Iowa Consumer Data Protection Act (ICDPA): An Overview

Iowa was the sixth state in the US to pass a consumer privacy law, with an effective date of January 1, 2025. As of March 29th, when the law was passed, organizations have a little less than two years to prepare for compliance.

The state’s first attempt at a comprehensive privacy law failed in 2020, but the topic of data privacy has gained momentum since. Iowa’s data privacy law can be seen as more business-friendly than some other state-level US privacy laws to date, which has also been said about the Utah Consumer Privacy Act (UCPA).

The Iowa Consumer Data Protection Act (ICDPA) protects the privacy rights of Iowa’s three million residents, and establishes data privacy responsibilities for companies doing business in the state or providing goods or services targeting Iowa residents. In the course of doing business these organizations process consumers’ personal data. Like other states, e.g. California, Iowa defines a consumer as a resident of the state who is acting in a “noncommercial and nonemployment context”.

The ICDPA uses an opt-out model, as do the laws in all the other states that have passed comprehensive data privacy regulations to date. This means that businesses that are required to comply with the law must inform consumers about data collection and processing that they perform, i.e. what data, for what purposes, third parties with whom the data will be shared, etc. Businesses must give consumers a way to opt out of data collection and processing. They and any third parties they engage for data processing must also implement reasonable security and protections.

Personal data

The ICDPA uses a fairly standard definition of personal data: “any information that is linked or reasonably linkable to an identified or identifiable natural person”. It excludes publicly available information, aggregated data, or de-identified data.

Sensitive data

This covers more specific categories of personal data, including that which reveals:

• racial or ethnic origin
• religious beliefs
• mental or physical health diagnosis
• sexual orientation
• citizenship or immigration status
• genetic or biometric data that is processed for the purpose of uniquely identifying a natural person
• personal data collected from a known child
• precise geolocation data (defined as accurate within a radius of 1750 feet/533.5 meters)

Controller

Businesses that collect and process personal data will likely qualify as controllers, which the ICDPA defines as “a person that, alone or jointly with others, determines the purpose and means of processing personal data”.

Processor

For businesses that share personal data for processing purposes, the business will be the controller and the third-party entity will be the processor, defined in the Iowa privacy act as “a person that processes personal data on behalf of a controller”.

Sale

This is defined as the “exchange of personal data for monetary consideration by the controller to a third party”. Several notable exclusions to the definition of sale of personal data include disclosure of personal data:

• to a processor that processes the personal data on behalf of the controller
• to a third party for purposes of providing a product or service requested by the consumer or the parent of a child
• to an affiliate of the controller
• that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience
• to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets

The ICDPA has two primary compliance threshold criteria for organizations:

• control or process the personal data of at least 100,000 Iowa consumers during a calendar year,

or

• control or process the personal data of at least 25,000 Iowa consumers during a calendar year, and derive more than 50% of their gross revenue from the sale of personal data

Unlike some states, e.g. California, Iowa’s privacy law will not have a revenue threshold. That means that companies otherwise would be required to comply with the regulation if their annual gross revenues exceeded a certain dollar threshold, e.g. US $25 million, even if they did not meet the threshold of the number of consumers’ whose data was processed.

Without this threshold, businesses of any size/value that meet the Iowa privacy law’s personal data or personal data plus revenue percentage thresholds must comply with the law.

The exemptions in the Iowa data privacy act are fairly consistent with the other existing US data privacy laws, deferring mainly to existing federal laws, including:

• Health Insurance Portability and Accountability Act (HIPAA)
• Children’s Online Privacy Protection Act (COPPA)
• Family Educational Rights and Privacy Act
• Driver’s Privacy Protection Act
• Farm Credit Act

Other exemptions include health records, research data for human subjects that are covered by other federal laws or standards, and data that is processed or maintained for employment-related purposes.

Additional exempted institutions include:

• state government entities
• financial institutions (also entities and affiliates subject to the Gramm-Leach-Bliley Act)
• institutions of higher education
• nonprofit organizations

Consumers have four main rights under the new data protection law. Parents or legal guardians of known children can invoke a child’s rights regarding processing of personal data.

