The Iowa Consumer Data Protection Act (ICDPA): What You Need to Know | CHEQ


In the final week of March, Iowa Governor Kim Reynolds signed the Iowa Consumer Data Privacy Act into law, making the Hawkeye state the sixth US state to pass a comprehensive data privacy law, after California, Utah, Colorado, Connecticut, and Virginia. 

The Iowa Consumer Data Protection Act (ICDPA) is designed to give consumers greater transparency and control over their personal data while maintaining a more business-friendly approach compared to some other states’ laws. The law is similar in content to the Virginia Consumer Data Protection Act (VCDPA) and has considerable overlap with both Virginia’s law, and other VCDPA-based laws in Connecticut, Indiana, Montana, and Texas. The law will go into effect on January 1, 2025. 

In this blog, we’ll cover the scope of the Iowa Consumer Data Protection Act, the rights it grants to Iowa citizens, regulatory requirements for businesses, and how the law will be enforced.

For a more in-depth breakdown of state-level privacy laws, check out our new Comprehensive Guide to US Privacy Law for 2023, a free 46-page eBook that gives a comparison chart of all state-level privacy laws, as well as an in-depth breakdown of each law, the consumer rights and business requirements of each law, and best practices for compliance with the patchwork of US privacy laws.

Who does the Iowa Consumer Data Protection Act Apply to?

The ICDPA applies to any business that either:

  • Controls or processes the personal data of at least 100,000 Iowa consumers per year, or
  • Controls or processes the personal data of at least 25,000 consumers per year and derives more than 50% of its gross revenue from the sale of personal data.

Certain types of data and entities are exempt, including data regulated by the Fair Credit Reporting Act, financial institutions and affiliates, data subject to the federal Gramm-Leach-Bliley Act, entities complying with HIPAA regulations, nonprofit organizations, and institutions of higher education.

What Rights does the Iowa Consumer Data Protection Act provide for Iowa citizens?

Iowa’s privacy law grants citizens of the state several new rights, largely based on the rights put forth by the EU’s General Data Protection Regulation (GDPR) in 2018. Below, we examine several rights common among US data privacy laws, whether Iowa’s law provides them, and the specific requirements for each right. 

Right to Access

Iowan consumers have the right to confirm whether a controller is processing their personal data and to access that data.

No Right to Correction

There is no right to correction under the ICDPA, a notable omission which makes Iowa one of just two states, along with Utah, that does not grant the right to correction in its consumer data protection law. 

Right to Deletion

The law gives consumers the right to deletion of their personal data. However, this right is limited to data obtained from the consumer. 

Right to Data Portability

Consumers have the right to access a copy of the personal data they’ve shared with the controller, unless that data is currently under protection due to a security breach, or was earlier submitted to the controller. 

Right to Opt-Out of Data Processing

Iowa’s privacy law does not explicitly give consumers the right to opt out of data processing, but the law does grant the right to opt out of the sale of consumer data. Furthermore, the law requires businesses to clearly and conspicuously disclose the use of personal data for targeted advertising (such as in a privacy notice) and provide consumers with a means of opting out of such activity. However, the law makes exceptions for pseudonymous data, which is defined as any personal data that “…cannot be attributed to a specific natural person without the use of additional information…”

What are the Regulatory Requirements for Businesses?

Privacy Notice Requirements

Businesses subject to Iowa law are required to provide consumers with clear and conspicuous notice of their data collection and processing practices. This notice must include the categories of personal data collected, the purposes for which the data is collected and processed, the categories of third parties with whom the data is shared, and the consumer’s rights under the law. Businesses must also provide this notice at or before the time of data collection and must update it annually.

Consent Management Requirements

As demonstrated by the ‘right to opt out,’  Iowa’s law follows the opt-out consent model common to US laws. Unlike most state-level privacy laws, Iowa’s law does not require an opt-in for sensitive data processing but does require a notice of such activity and an opportunity to opt-out. 

Data Security Requirements

The ICDPA requires that businesses must implement and maintain reasonable administrative, technical, and physical security measures to protect the personal data they collect, process, and store. 

Data Protection Assessment Requirements

There is no requirement for data protection assessments under the ICDPA.

Data Collection and Purpose Limitation Requirements 

Businesses are required to limit their collection, use, retention, and disclosure of personal data to what is reasonably necessary to achieve the purposes for which the data was collected or subsequently authorized by the consumer. 

Non-Discrimination Requirements

Businesses may not process personal data in violation of state and federal laws that prohibit unlawful discrimination against a consumer and may not discriminate against a consumer for exercising any of their consumer rights. 

How will the law be enforced?

The ICDPA will be enforced by the state Attorney General, who may bring an action against a covered entity for a violation of the law and seek an injunction, restitution, and other relief deemed appropriate. The ICDPA provides for a tiered system of penalties for violations of the law, with a maximum penalty of $7,500 per violation. 

If a business is found to be in violation of the law, it has a 90-day “cure period” to rectify the issue. This “cure period” is perpetual, making the ICDPA more lenient than some other state laws. 

Get Compliant with CHEQ Privacy

State privacy laws like this one are pressing new responsibilities—and penalties—on businesses and marketers. CHEQ Privacy offers organizations a solution to help build a fully compliant website and simplify compliance with Iowa’s law, as well as the UCPA, CTCDPA, VCDPA, CCPA, CPA, GDPR, and any future privacy laws.

With CHEQ Privacy and Compliance Enforcement, you can set up geo-targeted opt-out of sale links for consumers and give your customers a clear-cut choice on how their data is used, or whether it is collected. A simple line of JavaScript added to your website is all you need to stop data from being collected before your customers give their consent, allowing real-time enforcement of customer consent regardless of tag management systems or 3rd party tags.

Request a demo to see how CHEQ can help your organization meet its compliance and consent management needs.

Latest Posts

Ready to secure your
Go-to-Market efforts?

GET started