Iowa - Cookies & Similar Technologies

1. Governing Texts

1.1 Legislation 

• The Private Right of Action for Consumer Frauds Act, enacted in 2009 and found in §714H of Title XVI of the Iowa Code, provides a private right of action to consumers who have an ascertainable loss resulting from an unfair practice, deception, fraud, false pretense, or false promise, or the misrepresentation, concealment, suppression, or omission of a material fact with the intent that others will rely on that misleading or false statement. While this does not specifically address cookies and similar technologies, it is similar to the Federal Trade Commission Act of 1914 (FTC Act) prohibiting unlawful and deceptive acts, which has been held to cover data privacy notices. 
• An Act relating to consumer data protection (ICDPA), which goes into effect January 1, 2025, is codified in §715D.1 of Title XVI of the Iowa Code. The ICDPA is Iowa's comprehensive privacy law, similar to many other state data privacy laws enacted throughout the US. The ICDPA impacts how data is collected, retained, and processed online, thus implicating cookies and similar tracking technologies. 
• An Act Relating to Student Personal Information Protection (the Student Information Act) was enacted in 2018 and incorporated in §279.71 of Title VII of the Iowa Code. The Student Information Act prohibits the sharing and disclosure of covered student information obtained electronically on websites maintained for educational purposes. 

1.2. Regulatory Authority Guidance  

None of the Iowa laws governing privacy notices and cookies grant any rulemaking or regulatory authority. 

2. Definitions

• Cookies & similar technologies: These are not specifically defined in the Iowa Code. 
• Consent: This is defined as a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action (§715D.1(6) of the Iowa Code). 
• Personal data: This is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include de-identified or aggregate data or publicly available information (§715D.1(18) of the Iowa Code). 
• Online identifiers: There is no definition of 'online identifiers' in Iowa law. However, there is a definition of 'internet identifiers.' An 'internet identifier' is an electronic mail address, instant message address, or identifier, or any other designation or moniker used for self-identification during internet communication or posting, including all designations used for the purpose of routing or self-identification in internet communications or postings (§692A.101(15) of the Iowa Code). 
• Consumer: This is defined as a natural person who is a resident of the state acting only in an individual or household context and excluding a natural person acting in a commercial or employment context (§715D.1(7) of the Iowa Code). 
• Controller: This is defined as a person that, alone or jointly with others, determines the purpose and means of processing personal data (§715D.1(8) of the Iowa Code). 
• De-identified data: This is defined as data that cannot reasonably be linked to an identified or identifiable natural person. (§715D.1(10)of the Iowa Code). 
• Identifiable natural person: This is defined as a person who can be readily identified, directly or indirectly (§715D.1(15) of the Iowa Code). 
• Data processing: This is defined as any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data (§715D.1(20) of the Iowa Code). 
• Processor: This is defined as a person who processes personal data on behalf of a controller (§715D.1(21) of the Iowa Code). 
• Pseudonymous data: This is defined as personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person (§715D.1(23) of the Iowa Code). 
• Sensitive data: This is defined as a category of personal data that includes the following: racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, except to the extent such data is used in order to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law; genetic or biometric data that is processed for the purpose of uniquely identifying a natural person; personal data collected from an individual under 13 years of age; or precise geolocation data (§715D.1(26) of the Iowa Code). 
• Targeted advertising: This is defined as displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across non-affiliated websites or online applications to predict such consumer's preferences or interests. Targeted advertising does not include advertisements based on activities within a controller's own or affiliated website or advertisements based on the context of the consumer's search query. While targeted advertising does not explicitly invoke the use of cookies or other tracking technologies, it would be nearly impossible for targeted advertising to occur without the usage of cookies, web beacons, pixels, or other related tracking technologies (§715D.1(28) of the Iowa Code). 