• Right to access: confirmation if the controller is processing the consumer’s personal data and access to that data, with some exceptions
• Right to delete: any personal data the controller has that was provided by the consumer
• Right to portability: obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions
• Right to opt out: of sale of personal data

The most notable rights that are not included are:

• Right to correction
• Right to opt out of automated decision-making
• Right to opt out of profiling
• Opt in for processing of sensitive personal data
• Private right of action (consumers’ ability to sue the controller in the event of a violation)

Controllers must notify consumers of their rights and ways that consumers can exercise those rights by submitting a verifiable request to the company. The controller must include clear information on how to exercise consumer rights in their privacy notice or policy page on their website.

After a consumer request is received, the controller has 90 days to respond. There are some limited reasons that they can decline, including if the consumer’s identity cannot be reasonably verified. If there are extenuating circumstances preventing fulfilling the request, once the consumer has been notified, that response period can be extended by 45 days if reasonably necessary.

Notably, the Iowa data privacy law does not require organizations to have data protection operations or to perform privacy risk assessments.

Purpose limitation

Controllers can process personal data for the purpose(s) that they have communicated, as long as the processing is “reasonably necessary” (relevant, adequate, and limited) and proportional to those purposes.

Data security

Controllers must protect the “confidentiality, integrity and availability” of personal data by implementing reasonable “administrative, technical, and physical” data security measures. These measures should be appropriate to the nature and volume of personal data being processed.

Consent requirements

Like other US states that have passed privacy laws, Iowa uses an opt-out model, so user consent is not required before collecting and processing data in many cases, including for the processing of sensitive personal data. Consumers must be given clear notice about processing and be able to opt out of sale.

Where children are concerned, like a number of other states, the ICDPA follows the Children’s Online Privacy Protection Act (COPPA). Consent from any known child’s parent or guardian must be obtained before processing of any personal data of any user known to be under 13 years of age. This goes for all children’s personal data, as under Iowa’s data privacy regulation children’s personal data is classified as “sensitive” by default.

Nondiscrimination

Controllers are prohibited from unlawful discrimination against consumers, and from processing personal data if doing so is in violation of state or federal laws governing discrimination. Additionally, controllers cannot discriminate against consumers for exercising their rights. For example, a consumer cannot be blocked from accessing a website if they opt out of allowing personal data collection.

However, there are often website features or functions that will not work without certain cookies being active, so if a consumer does not opt in to their use because they collect personal data, the site may not work optimally. This is not discriminatory.

Controllers can offer voluntary incentives like discounts for consumers’ voluntary participation in operations like an organization’s loyalty program or signing up for a newsletter, where these operations collect and process personal data. Such offers have to be reasonable, as data protection authorities tend to frown on disproportionate incentives as they start to look like bribes.

Transparency

Controllers must provide consumers with clear and accessible information about data processing. Commonly this appears on the company’s website in the privacy notice or policy. Under the ICDPA, this information must include:

• purpose(s) for processing personal data
• categories of personal data processed by the controller
• categories of personal data that the controller shares with third parties, if any
• categories of third parties with whom the controller shares personal data, if any
• how consumers may exercise their rights and/or appeal a controller’s decision (e.g. if a request for access is denied)

Third party contracts

Controllers must have contracts in place with third-party processors with clear information and:

• instructions about processing personal data
• type(s) of data to be processed
• nature and purpose(s) of processing
• duration of processing
• retention, deletion, and access to personal data
• rights and duties of both entities, including subcontractor accountability

Universal opt-out signal

Like with the Virginia Consumer Data Protection Act (VCDPA), the Iowa Consumer Data Protection Act does not make any reference to the Global Privacy Control (GPC) or other opt-out mechanism. California’s laws do reference this signal, which is intended to standardize user consent online. Using it enables consumers to create a single set of their own personal data privacy consent preferences. These settings can then be communicated to all websites or apps that consumers visit, so users don’t have to set new preferences on every site. Use of this mechanism also helps ensure compliance with consumer privacy laws relevant to each user.

