New US laws: Iowa and Indiana
On March 29, 2023, the State of Iowa, and on April 13, 2023 the state of Indiana, became the sixth and seventh states to enact a comprehensive state privacy law, following the footsteps of California, Virginia, Colorado, Connecticut and Utah.
The new privacy law in Iowa will take effect on January 1, 2025. Companies should assess the applicability of this new law and consider compliance.
1. A business that controls or processes personal data of at least 100,000 Iowa consumers during a calendar year,
2. A business that derives more than 50% of gross revenue from the sale of personal data, and/or
3. A business that does business in the state and makes USD25 million in annual revenue.
The new privacy law in Indiana will take effect on January 1, 2026.
Applicability test: Companies that do business in Indiana or produce products or services that are targeted to residents of Indiana and:
- Control or process the personal data of 100,000 customers or more; or
- Control or process personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.