# [Manage privacy requirements of the Iowa Consumer Data Protection Act (ICDPA)](https://usercentrics.com/icdpa/)

**Handle privacy notices, user opt-outs for data use, and evolving U.S. state privacy rules with the Usercentrics Consent Management Platform (CMP). Display a fully customizable cookie banner that supports Iowa's ICDPA requirements — designed to minimize disruption to analytics, ads, or revenue.**

---

## What is the ICDPA?

The Iowa Consumer Data Protection Act (ICDPA) is a comprehensive consumer privacy law that took effect on January 1, 2025. It gives Iowa residents more control over how their personal data is collected and used, and sets clear obligations for covered businesses.

Like most U.S. state privacy laws, the ICDPA uses an opt-out approach for data sales, targeted advertising, and sensitive data processing. For children under 13, it requires verifiable parental consent before any data is collected or processed, in accordance with the Children's Online Privacy Protection Act (COPPA).

[Common ICDPA questions and answers](https://usercentrics.com/knowledge-hub/iowa-consumer-data-protection-act-icdpa/)

---

## ICDPA at a glance

**Key Takeaways**

- The Iowa Consumer Data Protection Act (ICDPA) took effect on January 1, 2025.
- Applies to: For-profit organizations that process personal data of at least 100,000 Iowa consumers, or process data of more than 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
- Iowa consumers have rights of access, deletion, portability, opt-out, and nondiscrimination. Children's data requires parental consent.
- Businesses must provide clear privacy notices and respond to consumer rights requests within 90 days (extendable by 45 days when reasonably necessary).
- Enforcement: Iowa Attorney General
- Cure period: Businesses have a 90-day right to cure (no sunset) after notice and before enforcement action

---

## What does the ICDPA require from businesses?

The ICDPA applies to for-profit organizations that control or process personal data of at least 100,000 Iowa consumers, or data of more than 25,000 consumers while deriving over 50 percent of gross revenue from data sales.

Companies must provide a clear privacy notice, offer opt-out mechanisms for data sales and targeted advertising, and provide notice and opt-out options for sensitive data processing.

Data belonging to children under 13 requires verifiable parental consent under COPPA. Businesses must respond to consumer rights requests within 90 days (extendable by 45), and controllers must implement reasonable security measures.

---

## What are the risks of ignoring the ICDPA?

Failing to meet ICDPA requirements can result in enforcement by the Iowa Attorney General. Gaps in consent management, opt-out mechanisms, or required privacy notices can increase legal risk, disrupt advertising and data-driven revenue, and erode customer trust.

Although the ICDPA applies to organizations that meet specific thresholds, many businesses operate across multiple states or countries and must comply with other privacy laws. Aligning with ICDPA standards can support broader privacy compliance readiness.

As privacy expectations continue to rise across the U.S., inadequate data practices may also lead to reputational harm, lower customer engagement, and lost business opportunities.

**How a cookie banner helps your website perform**

**Reliable tracking you can trust**

Analytics and ads behave predictably based on real user choices. A well-configured cookie banner helps prevent broken tracking, data gaps, and last-minute fixes — your insights stay dependable.

**Less work, fewer surprises**

Automatic cookie scanning and updates can keep your banner accurate as your site and legal requirements change. Less manual upkeep, fewer headaches, and more time for your team to focus on growth.

**A better first impression**

A clear, customized cookie banner keeps your visitors informed and gives them clear choices. The result: less friction, more trust, and reduced legal risk from the start.

**Protect revenue as privacy rules change**

A flexible cookie banner and consent management platform helps you adapt as privacy expectations and state laws evolve — and as your company grows. You stay in control of tracking and monetization without scrambling to rework setups or risking interruptions.

> "Honestly, it was click, click, click, done."
>
> Kathryn Fletcher — Web Application Development Manager, Gilson

[Read full review](https://usercentrics.com/resources/case-study-gilson/)

**Get your websites and apps ready for Iowa privacy rules**

Make it easy to provide website visitors and app users with clear notice and real choice — without disrupting analytics or ads. Try Usercentrics for free to manage legal and operational risk as privacy expectations evolve.

---

## Talk to our privacy experts

Usercentrics helps businesses in Iowa give visitors clear notice and meaningful choice — without slowing down websites or apps, analytics, or advertising. Whether you're preparing for ICDPA requirements or managing multiple U.S. and global privacy laws, we'll help you protect your business and find the right setup.

