Senate File 2272 - Introduced
SENATE FILE 2272
BY ALONS
A BILL FOR
1 An Act relating to consumer data protection, and including
2 effective date provisions.
3 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
TLSB 5571XS (4) 90
nls/ko
S.F. 2272
1 Section 1. Section 715D.1, subsection 5, as enacted by
2 2023 Iowa Acts, chapter 17, section 1, is amended to read as
3 follows:
4 5. “Child” means any natural person younger than thirteen
5 eighteen years of age.
6 Sec. 2. Section 715D.1, as enacted by 2023 Iowa Acts,
7 chapter 17, section 1, is amended by adding the following new
8 subsections:
9 NEW SUBSECTION. 9A. “Decision that produces legal or
10 similarly significant effects concerning a consumer” means a
11 decision made by a controller that affects the ability of a
12 person to access any of the following:
13 a. Financial and lending services.
14 b. Housing.
15 c. Insurance.
16 d. Education.
17 e. Criminal justice services.
18 f. Employment opportunities.
19 g. Health care services.
20 h. Basic necessities, such as food and water.
21 NEW SUBSECTION. 12A. “Health data” means data that
22 pertains to the health status of an individual that discloses
23 information related to the past, current, or future physical or
24 mental health status of the individual.
25 NEW SUBSECTION. 21A. “Profiling” means any form of
26 automated processing performed on personal data to evaluate,
27 analyze, or predict specific factors related to the economic
28 status, health, personal preferences, interests, reliability,
29 behavior, location, or movements of an identified or
30 identifiable individual.
31 Sec. 3. Section 715D.1, subsection 14, as enacted by
32 2023 Iowa Acts, chapter 17, section 1, is amended to read as
33 follows:
34 14. “Health record” means any written, printed, or
35 electronically recorded material maintained by a health care
LSB 5571XS (4) 90
-1- nls/ko 1/4
S.F. 2272
1 provider in the course of providing health services to an
2 individual concerning the individual and the services provided,
3 including related health information and associated nonhealth
4 information, provided in confidence to a health care provider.
5 Sec. 4. Section 715D.1, subsection 26, as enacted by 2023
6 Iowa Acts, chapter 17, section 1, is amended by adding the
7 following new paragraph:
8 NEW PARAGRAPH. e. Health data.
9 Sec. 5. Section 715D.2, subsection 2, as enacted by 2023
10 Iowa Acts, chapter 17, section 2, is amended to read as
11 follows:
12 2. This Except as it relates to health data, this chapter
13 shall not apply to the state or any political subdivision of
14 the state; financial institutions, affiliates of financial
15 institutions, or data subject to Tit. V of the federal
16 Gramm-Leach-Bliley Act of 1999, l5 U.S.C. §6801 et seq.;
17 persons who are subject to and comply with regulations
18 promulgated pursuant to Tit. II, subtit. F, of the federal
19 Health Insurance Portability and Accountability Act of 1996,
20 Pub. L. No. 104-191, and Tit. XIII, subtit. D, of the federal
21 Health Information Technology for Economic and Clinical Health
22 Act of 2009, 42 U.S.C. §17921 - 17954; nonprofit organizations;
23 or institutions of higher education.
24 Sec. 6. Section 715D.2, subsection 3, as enacted by 2023
25 Iowa Acts, chapter 17, section 2, is amended by adding the
26 following new paragraph:
27 NEW PARAGRAPH. 0b. Information or data maintained by a
28 public health authority, as defined by HIPAA, provided the
29 public health authority has received the consumer’s consent
30 unless otherwise required by HIPAA.
31 Sec. 7. Section 715D.2, subsection 3, paragraph l, as
32 enacted by 2023 Iowa Acts, chapter 17, section 2, is amended
33 to read as follows:
34 l. Information used only for public health activities and
35 purposes Purposes as authorized by HIPAA., provided that the
LSB 5571XS (4) 90
-2- nls/ko 2/4
S.F. 2272
1 information is all of the following:
2 (1) De-identified.
3 (2) Aggregated.
4 (3) Processed in batches of no less than one hundred
5 consumers.
6 Sec. 8. Section 715D.3, subsection 1, paragraph d, as
7 enacted by 2023 Iowa Acts, chapter 17, section 3, is amended
8 by striking the paragraph and inserting in lieu thereof the
9 following:
10 d. To be notified of, or to opt out of, profiling in
11 furtherance of a decision that produces legal or similarly
12 significant effects concerning a consumer. Notification to
13 the consumer pursuant to this paragraph shall be in plain
14 language and include the type of data subject to profiling,
15 any requirements for a person receiving the consumer’s data to
16 delete or return the data, and the process for a consumer to
17 file a complaint.
18 Sec. 9. EFFECTIVE DATE. This Act takes effect January 1,
19 2025.
20 EXPLANATION
21 The inclusion of this explanation does not constitute agreement with
22 the explanation’s substance by the members of the general assembly.
23 This bill relates to consumer data protection and amends
24 2023 Iowa Acts, chapter 17.
25 Under Code section 715D.1, as enacted by 2023 Iowa Acts,
26 chapter 17, section 1, “child” is defined as any natural person
27 younger than 13 years of age. Under the bill, “child” is
28 defined as any natural person younger than 18 years of age.
29 The bill expands the definition of “health record” to
30 include, in addition to any record containing related health
31 information, any record containing nonhealth information that
32 is related to health information provided in confidence to a
33 health care provider.
34 The bill expands the definition of “sensitive data” to
35 include health data. “Health data” is defined in the bill.
LSB 5571XS (4) 90
-3- nls/ko 3/4
S.F. 2272
1 Under the bill, except as it relates to health data, the
2 Code chapter shall not apply to the state or any political
3 subdivision of the state; financial institutions, affiliates
4 of financial institutions, or data subject to Tit. V of the
5 federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et
6 seq.; persons who are subject to and comply with regulations
7 promulgated pursuant to Tit. II, subtit. F, of the federal
8 Health Insurance Portability and Accountability Act of 1996,
9 Pub. L. No. 104-191, and Tit. XIII, subtit. D, of the federal
10 Health Information Technology for Economic and Clinical Health
11 Act of 2009, 42 U.S.C. §17921 – 17954; nonprofit organizations;
12 or institutions of higher education.
13 The bill exempts information or data maintained by a
14 public health authority, as defined by HIPAA, from the Code
15 chapter provided the public health authority has received the
16 consumer’s authorization, unless otherwise required by HIPAA.
17 The bill exempts information used only for public health
18 activities and purposes as authorized by HIPAA, provided that
19 the information is de-identified, aggregated, and processed in
20 batches of no less than 100 consumers from the Code chapter.
21 Under the bill, a consumer shall have the right to request
22 to be notified of, or to opt out of, profiling in furtherance
23 of a decision that produces legal or similarly significant
24 effects concerning a consumer. The bill defines “profiling”
25 as any form of automated processing performed on personal data
26 to evaluate, analyze, or predict specific factors related to
27 the economic status, health, personal preferences, interests,
28 reliability, behavior, location, or movements of an individual.
29 Notification to the consumer shall be in plain language and
30 include the type of data subject to profiling, any requirements
31 for a person receiving the consumer’s data to delete or return
32 the data, and the process for a consumer to file a complaint.
33 “Decision that produces legal or similarly significant effects
34 concerning a consumer” is defined in the bill.
35 The bill takes effect January 1, 2025.
LSB 5571XS (4) 90
-4- nls/ko 4/4

Statutes affected:
Introduced: 715D.1, 715D.2, 715D.3