On March 28, Iowa Governor Kim Reynolds signed Senate File (SF) 262, "an Act relating to consumer data protection, providing civil penalties, and including effective date provisions." Following in the footsteps of California (here and here), Virginia, Colorado, Utah, and Connecticut, Iowa has become the sixth state to pass its own unique take on a comprehensive data privacy law.
With Congress still unable to agree upon the details of a national privacy framework, this most recent addition to the steadily expanding list of inconsistent state statutes further exacerbates compliance headaches for companies and adds to consumer confusion.
Laws in California and Virginia already are in effect. The start date for those in Colorado and Connecticut is July 1, 2023. Utah's statute becomes valid at the end of this year. And Iowa's SF 262 kicks in on January 1, 2025.In other state-level privacy news, both California and Colorado recently finalized rulemaking proceedings arising from their respective comprehensive data privacy statutes:
- On March 29, the California Office of Administrative Law approved the initial set of rules implementing the California Privacy Rights Act, also known as Proposition 24. Adopted by the California Privacy Protection Agency (CPPA), the first-of-its-kind state agency specifically dedicated to privacy, the rules became effective immediately. By statute, however, California's Office of Attorney General cannot initiate enforcement efforts until July 1. (Once officially processed, those rules, which substantively are unchanged from the drafts voted on by the CPPA in February, will be available here.)
- On March 15, the Colorado Attorney General's Office announced that it had filed with the Colorado Secretary of State's Office final versions of its rules implementing the Colorado Privacy Act. Like the statute itself, those rules will go into effect on July 1.
At the federal level, meanwhile, the American Data Privacy and Protection Act, the first bill of its kind to make it out of congressional committee, remains in limbo. However, there have been two House Commerce Committee hearings on the topic of privacy thus far in 2023.
The first, entitled "Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy," was held by the Innovation, Data, and Commerce Subcommittee on March 1.
The second, a full Committee hearing entitled "TikTok: How Congress Can Safeguard American Data Privacy and Protect Children from Online Harms," took place on March 23.
In a media appearance shortly thereafter, Chair Cathy McMorris Rodgers (R-WA) stated that the testimony of TikTok CEO Shou Chew puts "more urgency on us passing a national data privacy law to protect [America] from the next technological tool or weapon that China may put together'" and that "[w]e need a national data privacy standard … and that's what Ranking Member Pallone and I have worked on and we're going to introduce this Congress because we need to take action."