3. Consent Management

3.1. Is consent required?  

Consent pertaining to cookie usage is not necessarily required under the ICDPA; however, a mechanism to opt out of cookie usage may be required in the following circumstances (§715D.4 of the Iowa Code): 

• the controller is processing sensitive data for certain non-exempt purposes; 
• the controller is selling personal data to a third party; and/or 
• the controller is engaging in targeted advertising. 

The controller must provide clear notice and opportunity to opt out of such activities (§715D.4(2) of the Iowa Code). 

3.2. Conditions for valid consent 

As detailed above, consent must be an affirmative act on the part of the consumer. Consent must be unambiguous, specific, freely given, and properly informed §715D.1(6) of the Iowa Code). 

3.3. Analytics and audience measurement cookies 

No consent is required for the processing of personal data only for the purpose of analyzing advertising performance, reach, or frequency. 

3.4. Exemptions 

The ICDPA does not apply to state political subdivisions; financial institutions, their affiliates, or data subject to the Gramm-Leach-Bliley Act of 1999 (GLBA); persons who already must abide by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009; non-profits; and institutions of higher education. 

The ICDPA also exempts certain data, including (without limitation) the following (§715D.2(2) of the Iowa Code): 

• protected health information under HIPAA, as well as health records, substance abuse records, and other health-related records; 
• identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the international council for harmonization of technical requirements for pharmaceuticals for human use; 
• personal data used or shared in research conducted in accordance with the requirements set forth in the ICDPA; 
• any information bearing on a consumer's creditworthiness, credit standing, or personal characteristics or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated and authorized under the Fair Credit Reporting Act (FCRA); 
• personal data regulated by the Family Educational Rights and Privacy Act of 1974; 
• data that is necessary to collect and retain to facilitate benefits; and 
• data collected or processed in relation to the Farm Credit Act of 1933. 

For a full list of exempt data, see §715D.2 of the Iowa Code. 

3.5. Cookie information requirements 

While there are no explicit requirements for cookie-collected information, there are requirements stemming from the broader privacy protection scheme that could apply to cookies. 

Under the ICDPA, a controller must provide clear notice and opportunity to opt out of the processing of the consumer's data prior to the processing of any sensitive data. 

The privacy notice that the controller must provide to the consumer shall be clear, reasonably accessible, and meaningful, including the following information (§715D.4 of the Iowa Code): 

• the categories of personal data processed by the controller; 
• the purpose for processing personal data; 
• how consumers can exercise their consumer rights regarding the disclosure, deletion, or amendment of collected personal data; 
• the categories of personal data shared with third parties; and 
• if the controller sells a consumer's personal data to third parties or engages in targeted advertising, then disclosure must be clear and conspicuous. 

3.6. Cookie consent mechanism  

There are no specific cookie consent mechanisms; however, the ICDPA requires certain activities that necessitate the use of cookies or similar tracking technologies to be clearly and conspicuously disclosed, detailing the manner in which the consumer may opt out, including a secure and reliable means for consumers to opt out, should they wish to do so (§715D,6 of the Iowa Code).  

3.7. Cookie walls  

There are no specific requirements regarding cookie consent walls.  

3.8. Consent duration  

There is no specific duration for consent outlined; however, consent may be freely revoked at any given time. 

4. Cookies & Third Parties

4.1. Conditions for placement of third-party cookies  

There are no specific requirements for the placement of third-party cookies. However, the ICDPA and the Student Information Act impose requirements for the disclosure of what third-party cookies have been permitted to collect information. The ICDPA requires the controller, who permits the placement of third-party cookies, to provide a privacy notice detailing such information in a reasonably accessible, clear, and meaningful manner (§715D.6 of the Iowa Code). Included in this notice must be the categories of personal data that are shared with third parties, as well as the categories of third parties, if any, that the controller shares personal data with (§715D.6(d) of the Iowa Code). Additionally, the Student Information Act prohibits any form of engagement in targeted advertising on internet sites or applications for children in kindergarten through grade 12, which almost always includes cookie collection, retention, processing, and/or the sale of personal information collected from such cookies to and by third parties (§279.71(2)(a) of the Iowa Code).  