- Stable tracking and marketing performance as privacy rules evolve
- Automated setup and updates that minimize ongoing maintenance
- Manage legal and operational risk with a single, scalable platform

---

## Learn more

Checklist · May 29, 2025

**[Iowa Consumer Data Protection Act (ICDPA) Checklist](https://usercentrics.com/resources/icdpa-checklist/)**

Our ICDPA compliance checklist will help you achieve and maintain privacy compliance. Build user trust and achieve high opt-in rates.

Article · Feb 7, 2025

**[U.S. data privacy laws by state: rights and requirements](https://usercentrics.com/knowledge-hub/us-data-privacy-laws-by-state/)**

In 2025 more US state privacy laws will come into effect than in any previous year, though federal legislation remains stalled. We compare what US state-level data privacy laws mean for consumers and businesses.

Article · Apr 29, 2026

**[COPPA Compliance: Key Requirements for 2026](https://usercentrics.com/knowledge-hub/coppa-compliance/)**

Compliance with the Children's Online Privacy Protection Act (COPPA) is required for any business handling the personal information of children under age 13 in the United States. This article outlines the key provisions of COPPA to help organizations take the necessary steps to achieve and maintain compliance and build trust with families.

---

## Frequently asked questions

### Does the ICDPA apply to my business?

The ICDPA applies to for-profit organizations that conduct business in Iowa or produce products or services targeted at Iowa residents, and that meet at least one of the following thresholds: they control or process the personal data of 100,000 or more Iowa consumers per year, or they control or process data of at least 25,000 Iowa consumers and derive over 50% of their gross annual revenue from the sale of personal data. Notably, unlike some other state privacy laws, the ICDPA has no minimum annual revenue threshold — so smaller businesses that handle significant data volumes may still be covered.

### Which organizations are exempt from the ICDPA?

Several categories of entities and data types are exempt. Exempt organizations include government agencies, nonprofit organizations, higher education institutions, and financial institutions subject to the Gramm-Leach-Bliley Act (GLBA). Data regulated under federal laws such as HIPAA, the Fair Credit Reporting Act (FCRA), and the Driver's Privacy Protection Act is also excluded. Employment-related data and data used in business-to-business contexts are not covered either.

### What rights do Iowa consumers have under the ICDPA?

Iowa residents have the right to confirm whether a business is processing their personal data and to access that data. They can request deletion of personal data they have provided, obtain a portable copy of their data in a usable format, and opt out of the sale of their personal data. Consumers also have the right to not be discriminated against for exercising these rights.

It is worth noting that the ICDPA does not grant consumers a right to correct inaccurate data — a right that exists in several other state privacy laws — nor does it include an explicit right to opt out of profiling.

### How does the ICDPA handle sensitive personal data?

Unlike many other state privacy laws that require opt-in consent before processing sensitive data, the ICDPA follows an opt-out model. Businesses must provide clear notice that sensitive data is being processed and give consumers a straightforward way to opt out. Sensitive data under the ICDPA includes information such as racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, citizenship or immigration status, genetic or biometric data, and precise geolocation data.

### How does the ICDPA protect children's data?

Businesses must obtain verifiable consent from a parent or legal guardian before collecting personal data from children under the age of 13. This aligns with the requirements of the federal Children's Online Privacy Protection Act (COPPA).

### How long do I have to respond to a consumer rights request?

Businesses must respond to consumer rights requests within 90 days, extendable by 45 days when reasonably necessary.

Enforcement authority rests exclusively with the Iowa Attorney General's Consumer Protection Division. Violations can result in civil penalties of up to USD 7,500 per violation. Before any penalties are imposed, businesses receive a 90-day cure period after written notice — the most generous cure period of any U.S. state privacy law. If a violation is not remedied within that window, or if a business breaches a written commitment to cure, the Attorney General may pursue legal action and seek reimbursement for investigation and litigation costs. There is no private right of action under the ICDPA, meaning consumers cannot sue businesses directly.

### Does the ICDPA apply retroactively?

No, the ICDPA took effect on January 1, 2025, and does not apply retroactively. However, businesses that were already subject to other state or international privacy laws — such as the GDPR, CCPA, or VCDPA — are likely well-positioned to meet ICDPA requirements, as many of the core obligations overlap.

### Does a cookie banner help with ICDPA compliance?

Yes, a consent management platform (CMP) with a cookie banner is a practical way to meet several ICDPA obligations at once. It allows businesses to inform visitors about data collection at the point of interaction, provide clear opt-out mechanisms for the sale of personal data, and document user choices. An up-to-date, well-configured banner also makes it easier to adapt as privacy requirements evolve across multiple U.S. states.

---

© 2026 Usercentrics GmbH