In Iowa, the Attorney General has exclusive enforcement authority for the ICDPA. As noted, the law does not provide consumers with private right of action, but they can report alleged violations to the Attorney General’s office. The Attorney General must provide parties with alleged violations against them with written notice that lists the violations.

There is a 90-day cure period when organizations can fix the issues and take steps to prevent recurrence. This is longer than the cure periods provided by other states, where 30 days is common, though Connecticut offers a 60-day cure period.

Organizations found to have violated the ICDPA also have to notify the Attorney General that they have taken these repair actions, and provide a statement that no further violations will occur. Once they have done this, and if no further issues come up, there won’t be further punitive action against them.

If the controller or any of their data processors are still in violation after the cure period, or after submitting their statement, the Attorney General can initiate civil proceedings.

A controller or processor found to be in violation of Iowa’s data privacy regulation is subject to a fine of up to US $7,500 per violation, which is the same as California’s maximum fine under the California Privacy Rights Act (CPRA). These fines are paid into the fund for consumer education and litigation.

Iowa’s consumer privacy law reflects the opt out model, as do all other current US state-level data privacy laws. Under this model, controllers do not have to obtain user/data subject consent prior to collecting or processing personal data, including data classified as sensitive. The only exception is where the ICDPA follows the federal COPPA law regarding children’s personal data. Where the processing would be for a known child, consent of a parent or guardian does need to be obtained before any data collection or other form of processing.

Data subjects must be given the opportunity to opt out of data processing (sale or targeted advertising) at any point. Information about that must be provided on the website, typically under the privacy notice/policy page.

The mechanism to enable users to opt out of data processing can be presented in a banner and displayed, most commonly as a link or button. A Consent Management Platform (CMP) like Usercentrics’ also helps to automate detection of the cookies and other tracking technologies in use on websites and apps. Use of a CMP streamlines collecting and providing the information to users about categories of data and specific services in use by the controller and/or processor(s), and third parties with whom data is shared. Iowa’s privacy law, and most data privacy regulations around the world, require this notification.

Because the United States does not have a single federal data privacy law, companies doing business across the country and/or with other countries may need to comply with multiple consumer privacy laws to protect data.

A CMP can make this easier by enabling banner customization and geotargeting. Data processing, consent information and choices for specific regulations can be presented based on specific user location. Geotargeting can also improve clarity and user experience by presenting this information in the user’s preferred language.

This enables companies to achieve data privacy compliance with the Iowa Consumer Data Protection Act, as well as other current and upcoming regulations across the United States. For companies doing business internationally, using a Consent Management Platform also enables compliance with regulations like the GDPR, which has more strict consent management requirements than the laws in the US.

Organizations doing business in Iowa have until 2025 to prepare for compliance with the ICDPA, though that lead time is shorter than other states and regions have often had to prepare. If companies have already prepared for or achieved compliance with other US state-level laws, there will be less work to do. As always, a privacy by design approach will benefit all operations in an organization, whether specifically for regulatory compliance or not.

Achieving compliance will mainly be a matter of confirming the Iowa law’s specific requirements and having a solution in place to provide users with the necessary notifications and opt-out options. A Consent Management Platform will enable that.

Data privacy advocates have already called for strengthening Iowa’s data privacy regulation, and like other state-level laws, updates are likely over time, as these US regulations are all “version one”. With the exception of California, which implemented the CPRA to amend and expand the California Consumer Privacy Act (CCPA). The ICDPA does not include private right of action, so consumer class-action lawsuits will not be a potential influence on future amendments to Iowa’s privacy law as they may be in California.

Consulting qualified legal counsel and/or your organization’s data privacy expert is recommended to ensure responsibilities are met, even for regulations like Iowa’s that are considered “business-friendly”.

Beyond just meeting requirements, being proactive about protecting user privacy is a valuable business effort. It builds user trust and engagement, provides better user experiences, and strengthens customer relationships long-term, which leads to more high quality data for marketing operations and boosts revenue.

If you have questions or interest in implementing a consent management platform to help achieve compliance with privacy laws in the United States and around the world, talk to one of our experts.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.