Privacy on the internet will always be a hot topic amongst the government and policy makers as the worldwide web continues to grow. As professionals working within the website and internet industry, it’s important that we stay on top of any new changes or updates to legalities of owning a website. This past year, a new privacy policy law was passed for the state of Iowa that will impact business owners on how personal data obtained from their website should be handled.
Privacy policies are incredibly important to have on a website. Not only do they help you avoid legal action taken by the government (or an individual or agency), but they also provide transparency to your customers. An updated, comprehensive privacy policy shows that your business is focused on the protection of its consumers.
Let’s dive into this new Iowa privacy law including the effective date, what it entails, who it affects, and what you can do to make sure you are staying compliant.
Iowa SF262
Effective Jan 1, 2025, Iowa SF262 is a new privacy policy law that includes consumer data protection, provides civil penalties, and includes date provisions.
In 2023, Governor Kim Reynolds signed this into action, making it mandatory for qualifying Iowa business owners with websites to have a privacy policy.
Who Does Iowa SF262 Apply To?
This new law applies to any individual who is conducting business in Iowa or produces products or services that target residents of Iowa, meeting one of the following requirements:
- Controls or processes the personal data of at least 100,000 Iowa residents per year; or
- Controls or processes the personal data of at least 25,000 Iowa residents and derives over 50% of gross revenue from the sale of personal data per year.
Who Does Iowa SF262 NOT Apply To?
This privacy policy law specifically does not apply to employee data and nonprofit organizations.
What is Considered Personal Data?
Now that we know who this privacy policy law affects, let’s go through how Iowa defines personal data. This is important to know, especially if you are someone who meets the requirements for compliance. According to Iowa SF262, personal data is “any information that is linked or reasonably linkable to an identified or identifiable natural person.”
With website data, personal data can be anything from names, phone numbers, and emails to IP addresses and physical addresses. It can be reasonably assumed that any data collected through online form functionalities or website analytics is considered personal.
Requirements of the Iowa SF262 Privacy Policy Law
When updating your privacy policy to ensure its compliance, it’s important to be sure you include everything that is required of this new law. If not updated correctly, you may be at risk for legal action taken against you and your business.
Your website’s privacy policy must include the following disclosures:
- The categories of personal data processed by the business;
- The purpose for processing the data;
- How an individual may exercise their privacy rights and how they may appeal a decision made with regard to their privacy rights request;
- The categories of personal data that are shared with third parties;
- The categories of third parties with whom the personal data is shared;
- Whether personal data is sold or used for targeted advertising and how an individual may exercise the right to opt out of sales of personal data and targeted advertising.
Beyond these new additions to your privacy policy, you must also ensure that yours is clear and accessible on your website. Don’t intentionally “hide” your privacy policy from users within your website. We recommend displaying it as a link to a page within the footer on your website. That way, it’s easily accessible across every page of your website and doesn’t clutter the main content on your website.
What Happens if I Fail To Comply With Iowa SF262?
This law includes a 90-day period of a right to fix a violation. If the violation is not fixed by the allotted number of days, the Iowa Attorney General could impose penalties of up to $7,500 per violation. Defined in this specific law, “per violation” may mean a website visitor whose privacy rights were infringed upon or per violation. This means that each user visit to your website, while your privacy policy is not compliant, counts as a separate violation with a potential penalty of $7,500 per occurrence.
For example, if you did not fix your privacy policy after your 90-day period and 10 users visited your website, you could face a penalty of up to $75,000.
Update Your Website’s Privacy Policy To Avoid Iowa Legal Action
Webspec partners with Termageddon, an organization that makes it easy to implement privacy policies on your website, updating them as needed. If you are a client of Webspec and have a privacy policy, then yours has been updated to reflect the requirements of Iowa SF262.
If you are not a current client of Webspec, or are worried about whether or not your site is compliant, let’s talk! We’ll sit down with you to evaluate your business size, get to know your business, and determine whether or not a privacy policy is needed.