Iowa became the sixth U.S. state to pass comprehensive data protection legislation allowing residents control over how their personal information is accessed and shared.

The Iowa privacy bill (SF 262) was signed into law by Gov. Kim Reynolds on Tuesday. The legislation is set to take effect Jan. 1, 2025.

“In our digital age, it’s never been more important to state, clearly and unmistakably, that consumers deserve a reasonable level of transparency and control over their personal data,” said Reynolds in a press release. “That’s exactly what this bill does, making Iowa just the sixth state to provide this kind of comprehensive protection.”

Iowa joins California, Colorado, Connecticut, Utah, and Virginia in passing comprehensive consumer privacy laws while Congress continues to stall on the subject. The laws of the other five states each take effect this year, with California’s representing new amendments to the California Consumer Privacy Act (CCPA) that took effect in 2020.

The Iowa privacy bill applies to companies conducting business in the state or providing services targeted to its residents that process the personal data of at least 100,000 consumers or derive at least 50 percent of revenue from the sale of the personal data of at least 25,000 consumers. Certain types of data, including health records protected under the Health Insurance Portability and Accountability Act (HIPAA) and data authorized for use in research, are not covered.

Like other state laws, the bill provides residents the right to access personal data being processed by a company, delete personal data they’ve provided, obtain a copy of their personal data being processed, and opt out of the sale of their data. Businesses are required to respond to consumer requests within 90 days.

The Iowa attorney general will be tasked with enforcing the law. If the AG decides to issue a finding, companies will have 90 days to resolve the issues cited to avoid an enforcement action.

The AG may level penalties of $7,500 per violation.