Six states now have data privacy laws on the books, with Iowa as the latest. What this means for collision repair shop owners is the need for end-user license agreements and data collection/use consumer disclosures sooner rather than later, if not already in place.
Iowa’s passage of SF 262 lays out standards and practices for types of data that can be collected and consumer rights in data processing.
“In our digital age, it’s never been more important to state, clearly and unmistakably, that consumers deserve a reasonable level of transparency and control over their personal data,” said Gov. Kim Reynolds. “That’s exactly what this bill does, making Iowa just the sixth state to provide this kind of comprehensive protection.”
“Personal data” is defined in the new law as “any information that is linked or reasonably linkable to an identified or identifiable natural person” and doesn’t include de-identified data (data that cannot reasonably be linked to an identified or identifiable natural person), aggregate data, or publicly available information.
The law applies to Iowa businesses that control or process the personal data of at least 100,000 consumers, or at least 25,000 with over 50% of gross revenue from the sale of personal data.
Under the law, consumers can find out what businesses have access to or are using their data, ask for their data to be deleted, receive a copy of collected data, and opt out of their data being sold. The controller — the person or business that determines how the data is processed — has 90 days to respond.
The bill requires controllers to “adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue.”
Controllers are prohibited from processing sensitive data collected from a consumer for a nonexempt purpose without the consumer receiving notice and the opportunity to opt out of such processing.
California, Colorado, Virginia, Utah, and Connecticut have also passed comprehensive privacy laws. Seven other states — Vermont, Oklahoma, Kentucky, New Hampshire, Hawaii, Montana, and Indiana — are currently considering data privacy bills.
In California, voters enacted PII regulations in 2020 through Proposition 24, known as the California Privacy Rights Act (CPRA), which took effect Jan. 1, 2023.
According to the California Privacy Protection Agency, that includes:
- “The right to correct inaccurate personal information that a business has about them;
- “The right to limit the use and disclosure of sensitive personal information collected about them; and
Colorado’s law and the Virginia Consumer Data Protection Act are nearly identical to Iowa’s. Colorado also gives consumers the right to opt out of targeted advertising. The law was effective in Virginia on Jan. 1 of this year. Colorado’s will take effect on July 1, 2024.
Laws in Utah, effective last year, and Connecticut, effective July 1, 2023, are also similar to California’s. Connecticut’s, however, provides for a universal opt-out option to consumers across several websites at once.
In 2018, Vermont became the first state to enact legislation regulating “data brokers,” businesses that collect and sell or license consumers’ personal information to third parties. In January of this year, state lawmakers introduced H. 121, meant to beef up the law and add that consumers can opt out of the collection or selling of data and can request their data be deleted.
In March, the Oklahoma House of Representatives passed the Oklahoma Computer Data Privacy Act (HB 1030) for the third consecutive year. If passed by the full legislature, the act would apply to Oklahoma businesses that collect consumers’ personal information and meet one or more of the following criteria: have an annual gross income exceeding $15 million; buy, sell, or receive shares of the personal information of at least 50,000 consumers, households, or devices; or derive 25% or more of the business’s annual revenue from selling consumers’ information.
The act would require businesses, among other tasks, to write privacy policies in plain language, including what types of data are collected, how it’s collected, and how consumers can opt out.
Kentucky’s SB 15, passed by the Senate in March, would apply to businesses that control or process personal data of at least 25,000 consumers, or derive more than 40% of gross revenue from the sale of personal data. It would allow consumers the right to opt out of targeted advertising, tracking, and the sale or sharing of their personal data. If signed into law, it would take effect Jan. 1, 2025.
Last year, Kentucky enacted model provisions written by the National Association of Insurance Commissioners (NAIC) to protect consumer data that is provided to insurance carriers.
New Hampshire’s SB 255 was passed by the Senate in March. It’s currently in the House Judiciary Committee and a hearing will be held on it April 19. The bill covers opt-out options for consumers similar to those in other states and requires controllers to “limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.”
Hawaii’s Consumer Data Protection Act (SB 974 SD 2) would allow consumers to opt out of targeted advertising, the sale of personal data, or profiling for the provision of loans or services including insurance. The Senate has passed the bill, and it passed first reading in the House in March.
Montana’s Consumer Data Privacy Act (SB 384) would apply to controllers that process data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or 25,000 consumers when more than 25% of gross revenue is collected from selling personal data. Controllers would be required to confirm to consumers whether or not they have collected their data, unless doing so would reveal a trade secret. Consumers would also be able to opt out of targeted advertising, the sale of their personal data in certain circumstances, and profiling.
The bill has passed in the Senate and remains in the House. Consumer Reports (CR) said in March that it’s against the legislation because, while similar to Connecticut’s stronger bill, “it strips out key protections contained in that law, including the ability for consumers to opt out using an opt-out preference signal, making it a substantially weaker effort.”
“The bill in its current form would not do enough to protect Montana consumers’ personal information, or to rein in major tech companies like Google and Facebook,” CR wrote. “The bill needs to be substantially improved before it is enacted; otherwise, it would risk locking in industry-friendly provisions that avoid actual reform.”
Indiana’s Senate has passed SB 5, which would apply to state businesses that control or process personal data of at least 100,000 consumers or at least 25,000 with over 50% of gross revenue from the sale of personal data. Consumers would also be able to opt out of targeted advertising, the sale of their personal data in certain circumstances, and profiling. If passed, it would take effect Jan. 1, 2026.
The federal government has also considered data and PII privacy legislation. Last year, the U.S. House considered the first bipartisan and bicameral bill to protect consumer data collection and privacy across nearly all sectors, including automakers and car dealers.
“After failed efforts over many decades, the ‘American Data Privacy and Protection Act’ (the Act) is the first bipartisan, bicameral national comprehensive privacy and data security proposal with support from leaders on the House Energy and Commerce Committee and the Senate Commerce, Science, and Transportation Committee,” wrote Rep. Frank Pallone (D-N.J.) in a June 10, 2022 memorandum.
The bill didn’t make it out of committee.