NEW SECTION. 715F.3 Personal data processing —— individual rights.

A resident of this state shall have all of the following rights:

1. To obtain confirmation from a company of whether the company is processing the individual’s personal data.

2. To obtain a detailed summary of the personal data processed by a company.

3. To request that a company correct inaccurate personal data pertaining to the individual and processed by the company.

4. Subject to other data retention requirements, to request that a company delete personal data pertaining to the individual and processed by the company.

5. To revoke, at any time, consent the individual gave to a company to process the individual’s personal data.

Sec. 4. NEW SECTION. 715F.4 Enforcement —— penalties.

1. The attorney general shall have the authority to investigate violations and enforce this chapter.

2. A violation of this chapter shall constitute an unlawful practice under section 714.16.

3. A resident of this state may bring a private action against a company for injunctive relief, civil penalties, and actual damages caused by any of the following:

a. An unauthorized entity obtaining the resident’s personal data due to the company’s failure to implement or maintain sufficient administrative, technical, and physical practices to ensure the security of personal data the company processes.

b. A violation of this chapter the company committed that resulted in actual damages to the resident.

4. A violation of this chapter shall be punishable by a civil penalty of up to seven thousand five hundred dollars per violation per affected resident of this state.

5. Civil penalties awarded to the state under this chapter shall be deposited into the general fund of the state.

Sec. 5. NEW SECTION. 715F.5 Exemptions.

This chapter shall not apply to any of the following:

1. Personal data processed in the course of obtaining, issuing, or executing a valid warrant or subpoena.

2. Personal data processed solely for national security or law enforcement purposes.

3. Personal data that has been de-identified or made anonymous so that the data can no longer be reasonably linked to an individual.

Sec. 6. Section 714.16, subsection 2, Code 2026, is amended by adding the following new paragraph:

NEW PARAGRAPH. t. It is an unlawful practice for a company to violate chapter 715F.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to personal data (data) processing practices for companies.

The bill defines “automated decision making” as a process that uses data to make decisions, including but not limited to profiling, risk scoring, and determining eligibility, without human involvement.

The bill defines “company” as a person conducting business in this state that processes the data of 5,000 or more individuals who reside in this state in a single calendar year.

The bill defines “personal data” as any information that is linked or reasonably linkable to an identified or identifiable individual. “Personal data” does not include de-identified or aggregate data or publicly available information.

The bill defines “process” as the act of performing an operation on data, including collecting, storing, using, analyzing, disclosing, or deleting data.

The bill details several disclosures a company must make and acts the company must perform. The bill also prohibits a company from processing data in a manner that the individual to whom the personal data pertains has not consented, and prohibits a company from denying or downgrading an individual’s service solely because the individual exercised a right granted under the bill.

The bill details several rights that each resident of this state shall have relating to data.

The bill authorizes the attorney general to investigate violations and enforce the bill. A violation of the bill shall constitute an unlawful practice under Code section 714.16 (consumer frauds). A resident of this state is allowed to bring a private action against a company for injunctive relief, civil penalties, and actual damages caused by an unauthorized entity obtaining the resident’s personal data due to the company’s failure to implement or maintain sufficient administrative, technical, and physical practices to ensure the security of personal data the company processes, or for a violation of the bill the company committed that resulted in actual damages to the resident. A violation of the bill is punishable by a civil penalty of up to $7,500 per violation per affected resident of this state. Penalties awarded to the state shall be deposited into the general fund of the state.

The bill exempts personal data processed in the course of obtaining, issuing, or executing a valid warrant or subpoena; personal data processed solely for national security or law enforcement purposes; and personal data that has been de-identified or made anonymous so that the data can no longer be reasonably linked to an individual from the bill’s provisions.

The bill makes a conforming change to Code section 714.16.