Bill Text: IA SF143 | 2025-2026 | 91st General Assembly | Introduced
Bill Title: A bill for an act relating to consumer data protection, and including retroactive applicability provisions.
Spectrum: Partisan Bill (Republican 5-0)
Status: (Introduced) 2025-01-30 - Subcommittee recommends passage.

Senate File 143 - Introduced

SENATE FILE 143
BY ALONS, WESTRICH, SALMON, GUTH, and LOFGREN

A BILL FOR

An Act relating to consumer data protection, and including retroactive applicability provisions.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 1302XS (3) 91
nls/ko

Section 1. Section 715D.1, subsection 5, Code 2025, is amended to read as follows:
5. “Child” means any natural person younger than thirteen eighteen years of age.

Sec. 2. Section 715D.1, Code 2025, is amended by adding the following new subsections:
NEW SUBSECTION. 9A. “Decision that produces legal or similarly significant effects concerning a consumer” means a decision made by a controller that affects the ability of a person to access any of the following:
a. Financial and lending services.
b. Housing.
c. Insurance.
d. Education.
e. Criminal justice services.
f. Employment opportunities.
g. Health care services.
NEW SUBSECTION. 12A. “Health data” means data that pertains to the health status of an individual that discloses information related to the past, current, or future physical or mental health status of the individual.
NEW SUBSECTION. 21A. “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict specific factors related to the economic status, health, personal preferences, interests, reliability, behavior, location, or movements of an identified or identifiable individual.

Sec. 3. Section 715D.1, subsection 14, Code 2025, is amended to read as follows:
14. “Health record” means any written, printed, or electronically recorded material maintained by a health care provider in the course of providing health services to an individual concerning the individual and the services provided, including related health information and associated nonhealth information, provided in confidence to a health care provider.

Sec. 4. Section 715D.1, subsection 26, Code 2025, is amended by adding the following new paragraph:
NEW PARAGRAPH. e. Health data.

Sec. 5. Section 715D.2, subsection 2, Code 2025, is amended to read as follows:
2. This Except as it relates to health data, this chapter shall not apply to the state or any political subdivision of the state; financial institutions, affiliates of financial institutions, or data subject to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et seq.; persons who are subject to and comply with regulations promulgated pursuant to Tit. II, subtit. F, of the federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, and Tit. XIII, subtit. D, of the federal Health Information Technology for Economic and Clinical Health Act of 2009, 42 U.S.C. §17921 – 17954; nonprofit organizations; or institutions of higher education.

Sec. 6. Section 715D.2, subsection 3, Code 2025, is amended by adding the following new paragraph:
NEW PARAGRAPH. 0b. Information or data maintained by a public health authority, as defined by HIPAA, provided the public health authority has received the consumer’s consent unless otherwise required by HIPAA.

Sec. 7. Section 715D.2, subsection 3, paragraph l, Code 2025, is amended to read as follows:
l. Information used only for public health activities and purposes Purposes as authorized by HIPAA . , provided that the information is all of the following:
(1) De-identified.
(2) Aggregated.
(3) Processed in batches of no less than one hundred consumers.

Sec. 8. Section 715D.3, subsection 1, paragraph d, Code 2025, is amended by striking the paragraph and inserting in lieu thereof the following:
d. To be notified of, or to opt out of, profiling in furtherance of a decision that produces legal or similarly significant effects concerning a consumer. Notification to the consumer pursuant to this paragraph shall be in plain language and include the type of data subject to profiling, any requirements for a person receiving the consumer’s data to delete or return the data, and the process for a consumer to file a complaint.

Sec. 9. RETROACTIVE APPLICABILITY. This Act applies retroactively to January 1, 2025.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to consumer data protection.

Under Code section 715D.1, “child” is defined as any natural person younger than 13 years of age. Under the bill, “child” is defined as any natural person younger than 18 years of age.

The bill expands the definition of “health record” to include, in addition to any record containing related health information, any record containing nonhealth information that is related to health information provided in confidence to a health care provider.

The bill expands the definition of “sensitive data” to include health data. “Health data” is defined in the bill.

Under the bill, except as it relates to health data, the Code chapter shall not apply to the state or any political subdivision of the state; financial institutions, affiliates of financial institutions, or data subject to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et seq.; persons who are subject to and comply with regulations promulgated pursuant to Tit. II, subtit. F, of the federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, and Tit. XIII, subtit. D, of the federal Health Information Technology for Economic and Clinical Health Act of 2009, 42 U.S.C. §17921 – 17954; nonprofit organizations; or institutions of higher education.

The bill exempts information or data maintained by a public health authority, as defined by HIPAA, from the Code chapter provided the public health authority has received the consumer’s authorization, unless otherwise required by HIPAA.

The bill exempts information used only for public health activities and purposes as authorized by HIPAA, provided that the information is de-identified, aggregated, and processed in batches of no less than 100 consumers from the Code chapter.

Under the bill, a consumer shall have the right to request to be notified of, or to opt out of, profiling in furtherance of a decision that produces legal or similarly significant effects concerning a consumer. The bill defines “profiling” as any form of automated processing performed on personal data to evaluate, analyze, or predict specific factors related to the economic status, health, personal preferences, interests, reliability, behavior, location, or movements of an individual. Notification to the consumer shall be in plain language and include the type of data subject to profiling, any requirements for a person receiving the consumer’s data to delete or return the data, and the process for a consumer to file a complaint. “Decision that produces legal or similarly significant effects concerning a consumer” is defined in the bill.

The bill applies retroactively to January 1, 2025.