Iowa Becomes Sixth State To Pass An Internet Privacy Law
While there's a lot of talk about how getting privacy legislation right is hard (it is), or that doing it wrong could pose many problems (it could), that should never derail attention from the real reason the U.S. has no federal privacy law in 2023: Congress is blisteringly, comically corrupt. And with numerous, deep-pocketed industries lobbying it in unison, quality federal privacy law never had a chance.
The end result is pretty obvious: just an endless parade of hacks, breaches, scandals, and other misadventures in which extremely sensitive U.S. consumer data is over-collected, secured poorly, and routinely abused. An environment in which companies and execs face fleetingly inconsistent accountability, if they see any accountability at all.
And as a consumer all you get for your trouble is another round of useless free credit reporting" from companies that are also routinely sloppy with consumer data.
In response to federal corruption, dysfunction, and apathy, states have filled the vacuum with their own privacy laws of varying quality. This week Iowa became the sixth state to pass its own privacy law (S.F. 262), on the heels of similar pushes in California, Virginia, Utah, Connecticut and Colorado. As it currently stands, Iowa's law most closely relates to Utah's SB 277.
There's a few differences from other state efforts, such as in the way Iowa consumers need to opt out of the most sensitive types of data collection (financial, mental health, etc.):
Iowa's framework differs, however, from a few others since it requires covered entities to provide a clear notice of data usage and opt-out option for sensitive data - which it defines as racial or ethnic origin, religious beliefs, mental or physical diagnosis, sexual orientation, citizenship or immigration status. Colorado, Connecticut and Virginia have opt-in requirements.
Of course passing laws is one challenge. Having state AGs actually enforce them at any real scale is another matter. Especially given the increasingly industry-friendly court system and the unlimited budgets of corporate legal and lobbying coalitions. Still, the alternative is waiting for Congress to function.
While corporations and some partisans will lament how states are creating a discordant collection of patchwork legislation" (they're right!), this is a problem directly created by U.S. industry itself, which has lobbied relentlessly against any federal privacy law. When they do support federal privacy laws, they're usually ghost written by the lawyers of the biggest corporations and so full of loopholes as to be useless.
U.S. failures on privacy mirror countless other efforts at reform that can't move forward due to congressional corruption. Particularly in the realm of consumer protection (see: telecom), where states are also having to cobble together imperfect solutions to problems the federal government could have tackled decades ago were we interested in lobbying and campaign finance reform (we're not).
But for every state that at least pretends to care about consumer privacy and consumer protection, there are two or three states in which protecting consumers from consolidated corporate power is a non-starter, leaving millions of U.S. consumers shit out of luck. As authoritarians and self-serving partisans assault the regulatory state and court system, this all gets worse without a meaningful sea change.