Can I share personal information about my customers with third parties in Iowa? What are the requirements?

Yes, you can share personal information about your customers with third parties in Iowa, but it depends on the type of information and the purpose of the disclosure.

Personally Identifiable Information

If you are a government agency collecting, maintaining, and retrieving personally identifiable information, you must follow the rules described in [801 IAAC 6.12]^[1.1]. These rules describe the legal authority for the collection of that information, the means of storage of that information, and indicate whether a data processing system matches, collates, or permits the comparison of personally identifiable information in one record system with personally identifiable information in another record system.

Nonpublic Personal Financial Information

If you are a licensee collecting nonpublic personal financial information about a consumer, you must follow the rules described in [191 IAAC 90.9]^[3.2]. These rules prohibit you from disclosing any nonpublic personal financial information about a consumer to a nonaffiliated third party except as otherwise authorized in these rules. To disclose such information, you must provide the consumer with an initial notice, an opt-out notice, and a reasonable opportunity to opt out of the disclosure before the licensee discloses the information to the nonaffiliated third party.

There are exceptions to the opt-out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing, as described in [191 IAAC 90.12]^[3.3]. If you provide nonpublic personal financial information to a nonaffiliated third party to perform services for you or functions for you on your behalf, you do not need to comply with the opt-out requirements if you provide the initial notice and enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information.

Personal Information Protected

If you are a public agency, you must not release, publicize, or otherwise disclose personal information in the possession of the public agency without the express, written permission of every member, supporter, volunteer, and donor of the tax-exempt entity identified in the information and the tax-exempt entity, as described in [IACO 22A.2]^[2.1].

Requirements for Sharing Personal Information with Third Parties in Iowa

To share personal information with third parties in Iowa, you must follow the rules described in the relevant documents, depending on the type of information and the purpose of the disclosure. In general, you must provide notice to the consumer and a reasonable opportunity to opt out of the disclosure before sharing nonpublic personal financial information with nonaffiliated third parties. However, there are exceptions to this requirement for service providers and joint marketing. If you are a government agency or a fair board, your records are generally open for public inspection and copying, unless otherwise provided by rule or law.

[191 IAAC 90.14]^[3.1] provides other exceptions to notice and opt-out requirements for disclosure of nonpublic personal financial information.

Therefore, you must ensure that you comply with the relevant rules and regulations before sharing personal information about your customers with third parties in Iowa.

Source(s):

• [1.1] Personally identifiable information.
• [2.1] Personal information protected.
• [3.1] Other exceptions to notice and opt-out requirements for disclosure of nonpublic personal financial information.
• [3.2] Limits on disclosure of nonpublic personal financial information to nonaffiliated third parties.
• [3.3] Exception to opt-out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing.

Jurisdiction

Iowa

• Privacy