Recently, Iowa became the sixth state to enact a comprehensive privacy law to protect personal data, joining California, Virginia, Colorado, Utah and Connecticut. Although privacy laws have existed in the U.S. for decades, until recently they were limited to certain industries, jurisdictions or data types. The Iowa law continues the growing movement worldwide to protect an individual’s general right to privacy.

While the patchwork of privacy laws in the U.S. may seem overwhelming, clear patterns have emerged regarding how companies can comply. State lawmakers and attorneys general communicate with each other on how to implement and enforce privacy laws, as well as with their European counterparts under the General Data Protection Regulation. For example, Colorado revised the final regulations implementing its privacy law to bring them in line with California’s privacy regulations, in response to public comments that an earlier version would prove unnecessarily burdensome for businesses that operate in both states.

Iowa’s privacy law doesn’t contain many surprises for privacy professionals. California still offers the most consumer protection, and if a business complies with the California Consumer Privacy Act, becoming compliant with the other five state privacy laws should not require much more effort.[1] Companies should also note that California’s privacy law applies to its 40 million residents, while Virginia, Utah, Connecticut and Iowa have just over 3 million residents each.

We will continue to monitor the latest developments in this ongoing legislative movement. Please reach out to the Kramer Levin privacy team for additional assistance on how to comply with emerging privacy laws.

Click here to download and print a PDF of the table below.


[1] The final regulations implementing the California Consumer Privacy Act took effect on March 29, 2023.