Overview
The Iowa Consumer Data Protection Act (ICDPA) is a comprehensive state privacy law designed to give Iowa residents greater control over their personal data while setting compliance requirements for businesses. Signed into law on March 29, 2023, the ICDPA takes effect on January 1, 2025.
The law is business-friendly compared to privacy laws in California (CPRA) and Colorado (CPA), but still grants core privacy rights to consumers.
Who Must Comply?
The ICDPA applies to businesses that operate in Iowa or target Iowa residents and meet one of the following criteria:
- Process personal data of at least 100,000 Iowa consumers annually
- Process personal data of at least 25,000 Iowa consumers and derive 50%+ of revenue from selling personal data
Exemptions:
The law does not apply to:
- Government agencies
- Nonprofits
- Financial institutions subject to GLBA
- HIPAA-covered entities
- Higher education institutions
Key Consumer Rights Under ICDPA
- Right to Access: Consumers can request a copy of their personal data.
- Right to Delete: Consumers can request the deletion of personal data they provided.
- Right to Data Portability: Consumers can receive their data in a portable format.
- Right to Opt-Out: Consumers can opt out of:
  - Targeted advertising
  - Sale of personal data
- No Right to Correct Data: Unlike CPRA and CPA, the ICDPA does not include a right to correct inaccurate data.
- No Right to Opt-Out of Profiling: The ICDPA does not include opt-outs for profiling-based decision-making.
Business Compliance Requirements
- Opt-In Consent for Sensitive Data: Businesses must obtain explicit consent before processing:
  - Racial/ethnic origin
  - Religious beliefs
  - Biometric data
  - Health conditions
  - Children's data
- Clear Privacy Policy: Companies must publish transparent privacy policies detailing data collection and use.
- Data Security Measures: Businesses must implement reasonable security safeguards to protect personal data.
- No Universal Opt-Out Requirement: Unlike California (CPRA) and Colorado (CPA), businesses do not need to recognize Global Privacy Control (GPC) signals.
Real-World Enforcement Cases
The Iowa Attorney General is responsible for enforcing the ICDPA, with penalties of up to $7,500 per violation.
90-Day Cure Period for Violations: Businesses have 90 days to fix violations before fines are imposed, which is longer than most state privacy laws.
Since the ICDPA does not take effect until January 1, 2025, major enforcement cases have not yet occurred, but companies failing to provide opt-out options are likely to face early penalties.
Comparison with Other State Privacy Laws
The Iowa ICDPA is less restrictive than laws in California, Colorado, and Virginia because:
- No Universal Opt-Out Mechanism Required: Businesses are not required to honor global privacy requests.
- No Right to Correct Data: Consumers cannot request corrections to personal information.
- Longer Compliance Grace Period (90 days): Businesses have more time to fix violations.
Future of ICDPA Regulation
- Potential expansion of consumer rights in future amendments.
- Stronger enforcement actions expected in 2025.
- Possible updates to align with federal privacy laws if enacted.
Iowa's ICDPA is a moderate privacy law that balances consumer rights with business flexibility, making it one of the least restrictive state privacy laws.