Iowa was the sixth state in the US to pass a consumer privacy law, with an effective date of January 1, 2025. As of March 29th, when the law was passed, organizations have a little less than two years to prepare for compliance.<\/p>\n
The state\u2019s first attempt at a comprehensive privacy law failed in 2020, but the topic of data privacy has gained momentum since. Iowa\u2019s data privacy law can be seen as more business-friendly than some other state-level US privacy laws to date, which has also been said about the Utah Consumer Privacy Act\u00a0<\/a>(UCPA).<\/p>\n\n\n The Iowa Consumer Data Protection Act<\/a> (ICDPA) protects the privacy rights of Iowa\u2019s three million residents, and establishes data privacy responsibilities for companies doing business in the state or providing goods or services targeting Iowa residents. In the course of doing business these organizations process consumers\u2019 personal data. Like other states, e.g. California, Iowa defines a consumer as a resident of the state who is acting in a \u201cnoncommercial and nonemployment context\u201d.<\/p>\n The ICDPA uses an opt-out model, as do the laws in all the other states that have passed comprehensive data privacy regulations to date. This means that businesses that are required to comply with the law must inform consumers about data collection and processing that they perform, i.e. what data, for what purposes, third parties with whom the data will be shared, etc. Businesses must give consumers a way to opt out of data collection and processing. They and any third parties they engage for data processing must also implement reasonable security and protections.<\/p>\n Personal data<\/strong><\/p>\n The ICDPA uses a fairly standard definition of personal data: \u201cany information that is linked or reasonably linkable to an identified or identifiable natural person\u201d<\/em>. It excludes publicly available information, aggregated data, or de-identified data<\/a>.<\/p>\n Sensitive data<\/strong><\/p>\n This covers more specific categories of personal data, including that which reveals:<\/p>\n Controller<\/strong><\/p>\n Businesses that collect and process personal data will likely qualify as controllers, which the ICDPA defines as \u201ca person that, alone or jointly with others, determines the purpose and means of processing personal data\u201d<\/em>.<\/p>\n Processor<\/strong><\/p>\n For businesses that share personal data for processing purposes, the business will be the controller and the third-party entity will be the processor, defined in the Iowa privacy act as \u201ca person that processes personal data on behalf of a controller\u201d<\/em>.<\/p>\n Sale<\/strong><\/p>\n This is defined as the \u201cexchange of personal data for monetary consideration by the controller to a third party\u201d<\/em>. Several notable exclusions to the definition of sale of personal data include disclosure of personal data:<\/p>\n The ICDPA has two primary compliance threshold criteria for organizations:<\/p>\n or<\/strong><\/p>\n Unlike some states, e.g. California, Iowa\u2019s privacy law will not have a revenue threshold. That means that companies otherwise would be required to comply with the regulation if their annual gross revenues exceeded a certain dollar threshold, e.g. US $25 million, even if they did not meet the threshold of the number of consumers\u2019 whose data was processed.<\/p>\n Without this threshold, businesses of any size\/value that meet the Iowa privacy law\u2019s personal data or personal data plus revenue percentage thresholds must comply with the law.<\/p>\n The exemptions in the Iowa data privacy act are fairly consistent with the other existing US data privacy laws, deferring mainly to existing federal laws, including:<\/p>\n Other exemptions include health records, research data for human subjects that are covered by other federal laws or standards, and data that is processed or maintained for employment-related purposes.<\/p>\n Additional exempted institutions include:<\/p>\n Consumers have four main rights under the new data protection law. Parents or legal guardians of known children can invoke a child\u2019s rights regarding processing of personal data.<\/p>\n The most notable rights that are not included are:<\/p>\n Controllers must notify consumers of their rights and ways that consumers can exercise those rights by submitting a verifiable request to the company. The controller must include clear information on how to exercise consumer rights in their privacy notice or policy page on their website.<\/p>\n After a consumer request is received, the controller has 90 days to respond. There are some limited reasons that they can decline, including if the consumer\u2019s identity cannot be reasonably verified. If there are extenuating circumstances preventing fulfilling the request, once the consumer has been notified, that response period can be extended by 45 days if reasonably necessary.<\/p>\n Notably, the Iowa data privacy law does not require organizations to have data protection operations or to perform privacy risk assessments.<\/p>\n Purpose limitation<\/strong><\/p>\n Controllers can process personal data for the purpose(s) that they have communicated, as long as the processing is \u201creasonably necessary\u201d (relevant, adequate, and limited) and proportional to those purposes.<\/p>\n Data security<\/strong><\/p>\n Controllers must protect the \u201cconfidentiality, integrity and availability\u201d of personal data by implementing reasonable \u201cadministrative, technical, and physical\u201d data security measures. These measures should be appropriate to the nature and volume of personal data being processed.<\/p>\n Consent requirements<\/strong><\/p>\n Like other US states that have passed privacy laws, Iowa uses an opt-out model, so user consent is not required before collecting and processing data in many cases, including for the processing of sensitive personal data. Consumers must be given clear notice about processing and be able to opt out of sale.<\/p>\n Where children are concerned, like a number of other states, the ICDPA follows the Children\u2019s Online Privacy Protection Act<\/a> (COPPA). Consent from any known child\u2019s parent or guardian must be obtained before processing of any personal data of any user known to be under 13 years of age. This goes for all children\u2019s personal data, as under Iowa\u2019s data privacy regulation children\u2019s personal data is classified as \u201csensitive\u201d by default.