The bill establishes new regulations regarding personal data processing practices for companies operating in Iowa, particularly those that process the personal data of 5,000 or more individuals annually. It defines key terms such as "automated decision making," "company," "personal data," and "process." Companies are required to disclose the purposes for which they intend to use personal data, obtain explicit consent from individuals before processing their data, and allow individuals to revoke consent easily. Additionally, companies must implement security measures to protect personal data and are prohibited from processing data without consent or penalizing individuals for exercising their rights under the bill.

The bill also grants residents specific rights concerning their personal data, including the right to confirm whether their data is being processed, request corrections, and demand deletion of their data. The attorney general is empowered to investigate violations and enforce compliance, with penalties for non-compliance reaching up to $7,500 per violation per affected resident. Furthermore, the bill outlines exemptions for certain types of data processing, such as that related to law enforcement or national security. A conforming change is made to existing consumer fraud laws to include violations of this new chapter on personal data processing.

Statutes affected:
Introduced: 714.16