In this article

Sign up for our newsletter

Share this article

Hi all, and happy Thursday. Pop quiz.  

Which U.S. state:  

  • Produces the most corn in the nation,  
  • Is the future birthplace of Star Trek’s Captain Kirk, and  
  • May soon become the sixth state to adopt comprehensive data privacy legislation? 

The answer is Iowa

Senate File 262 recently passed the Iowa Senate and Iowa House without opposition and, as of this writing, awaits Governor Kim Reynolds’ signature. Given the overwhelming bipartisan support for the bill, it seems likely that Governor Reynolds will sign Senate File 262 into law. 

The bill broadly maps to other state privacy laws, that it trends toward the more business-friendly side, like Utah’s privacy law. As an example, “sales” of user data are narrowly defined as an exchange for monetary compensation and does not include other valuable considerations, as is the case in other data privacy laws. It also gives businesses 90 days to respond to data subject access requests (DSARs) rather than the typical 45-day period seen in U.S. laws. Most notably, it features a non-sunsetting right to cure—businesses will always be given notice and opportunity to fix violations before being penalized. 

It’s still early in 2023, and Iowa’s bill is just one of many under consideration. It seems likely we’ll be seeing even more U.S. states enact data privacy legislation this year—unless the American Data Privacy Protection Act (ADPPA) makes yet more progress. Time will tell! 



P.S. We’ll be in Washington, D.C., to attend the International Association of Privacy Professionals (IAPP) Global Summit this April 4th and 5th!

If you’re attending, come say hi! You can schedule a meeting here (and you might win a $500 Airbnb gift card, too 💰🌴). 

Top privacy stories of the week


Data Act: EU parliamentarians back new rules for fair access to and use of industrial data 

Members of the European Parliament have introduced draft legislation referred to as the Data Act, which would remove barriers to accessing data for the development of specific services, particularly AI technologies. The legislation was adopted with 500 votes to 23, with 110 abstentions, although it has a long path ahead before it becomes law. 

Read more 

Iowa is about to get its own privacy law 

Iowa is on the cusp of enacting its own comprehensive data privacy law, making it the sixth state to do so. All that remains in the legislative process is Iowa Governor Kim Reynolds’s signature or veto. If signed, the law will go into effect on January 1, 2025. 

Read more 

EU privacy regulators coordinate to assess compliance with the GDPR rules on data protection officers 

The European Data Protection Board (EDPB) announced a coordinated investigation of data protection officers (DPOs) in businesses subject to the GDPR. EDPB officials plan on sending questionnaires to DPOs to determine whether a formal investigation is warranted, investigating identified DPOs, and following up pending the results of their investigations. 

Read more 

Austrian data protection authority declares Meta’s tracking tools to be illegal 

The Austrian Data Protection Authority (DSB) has determined that Meta’s tracking pixel violates the GDPR and the EU’s ruling on international data transfers. The decision comes on the heels of a number of complaints from data advocacy group noyb (or “none of your business”) 

Read more 

TikTok plasters DC with ads before skeptical lawmakers confront CEO 

TikTok engaged in a PR blitz leading up to its chief executive officer testifying today. CEO Shou Chew is scheduled to appear before the House Energy and Commerce Committee on Thursday to discuss the social media app’s plan to house U.S. data with Oracle in order to prevent undue access by Chinese officials. 

Read more 

CFPB launches inquiry into the business practices of data brokers 

The Consumer Financial Protection Bureau (CFPB) has launched an inquiry into companies whose primary business is the buying and selling of individuals’ personal information. Few consumers directly interact with these data brokers, yet many of the systems that collect consumers’ personal information pass that info onto data brokers, either directly or indirectly. The inquiry aims to determine whether the Fair Credit Reporting Act regulates these entities appropriately. 

Read more 

OpenAI shuts down ChatGPT to fix bug exposing user chat titles 

OpenAI temporarily shut down its popular ChatGPT service on Monday morning after receiving reports of a bug that allowed some users to see the titles of other users’ chat histories. The bug raises concern over how secure and private users’ chats with ChatGPT really are. 

Read more 

Osano blog: What is an employee privacy policy? Does my company need one? 

With the CPRA, more businesses are required to honor employee data subject access requests (DSARs) than ever before. In this blog, we break down why businesses need to respond to employee DSARs, why this necessitates an employee privacy policy and more. 

Read more 

Come meet us in D.C. on April 4th and 5th for a chance to win a $500 Airbnb gift card! 

Osano will be attending the International Association of Privacy Professionals (IAPP) Global Summit in Washington, D.C., on April 4th and 5th. If you’re planning on attending, come say hi! If you come to booth #318 at the IAPP Global Summit, we’ll enter you into a raffle to win a $500 Airbnb gift card. Looking forward to connecting in person! 

Schedule a meeting here 

If you’re interested in working at Osano, check out our Careers page! We might have the perfect opportunity for you. 

Schedule a demo of Osano today

Privacy Policy Checklist

Are you in the process of refreshing your current privacy policy or building a whole new one? Are you scratching your head over what to include? Use this interactive checklist to guide you.

Download Now
Frame 481285
Share this article