HF 2048 — IA, US
HF 2048 is a piece of AI governance legislation from IA, currently at the introduced stage. The bill introduces new obligations for companies to obtain consent and provide specific disclosures prior to processing personal data, explicitly mentioning AI training and automated decision-making [2]. AIGI tracks 1 primary-source update on this bill; the most recent was published on 2026-01-14.
Status & timeline
- Regulatory stage: introduced
- Bill status: introduced
- Authority / governing body: Iowa Legislature
- Chamber: house
- Document type: legislation
Next deadline: No fixed deadline — currently introduced as a bill.
Full obligation matrix
| Actor | Obligation | Deadline | Source |
|---|---|---|---|
| Company | Disclose to an individual in a clear and conspicuous manner the purposes for which personal data will be used, including whether it will be used for automated decision making or artificial intelligence training, prior to processing. | prior to processing | — |
| Company | Disclose to an individual in a clear and conspicuous manner the types of personal data intended to be processed prior to processing. | prior to processing | — |
| Company | Disclose to an individual in a clear and conspicuous manner the types of persons with whom personal data will be shared or sold prior to processing. | prior to processing | — |
| Company | Disclose to an individual in a clear and conspicuous manner whether the individual will be compensated for providing personal data and in what form, prior to processing. | prior to processing | — |
| Company | Obtain consent from an individual to process their personal data by offering a clear means to affirmatively provide consent, prior to processing. | prior to processing | — |
| Company | Not use deceptive or manipulative means to obtain an individual's consent. | N/A | — |
| Company | Collect only the personal data reasonably necessary to achieve the purposes disclosed. | N/A | — |
| Company | Allow an individual to revoke consent to process their data in a manner no more burdensome than obtaining it. | N/A | — |
| Company | Cease all processing of an individual’s personal data within thirty calendar days of receiving notice of consent revocation. | 30 days | — |
| Company | Implement and maintain administrative, technical, and physical practices that ensure the security of personal data, appropriate for its volume, nature, and sensitivity. | N/A | — |
| Company | Not process personal data in a manner to which the individual has not consented. | N/A | — |
| Company | Not deny or downgrade an individual’s service solely because the individual exercised a right granted under the chapter. | N/A | — |
Enforcement risk score
Announced regulation; enforcement footprint still forming.
Role-based compliance checklist
- privacy_officer: Review current data processing activities to identify if personal data of 5,000 or more Iowa residents is processed annually.
- general_counsel: Assess current privacy policies and terms of service for alignment with explicit disclosure requirements for data use, including AI training and automated decision-making.
- product_manager: Ensure all consent mechanisms provide clear, affirmative means for individuals to grant consent and avoid deceptive or manipulative practices.
- data_scientist: Verify that personal data collection aligns with data minimization principles, collecting only data reasonably necessary for disclosed purposes.
- engineering: Develop or enhance systems to allow individuals to easily revoke consent and to cease processing of their personal data within 30 calendar days of revocation. (30 days)
- ciso: Evaluate and update administrative, technical, and physical security practices for personal data to ensure appropriateness for its volume, nature, and sensitivity.
- compliance_officer: Establish procedures for responding to individual requests for confirmation of data processing, data summaries, corrections, and deletions.
- hr_director: Review any automated decision-making processes used in HR (e.g., for eligibility or risk scoring) to ensure compliance with disclosure and consent requirements.
Vendor impact assessment
- Vendor risk class: high
- Procurement categories: hr_tech, customer_service_ai, fraud_detection, marketing_personalization, security_tooling, other
Vendors providing services that involve processing personal data of Iowa residents (especially 5,000+) must be prepared to demonstrate robust consent management, transparent data use disclosures (including for AI), data minimization, security practices, and support for individual data rights. Failure to comply could expose customers to significant civil penalties and private actions.
Sample vendor questions
- How do you ensure plain language disclosure of data use, especially for AI training or automated decision-making?
- What are your mechanisms for obtaining clear, affirmative consent from individuals, and how do you prevent manipulative practices?
- What processes do you have in place for data minimization, collecting only necessary data for disclosed purposes?
- How do you facilitate individual requests for consent revocation, data access, correction, and deletion, and what is your timeline for cessation of processing?
- Describe your administrative, technical, and physical security measures for personal data, appropriate for its volume, nature, and sensitivity.
Intelligence briefs (1)
Iowa Bill HF 2048 Introduces New Personal Data Processing Requirements
The bill introduces new obligations for companies to obtain consent and provide specific disclosures prior to processing personal data, explicitly mentioning AI training and automated decision-making [2].
This expands the scope of personal data processing regulations to specifically address AI system deployment and training activities in Iowa.
Deadline: No fixed deadline — currently introduced as a bill.
Frequently asked questions
- What is HF 2048?
- Iowa House File 2048 (HF 2048) introduces new personal data processing requirements for companies operating in the state, establishing definitions for “automated decision making” and “company” [1]. The bill mandates explicit consent, comprehensive disclosures including intended use for automated decision-making or AI training, and robust data security practices [2]. It also grants individuals rights over their personal data and establishes enforcement mechanisms for violations.
- Why does HF 2048 matter?
- This expands the scope of personal data processing regulations to specifically address AI system deployment and training activities in Iowa.
- Who does HF 2048 affect?
- Companies conducting business in Iowa that process personal data of 5,000 or more individuals residing in the state annually are within scope [1]. This affects deployers utilizing personal data for purposes such as automated decision-making, profiling, risk scoring, eligibility determinations, or artificial intelligence training [2]. Organizations in sectors like finance, healthcare, marketing, and human resources that leverage AI systems interacting with personal data will need to review their compliance frameworks.
- What are the key dates for HF 2048?
- No fixed deadline — currently introduced as a bill.
- What is the current status of HF 2048?
- As of the last published update, HF 2048 is at the "introduced" stage, with bill status "introduced".
- Where can I find the primary source for HF 2048?
- The primary source for the most recent update is at https://www.legis.iowa.gov/publications/search/document?fq=id:1595260&q=artificial+intelligence. AIGI publishes the full citation chain plus every approved brief on this bill.