October 29, 2024

Iowa Consumer Data Protection Act (ICDPA): Comprehensive Data Privacy Law Overview for Iowa Businesses

Learn everything about ICDPA compliance: coverage criteria, business obligations, consumer rights, and penalties. Essential guide for businesses handling Iowa residents' data.

The Iowa Consumer Data Protection Act (ICDPA, Senate File 262) is Iowa's comprehensive consumer data privacy law. Signed in March 2023 and effective January 1, 2025, it sets out how businesses that control or process Iowa residents' personal data must handle that data, and it places Iowa among the growing group of U.S. states that have enacted their own privacy statutes rather than waiting for a federal one.

This comprehensive guide will cover everything businesses need to know about the ICDPA, from compliance requirements to consumer rights and enforcement policies.

What is the Iowa Consumer Data Protection Act (ICDPA)?

The Iowa Consumer Data Protection Act (ICDPA) is a state privacy statute aimed at strengthening data privacy protections for Iowa residents. It requires businesses that collect and process personal data to meet specific obligations toward the consumers that data describes. With its enactment, Iowa became the sixth state to adopt a comprehensive consumer data privacy law. The ICDPA provides a framework for transparency, consumer choice, and business accountability, although, as the sections below note, it is lighter in several respects than the laws of California, Colorado, or Connecticut.

Why Does the ICDPA Matter?

With no comprehensive federal privacy law in place, states have stepped in to set baseline data protection standards. The ICDPA is Iowa's answer, building on the model set by earlier state laws in California, Virginia, and Colorado, and following the Virginia act most closely.

As data breaches and privacy concerns mount, laws like the ICDPA help build consumer trust and ensure that companies practice responsible data handling. Businesses complying with the ICDPA stand to benefit from enhanced reputations, reduced regulatory risk, and improved customer loyalty. The ICDPA, with its detailed data protection law provisions, ensures that organizations engaging with Iowa consumers meet high standards for privacy compliance.

How Do You Know if the Iowa Data Protection Law Applies to Your Business?

The ICDPA applies to persons that conduct business in Iowa, or that produce products or services targeted to Iowa consumers, and that during a calendar year meet either of the following criteria:

  1. Data Volume: They control or process the personal data of at least 100,000 Iowa consumers.
  2. Data Sales Revenue: They control or process the personal data of at least 25,000 Iowa consumers and derive over 50% of gross revenue from the sale of personal data.

A "consumer" under the act is an Iowa resident acting in an individual or household context; people acting in a commercial or employment context are not consumers, so customer, visitor, and subscriber records count toward the thresholds, while employee and business-contact records do not.

Exemptions to the ICDPA Coverage

While many businesses in Iowa fall under this data privacy act, there are key exemptions:

  • Government Agencies: State bodies, boards, commissions, and political subdivisions of the state are not covered by the ICDPA.
  • Financial Institutions: Financial institutions and data subject to the Gramm-Leach-Bliley Act (GLBA) are exempt because of the overlapping federal financial privacy regime.
  • Healthcare Entities: Covered entities and business associates under HIPAA are exempt, as HIPAA already governs their handling of protected health information.
  • Nonprofit Organizations: Nonprofits are exempt from the act entirely.
  • Higher Education Institutions: Colleges and universities are not subject to the ICDPA, though they may still need to comply with federal student privacy law such as FERPA.

Additionally, certain types of data are excluded from the ICDPA’s scope, such as:

  • Protected health information under HIPAA, and identifiable data used in human-subjects research governed by federal research protections.
  • Data processed in the employment context, such as records an employer keeps about its employees, job applicants, and contractors.
  • Data already regulated by specific federal laws, including the Children's Online Privacy Protection Act (COPPA), the Driver's Privacy Protection Act (DPPA), the Family Educational Rights and Privacy Act (FERPA), and the Fair Credit Reporting Act (FCRA).

What Is Personal Data Under the ICDPA?

Under the ICDPA, personal data is any information that is linked or reasonably linkable to an identified or identifiable natural person. That covers obvious identifiers such as names, postal and email addresses, and account details, as well as data that identifies someone indirectly, such as IP addresses, device identifiers, browsing history, and purchase behavior. Two categories fall outside the definition: de-identified or aggregated data that cannot reasonably be linked back to an individual, and publicly available information. Like the other state privacy laws, the ICDPA singles out a subcategory of sensitive data for additional treatment, described next; note, however, that its treatment of sensitive data is lighter than in most other states, requiring notice and an opportunity to opt out rather than opt-in consent.

What Is Sensitive Personal Data Under the ICDPA?

Sensitive data is a subcategory of personal data that receives additional protection because of what it reveals. Under the ICDPA, sensitive data includes:

  • Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
  • Genetic or biometric data processed for the purpose of uniquely identifying an individual
  • Personal data collected from a known child (a person under 13)
  • Precise geolocation data

What Obligations Do Businesses Have Under the Iowa Data Privacy Law?

Businesses subject to the ICDPA fall into two categories—Controllers and Processors—each with specific obligations to ensure compliance.

What Are the Duties of a Controller?

Controllers are entities that determine the purposes and means of processing personal data. Their responsibilities under the ICDPA include:

  • Sensitive Data Notice and Opt-Out: Do not process sensitive data without first giving the consumer clear notice and an opportunity to opt out of that processing. For sensitive data collected from a known child, process it in accordance with COPPA instead.
  • Sale and Targeted Advertising Disclosure: If you sell personal data to third parties or engage in targeted advertising, clearly and conspicuously disclose that fact and explain how consumers can opt out.
  • Privacy Notices: Provide a reasonably accessible, clear, and meaningful privacy notice covering the categories of data processed, the purposes, how consumers exercise their rights, and data shared with third parties.
  • Data Security: Adopt and implement reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue.
  • Non-Discrimination: Do not deny goods or services, charge different prices, or provide a different level of quality because a consumer exercised a right under the act; bona fide loyalty and discount programs remain permitted.
  • Respond to Consumer Requests: Answer requests to confirm processing, access, delete, and obtain a portable copy of personal data within 90 days, extendable once by a further 45 days where reasonably necessary, and offer an appeal process for denied requests. The ICDPA does not grant a right to correct inaccurate data, so no correction workflow is required by the statute.
  • Data Processing Agreements: Put a binding contract in place with each processor that sets out the processing instructions, the nature and purpose of processing, the type of data, the duration, and the rights and obligations of both parties.

Unlike the Virginia act on which it is modeled, the ICDPA does not contain express purpose-limitation or data-minimization duties, and it does not require data protection assessments. Collecting only what you need and using it only for disclosed purposes remain sound practice: they limit what an attacker can take in a breach and what you must locate when a deletion request arrives.

What Are the Duties of a Processor?

Processors handle personal data on behalf of controllers. Their ICDPA obligations include:

  • Processing under a Contract: Process data only under a written contract with the controller and in line with the controller's documented instructions, so that roles and responsibilities are unambiguous.
  • Consumer Data Requests: Assist the controller in responding to consumer requests, using appropriate technical and organizational measures, so that the controller can meet its deadlines.
  • Data Protection: Help the controller meet its security obligations, ensure that personnel handling the data are bound by a duty of confidentiality, and delete or return the personal data at the end of the engagement unless retention is required by law.
  • Subcontractors: Engage subcontractors only under a written contract that flows down the same obligations.
  • Demonstrating Compliance: Make available to the controller the information reasonably necessary to demonstrate compliance with the act.

What Are the Data Subject Rights Under the Iowa Consumer Data Protection Act?

The ICDPA grants Iowa consumers the following rights:

  1. Right to Confirm Processing: Consumers may ask whether a controller is processing their personal data.
  2. Right to Access: Consumers can request access to the personal data a controller holds about them.
  3. Right to Data Portability: Consumers can obtain a copy of the personal data they previously provided, in a portable and readily usable format that lets them move it to another service.
  4. Right to Deletion: Consumers can request deletion of the personal data they provided to the controller.
  5. Right to Opt Out of the Sale of Personal Data: Consumers can stop a controller from selling their personal data. Where a controller engages in targeted advertising, it must also disclose that and explain how to opt out.

Notably absent, compared with most other state laws, are a right to correct inaccurate data and a right to opt out of profiling. Controllers must respond to a request within 90 days, which may be extended once by 45 days where reasonably necessary (the consumer must be told about the extension within the original period). Controllers must also establish a process for consumers to appeal a refusal and must answer appeals within 60 days, and they must keep records of requests so they can demonstrate compliance.

How Should Privacy Notices Be Structured for ICDPA Compliance?

Under the ICDPA, businesses must issue privacy notices to consumers, ensuring they understand how their personal data is collected, stored, and shared. A comprehensive privacy notice should include:

  • Categories of Personal Data Processed: Tell consumers which types of personal data you collect, including any sensitive data categories.
  • Purpose of Data Processing: Explain clearly why each category is collected and how it is used.
  • Consumer Rights and Instructions: Describe how consumers can exercise their rights, including how to appeal a denied request.
  • Third-Party Data Sharing: Disclose the categories of personal data shared with third parties and the categories of those third parties.
  • Sale and Targeted Advertising: If you sell personal data or engage in targeted advertising, say so conspicuously and explain how consumers can opt out.

A well-drafted privacy notice is essential to maintain transparency and trust with consumers while also meeting regulatory requirements.

How Is the ICDPA Enforced?

The Iowa Attorney General has exclusive authority to enforce the ICDPA; the act creates no private right of action, so consumers cannot sue under it directly. The Attorney General may investigate complaints and issue a civil investigative demand for information when a violation is suspected.

What Are the Penalties for Non-Compliance with the ICDPA?

Before bringing an action, the Attorney General must give the business written notice of the alleged violations and a 90-day cure period (the cure period has no sunset, unlike in several other states). If the business fails to cure, the Attorney General may seek an injunction and civil penalties of up to $7,500 per violation.

Because the penalty is assessed per violation, exposure scales with the number of affected consumers and requests. If each of 100 mishandled consumer requests were treated as a separate violation, the penalty ceiling would reach $750,000. Every consumer request handled correctly and on time is also a documented demonstration of compliance should the Attorney General come asking.

Frequently Asked Questions (FAQs) on the ICDPA

What is the ICDPA's stance on consent?

The ICDPA does not require consent for the processing of personal data in general. Unlike most other state laws, it also does not require opt-in consent for sensitive data: a controller must give clear notice and an opportunity to opt out before processing sensitive data. The one exception is personal data collected from a known child, which must be processed in accordance with COPPA, meaning verifiable parental consent.

Do businesses need to honor Universal Opt-Out Mechanisms?

The ICDPA does not require businesses to recognize universal opt-out mechanisms such as Global Privacy Control (GPC), the browser-level signal that several other states now mandate. Iowa businesses can choose to honor it at their discretion. Since the same opt-out logic will often serve customers in states that do require it, many controllers honor the signal everywhere rather than branching on residency.
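For a controller that decides to honor the signal, the decision logic is small but worth getting right. The following is an added example, not code from the original article or from Secure Privacy's product. It relies on two facts from the GPC specification: the browser sends the request header "Sec-GPC: 1", and page scripts can read navigator.globalPrivacyControl. The function names, the shape of the stored preference record, and the precedence rules are assumptions made for illustration.

```javascript
// Added example: resolving the "sale of personal data" opt-out state for one
// request, for a controller that has chosen to honor Global Privacy Control.
// Function names and the preference record shape are illustrative assumptions.

// Case-insensitive lookup of one header in a plain { name: value } object
// (most server frameworks lower-case header names, but callers may not).
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// True only when the browser sent a well-formed GPC signal. The spec defines
// the value "1"; anything else (absent, "0", malformed) is treated as no signal.
function gpcSignalled(headers) {
  return String(getHeader(headers, 'Sec-GPC') || '').trim() === '1';
}

// Decide whether this consumer has opted out of the sale of personal data.
//   headers:          the inbound request headers
//   storedPreference: the controller's own record of an explicit consumer
//                     choice: 'opt-out', 'opt-in', or null (nothing on file)
//   honorGpc:         the controller's policy choice; the ICDPA does not
//                     require honoring the signal, so it defaults to false
// Returns { optedOut, source } so the basis for the decision can be written
// to the request log the controller keeps for demonstrating compliance.
function resolveSaleOptOut({ headers, storedPreference = null, honorGpc = false }) {
  // An explicit opt-out request the consumer made to the controller always wins,
  // whether or not the browser is sending a signal today.
  if (storedPreference === 'opt-out') {
    return { optedOut: true, source: 'consumer-request' };
  }
  // The browser-level signal is applied only if the controller has chosen to
  // honor it and the consumer has not explicitly opted back in on this site.
  if (honorGpc && storedPreference !== 'opt-in' && gpcSignalled(headers)) {
    return { optedOut: true, source: 'gpc' };
  }
  // The ICDPA is an opt-out model: with no signal and no request, sale is permitted.
  return { optedOut: false, source: 'default' };
}

// Constructed sample requests, for demonstration only.
const sampleRequests = [
  { headers: { 'sec-gpc': '1' }, storedPreference: null, honorGpc: true },
  { headers: { 'Sec-GPC': '1' }, storedPreference: null, honorGpc: false },
  { headers: {}, storedPreference: 'opt-out', honorGpc: false },
];
for (const req of sampleRequests) {
  console.log(JSON.stringify(resolveSaleOptOut(req)));
}
```

Logging the source of each decision matters more than it looks: if a consumer later disputes a sale, the controller needs to show whether it acted on an explicit request, on a browser signal it chose to honor, or on the statutory default. The same function can be wired to navigator.globalPrivacyControl in client-side code by passing { 'Sec-GPC': navigator.globalPrivacyControl ? '1' : '0' } as the headers argument.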

How does ICDPA compare to GDPR?

The ICDPA follows an opt-out model: a business may process personal data until the consumer exercises an opt-out right, and consent is not a precondition for processing. The GDPR instead requires a lawful basis before any processing begins, with consent being one of six such bases, and it treats sensitive ("special category") data as off limits absent explicit consent or another narrow exception. The GDPR also imposes duties the ICDPA lacks, such as data protection impact assessments, a right to rectification, and breach notification to the regulator within 72 hours.

What are the other US state data protection laws and how does the Iowa one compare?

The Iowa Consumer Data Protection Act aligns most closely with the Virginia Consumer Data Protection Act (VCDPA) in its opt-out rights and its controller and processor obligations, but it drops several of Virginia's requirements: there is no right to correction, no opt-in consent for sensitive data, no data protection assessment requirement, and no express purpose-limitation or data-minimization duties. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides broader rights, including correction and limits on the use of sensitive data, and requires businesses to honor opt-out preference signals such as GPC. The Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA) share the Virginia framework but add correction rights, opt-in consent for sensitive data, and a requirement to honor universal opt-out mechanisms. The Utah Consumer Privacy Act (UCPA) is the closest in spirit to Iowa's: both omit universal opt-out mechanisms and a correction right, and both give consumers access, deletion, and portability rights.

For more information, check out our blog on US Data Protection Laws here.

How Can Secure Privacy Help You Comply with the ICDPA?

Secure Privacy provides tools to simplify privacy compliance for businesses. Through our Consent Management Platform (CMP), your business can handle consumer data requests, manage privacy notices, and keep your processes aligned with the ICDPA's requirements. Secure Privacy's solutions offer automated privacy notices, data security measures, and streamlined consumer request handling, among other features.

Get started with Secure Privacy’s free trial today and take a proactive step toward privacy compliance and building consumer trust.
