Manage privacy requirements of the Iowa Consumer Data Protection Act (ICDPA)

Handle privacy notices, user opt-outs for data use, and evolving U.S. state privacy rules with the Usercentrics Consent Management Platform (CMP). Display a fully customizable cookie banner that supports Iowa’s ICDPA requirements — designed to minimize disruption to analytics, ads, or revenue.

Common ICDPA questions and answers
  • The Iowa Consumer Data Protection Act (ICDPA) took effect on January 1, 2025.
  • Applies to: For-profit organizations that process personal data of at least 100,000 Iowa consumers, or process data of more than 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
  • Iowa consumers have rights of access, deletion, portability, opt-out, and nondiscrimination. Children’s data requires parental consent.
  • Businesses must provide clear privacy notices and respond to consumer rights requests within 90 days (extendable by 45 days when reasonably necessary).
  • Enforcement: Iowa Attorney General
  • Cure period: Businesses have a 90-day right to cure (no sunset) after notice, before any enforcement action.

What does the ICDPA require from businesses?

The ICDPA applies to for-profit organizations that control or process personal data of at least 100,000 Iowa consumers, or data of more than 25,000 consumers while deriving over 50 percent of gross revenue from data sales.

Companies must provide a clear privacy notice, offer opt-out mechanisms for data sales and targeted advertising, and provide notice and opt-out options for sensitive data processing. 

Data belonging to children under 13 requires verifiable parental consent under COPPA. Businesses must respond to consumer rights requests within 90 days (extendable by 45), and controllers must implement reasonable security measures.

What are the risks of ignoring the ICDPA?

Failing to meet ICDPA requirements can result in enforcement by the Iowa Attorney General. Gaps in consent management, opt-out mechanisms, or required privacy notices can increase legal risk, disrupt advertising and data-driven revenue, and erode customer trust.

Although the ICDPA applies to organizations that meet specific thresholds, many businesses operate across multiple states or countries and must comply with other privacy laws. Aligning with ICDPA standards can support broader privacy compliance readiness.

As privacy expectations continue to rise across the U.S., inadequate data practices may also lead to reputational harm, lower customer engagement, and lost business opportunities.

Analytics and ads behave predictably based on real user choices. A well-configured cookie banner helps prevent broken tracking, data gaps, and last-minute fixes — your insights stay dependable.

Automatic cookie scanning and updates can keep your banner accurate as your site and legal requirements change. Less manual upkeep, fewer headaches, and more time for your team to focus on growth.

A clear, customized cookie banner keeps your visitors informed and gives them clear choices. The result: less friction, more trust, and reduced legal risk from the start.

A flexible cookie banner and consent management platform helps you adapt as privacy expectations and state laws evolve — and as your company grows. You stay in control of tracking and monetization without scrambling to rework setups or risking interruptions.

“Honestly, it was click, click, click, done.”
— Web Application Development Manager, Gilson
Get your websites and apps ready for Iowa privacy rules

Make it easy to provide website visitors and app users with clear notice and real choice — without disrupting analytics or ads. Try Usercentrics for free to manage legal and operational risk as privacy expectations evolve.

Talk to our privacy experts

Usercentrics helps businesses in Iowa give visitors clear notice and meaningful choice — without slowing down websites or apps, analytics, or advertising. Whether you’re preparing for ICDPA requirements or managing multiple U.S. and global privacy laws, we’ll help you protect your business and find the right setup.

  • Stable tracking and marketing performance as privacy rules evolve
  • Automated setup and updates that minimize ongoing maintenance
  • Manage legal and operational risk with a single, scalable platform

Frequently asked questions

The ICDPA applies to for-profit organizations that conduct business in Iowa or produce products or services targeted at Iowa residents, and that meet at least one of the following thresholds: they control or process the personal data of 100,000 or more Iowa consumers per year, or they control or process data of at least 25,000 Iowa consumers and derive over 50% of their gross annual revenue from the sale of personal data. Notably, unlike some other state privacy laws, the ICDPA has no minimum annual revenue threshold — so smaller businesses that handle significant data volumes may still be covered.

Several categories of entities and data types are exempt. Exempt organizations include government agencies, nonprofit organizations, higher education institutions, and financial institutions subject to the Gramm-Leach-Bliley Act (GLBA). Data regulated under federal laws such as HIPAA, the Fair Credit Reporting Act (FCRA), and the Driver’s Privacy Protection Act is also excluded. Employment-related data and data used in business-to-business contexts are not covered either.

Iowa residents have the right to confirm whether a business is processing their personal data and to access that data. They can request deletion of personal data they have provided, obtain a portable copy of their data in a usable format, and opt out of the sale of their personal data. Consumers also have the right to not be discriminated against for exercising these rights.

It is worth noting that the ICDPA does not grant consumers a right to correct inaccurate data — a right that exists in several other state privacy laws — nor does it include an explicit right to opt out of profiling.

Unlike many other state privacy laws that require opt-in consent before processing sensitive data, the ICDPA follows an opt-out model. Businesses must provide clear notice that sensitive data is being processed and give consumers a straightforward way to opt out. Sensitive data under the ICDPA includes information such as racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, citizenship or immigration status, genetic or biometric data, and precise geolocation data.

Businesses must obtain verifiable consent from a parent or legal guardian before collecting personal data from children under the age of 13. This aligns with the requirements of the federal Children’s Online Privacy Protection Act (COPPA).

Enforcement authority rests exclusively with the Iowa Attorney General’s Consumer Protection Division. Violations can result in civil penalties of up to USD 7,500 per violation. Before any penalties are imposed, businesses receive a 90-day cure period after written notice — the most generous cure period of any U.S. state privacy law. If a violation is not remedied within that window, or if a business breaches a written commitment to cure, the Attorney General may pursue legal action and seek reimbursement for investigation and litigation costs. There is no private right of action under the ICDPA, meaning consumers cannot sue businesses directly.

No, the ICDPA took effect on January 1, 2025, and does not apply retroactively. However, businesses that were already subject to other state or international privacy laws — such as the GDPR, CCPA, or VCDPA — are likely well-positioned to meet ICDPA requirements, as many of the core obligations overlap.

Yes, a consent management platform (CMP) with a cookie banner is a practical way to meet several ICDPA obligations at once. It allows businesses to inform visitors about data collection at the point of interaction, provide clear opt-out mechanisms for the sale of personal data, and document user choices. An up-to-date, well-configured banner also makes it easier to adapt as privacy requirements evolve across multiple U.S. states.