<\/p>\n Nondiscrimination<\/strong><\/p>\n Controllers are prohibited from unlawful discrimination against consumers, and from processing personal data if doing so is in violation of state or federal laws governing discrimination. Additionally, controllers cannot discriminate against consumers for exercising their rights. For example, a consumer cannot be blocked from accessing a website if they opt out of allowing personal data collection.<\/p>\n However, there are often website features or functions that will not work without certain cookies being active, so if a consumer does not opt in to their use because they collect personal data, the site may not work optimally. This is not discriminatory.<\/p>\n Controllers can offer voluntary incentives like discounts for consumers\u2019 voluntary participation in operations like an organization\u2019s loyalty program or signing up for a newsletter, where these operations collect and process personal data. Such offers have to be reasonable, as data protection authorities tend to frown on disproportionate incentives as they start to look like bribes.<\/p>\n Transparency<\/strong><\/p>\n Controllers must provide consumers with clear and accessible information about data processing. Commonly this appears on the company\u2019s website in the privacy notice or policy. Under the ICDPA, this information must include:<\/p>\n Third party contracts<\/strong><\/p>\n Controllers must have contracts in place with third-party processors with clear information and:<\/p>\n Universal opt-out signal<\/strong><\/p>\n Like with the Virginia Consumer Data Protection Act<\/a> (VCDPA), the Iowa Consumer Data Protection Act does not make any reference to the Global Privacy Control<\/a> (GPC) or other opt-out mechanism. California\u2019s laws do reference this signal, which is intended to standardize user consent online. Using it enables consumers to create a single set of their own personal data privacy consent preferences. These settings can then be communicated to all websites or apps that consumers visit, so users don\u2019t have to set new preferences on every site. Use of this mechanism also helps ensure compliance with consumer privacy laws relevant to each user.<\/p>\n\n\n In Iowa, the Attorney General has exclusive enforcement authority for the ICDPA. As noted, the law does not provide consumers with private right of action, but they can report alleged violations to the Attorney General\u2019s office. The Attorney General must provide parties with alleged violations against them with written notice that lists the violations.<\/p>\n There is a 90-day cure period when organizations can fix the issues and take steps to prevent recurrence. This is longer than the cure periods provided by other states, where 30 days is common, though Connecticut offers a 60-day cure period.<\/p>\n Organizations found to have violated the ICDPA also have to notify the Attorney General that they have taken these repair actions, and provide a statement that no further violations will occur. Once they have done this, and if no further issues come up, there won\u2019t be further punitive action against them.<\/p>\n If the controller or any of their data processors are still in violation after the cure period, or after submitting their statement, the Attorney General can initiate civil proceedings.<\/p>\n A controller or processor found to be in violation of Iowa\u2019s data privacy regulation is subject to a fine of up to US $7,500 per violation, which is the same as California\u2019s maximum fine under the California Privacy Rights Act<\/a> (CPRA). These fines are paid into the fund for consumer education and litigation.<\/p>\n\n\n Iowa\u2019s consumer privacy law reflects the opt out model, as do all other current US state-level data privacy laws. Under this model, controllers do not have to obtain user\/data subject consent prior to collecting or processing personal data, including data classified as sensitive. The only exception is where the ICDPA follows the federal COPPA law regarding children\u2019s personal data. Where the processing would be for a known child, consent of a parent or guardian does need to be obtained before any data collection or other form of processing.<\/p>\n Data subjects must be given the opportunity to opt out of data processing (sale or targeted advertising) at any point. Information about that must be provided on the website, typically under the privacy notice\/policy page.<\/p>\n The mechanism to enable users to opt out of data processing can be presented in a banner and displayed, most commonly as a link or button. A Consent Management Platform (CMP) like Usercentrics\u2019 also helps to automate detection of the cookies and other tracking technologies in use on websites and apps. Use of a CMP streamlines collecting and providing the information to users about categories of data and specific services in use by the controller and\/or processor(s), and third parties with whom data is shared. Iowa\u2019s privacy law, and most data privacy regulations around the world, require this notification.<\/p>\n Because the United States does not have a single federal data privacy law, companies doing business across the country and\/or with other countries may need to comply with multiple consumer privacy laws to protect data.<\/p>\n\n\nWhat is the Iowa data privacy act?<\/h2>\n
Definitions in the Iowa Consumer Data Protection Act<\/h4>\n
\n
\n
What is covered in the Iowa data privacy act?<\/h2>\n
Who has to comply with the Iowa Consumer Data Protection Act?<\/h4>\n
\n
\n
Exemptions to Iowa Consumer Data Protection Act compliance<\/h4>\n
\n
\n
Consumers\u2019 rights under the Iowa Consumer Data Protection Act<\/h2>\n
\n
\n
How does the new Iowa data protection act affect businesses?<\/h2>\n
How to comply with the Iowa data privacy act?<\/h4>\n
\n
\n
What happens if you break the Iowa data protection law?<\/h2>\n
Enforcement<\/h4>\n
Cure period and controller actions<\/h4>\n
Fines and penalties<\/h4>\n
The Iowa Consumer Data Protection Act and consent management<\/h2>\n