4.2. Roles and responsibilities  

The controller is not the only party required to safeguard the collected information and implement reasonable security measures under the ICDPA. The processor must enter into a contract with the controller, which ought to govern the processor's data processing procedures with respect to the processing done on behalf of the controller. The contract should set limits on what data is processed and the purpose of processing. Additionally, the processor must ensure that the personal data is handled with discretion and confidentiality (§715.D(5)(2) of the Iowa Code. The controller is not the only party required to safeguard the collected information and implement reasonable security measures under the ICDPA. The processor must enter into a contract with the controller, which ought to govern the processor's data processing procedures with respect to the processing done on behalf of the controller. The contract should set limits on what data is processed and the purpose of processing. Additionally, the processor must ensure that the personal data is handled with discretion and confidentiality (§715.D(5)(2) of the Iowa Code. 

4.3. International data transfers 

Iowa law incorporates no specific requirements for international data transfers. 

5. Cookie Retention

There are no cookie-specific requirements for retention. However, the ICDPA contains provisions that dictate how any retained personal data ought to be maintained, which necessarily includes that collected by cookies and other similar technologies. According to the ICDPA, controllers, using reasonable measures, must protect the confidentiality, integrity, and accessibility of personal data (§715D.4(1) of the Iowa Code. 

6. Additional Information

Both the ICDPA and the Student Information Act impose limitations on the extent to which personal data may be processed, which includes personal data collected via cookies and other similar tracking technologies. Under the ICDPA, personal data may only be processed to the extent that is reasonably necessary and proportionate to the purposes identified. The collected and processed personal data must be adequate, relevant, and limited to what is necessary for a specific purpose (§715D.7(6) of the Iowa Code. Under the Student Information Act, students' personal data, which constitutes covered information, may not be disclosed to a third party, except to subcontractors who need the information to provide the contracted services (§279.71.(4)(f) of the Iowa Code). 

There have been no enforcement actions in Iowa to date. However, based on cases developing in other states that have already implemented privacy acts, there are two legal theories by which litigants are pursuing greater data collection and protection transparency that may impact Iowa in the near future. 

There are cases pending in California state and federal district courts in which the argument is that cookies and similar technologies are merely internet versions of pen registers, and thus should fall within the wiretap laws of each jurisdiction. Should the federal courts find in favor of this argument, then it could support an argument that Iowa's Wiretap Law (§808B.2 of the Iowa Code) likewise extends to cookie usage. Cookie usage would be unlawful, unless operating under the color of law. 

In a separate lawsuit, the plaintiffs have argued the tort intrusion upon seclusion should apply to personal data collection online, if the notices and opt-out mechanisms are found to be defective. Intrusion upon seclusion requires a false expectation of privacy and that breach of false expectation as highly offensive. It is unclear whether routine information collected online would be found to be highly offensive, but the first element of false expectation of privacy is likely to be satisfied. Should this be found to extend to online data collection, then consumers may have an additional private right of action. 

7. Case Law 7 Enforcement Decisions

There is no case law pertaining to the ICDPA yet in Iowa because the law will not be in effect until January 1, 2025. Additionally, neither the Student Information Act nor the Private Right of Action for Consumer Frauds Act have any pertinent case law. 

8. Penalties

There is no private right of action for the ICDPA. The Iowa Attorney General (AG) retains enforcement powers for the ICDPA. The AG may seek an injunction to restrain any further violations of the ICDPA, as well as up to $7,500 fine per violation. 

Under the Private Right of Action for Consumer Frauds Act, a consumer may pursue a private right of action if they have suffered an ascertainable loss of money or property as a result of a violation of the act. The AG is permitted to intervene, as well; however, should the AG fail to intervene, they are not precluded from bringing a separate enforcement action. 

Explore more and view Lee's expert profile on DataGuidance here. Special thanks to associate Katelyn Larossa for her assistance with this blog.