January 26, 2024

Iowa Consumer Data Protection Act (ICDPA): The Quick Guide for the Iowa Privacy Law

Discover key insights into Iowa's comprehensive Consumer Data Protection Act (ICDPA) and its implications for businesses. Learn about compliance duties, penalties, and consumer rights.

The Iowa Consumer Data Protection Act (ICDPA) is the comprehensive privacy law of the state of Iowa. You may need to comply with it, so here are the most important details about the law.

Iowa: The Sixth State to Enact a Comprehensive Data Protection Law

The Iowa Consumer Data Protection Act (ICDPA) is comprehensive state legislation that focuses on protecting consumer privacy in the state of Iowa. This law places a significant responsibility on businesses, requiring them to comply with detailed privacy duties.

Moreover, it empowers consumers by granting them a variety of rights concerning their personal data.

The ICDPA further outlines strict penalties for businesses that fail to comply with these regulations. This important piece of legislation was officially enacted on March 28, 2023. It is scheduled to become effective on January 1, 2025, providing a substantial period for businesses to align their practices with the new requirements. That's enough time for you to get familiar with the duties and prepare for compliance. So, keep reading.


Does the Iowa Consumer Data Protection Act apply to you?

The ICDPA applies to businesses targeting Iowa residents that meet at least one of the following criteria:

  • They control or process the personal data of at least 100,000 consumers, or
  • They control or process the personal data of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data.

Some entities are exempt by default from the ICDPA. These include:

  • Nonprofit organizations
  • Covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA)
  • Government agencies
  • Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
  • Higher education institutions

In addition to these organizational exemptions, the ICDPA does not apply to the types of data already protected by industry-specific laws, such as:

  • Personal data that is already protected under existing federal laws such as HIPAA, the Children's Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), the Driver's Privacy Protection Act, and the Farm Credit Act.
  • Health records.
  • Data from human subjects research that is covered by federal law or other relevant standards.
  • Employment data.

Having said that, the ICDPA applies to commercial businesses processing personal information that also meet the thresholds.

Iowa Data Privacy Law Basics

Each business that meets the criteria mentioned above has to learn some basic ICDPA concepts. All of them are already present in other laws.

Personal data. Personal data is defined as any kind of information that has the potential to identify a person. This includes individual names, email addresses, telephone numbers, and even specifics related to an individual's browsing and purchasing activities.

It's important to note, though, that the legislation clarifies that data that has been de-identified or aggregated and thus cannot be traced back to a specific individual is not considered personal data under this law.

Sensitive personal data. The ICDPA further clarifies what sensitive data is, as a subcategory of personal data. It includes the following categories of personal data:

  • Personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health diagnoses, or citizenship or immigration status.
  • Genetic or biometric data that is processed with the intent to uniquely identify an individual.
  • Personal data collected from a known child.
  • Precise geolocation data.

Sensitive data has a special regime under the law.

Controllers. These are the businesses that are subject to the law and must abide by it. They make the decisions on data collection and processing, including the purposes of processing, the means of processing personal data, and the categories of data processed.

Processors. These are the entities that process personal data on behalf of the business. For example, if your website processes personal information through Google Tag Manager, then Google is your processor.

Consumers. These are the persons whose data is being processed, also known as data subjects under other laws.

ICDPA Duties for Businesses

There are two types of businesses under the Iowa privacy law: controllers and processors. Each has its own set of duties.

Controller duties include:

  • Only processing personal data for the specific purposes for which it was collected. This means that data should not be used in a way that is not explicitly stated or understood at the time of collection, ensuring transparency and trust with consumers.
  • Limiting data processing to the minimum necessary amount for the intended purpose. This approach minimizes the risk of data breaches and protects consumer privacy by avoiding excessive collection or storage of data.
  • Ensuring personal data is processed only when consumers are aware of their opt-out rights. It's crucial to inform consumers about their rights to opt out of the sale of data, ensure compliance with privacy regulations, and respect consumer choices.
  • Issuing privacy notices to consumers. These notices should clearly articulate how and why personal data is being used, providing consumers with essential information about their data rights and the company's data practices.
  • Promptly honoring valid consumer requests. This includes requests for data access, correction, deletion, or portability, demonstrating a commitment to consumer rights and regulatory compliance.
  • Establishing a contractual agreement with every data processor. Such agreements should outline the responsibilities and expectations for both parties, ensuring that data processors handle data in a manner that is compliant with privacy laws and company policies.
  • Adopting technical and organizational safeguards for the security and confidentiality of data. Implementing robust security measures protects against data breaches and unauthorized access, maintaining the integrity and confidentiality of personal data.
  • Securing explicit consent before processing any sensitive data. This involves obtaining clear, informed consent from individuals before handling sensitive information like health records, financial data, or other personal details, ensuring ethical and lawful processing.

Unlike under other state privacy laws, ICDPA-covered controllers are not obliged to respond to universal opt-out mechanisms (such as Global Privacy Control signals).

Processor duties include:

  • Processing data exclusively for the controller, based on a formal written agreement. This ensures that the processor acts under the direct authority and instructions of the controller, maintaining a clear and legally binding understanding of their role and responsibilities.
  • Assisting the controller in managing responses to data requests. This involves providing the necessary support to handle and fulfill consumer inquiries and requests related to their personal data promptly and efficiently, thereby upholding consumer rights and regulatory obligations.
  • Ensuring data security and protection. Implementing robust security measures to safeguard data against unauthorized access, disclosure, alteration, and destruction is crucial to maintaining the integrity and confidentiality of personal data and building trust with consumers.

ICDPA Rights for Consumers

for instance, adopts a more intricate approach. The rights afforded to consumers under the ICDPA are comprehensive and include:

  • Right to confirm processing. Consumers have the authority to inquire if their personal data is being processed, allowing them to stay informed about the use of their information, including with whom their data is shared.
  • Right to access. This right enables consumers to view the data that a business holds about them, ensuring transparency in data handling.
  • Right to portability. Consumers can request a transfer of their data from one service provider to another, promoting flexibility and freedom in their choices.
  • Right to correction. Consumers may request that their inaccurate data be corrected.
  • Right to deletion. This empowers consumers to request the removal of their personal data from a company's records, offering control over their digital footprint.
  • Right to opt out of the sale of data. Consumers can prohibit businesses from selling their personal information, safeguarding their privacy and giving them a say in how their data is utilized.

These rights are exercised through ICDPA consumer requests. By submitting these requests, consumers hold businesses accountable and maintain control over their personal data.

When a consumer submits a request, the business must respond within a 90-day timeframe. Not responding on time may lead to ICDPA penalties.

ICDPA v. Other US State Consumer Privacy Laws

The ICDPA is very similar to other US state privacy laws. Its counterparts include the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, the California Consumer Privacy Act, and the California Privacy Rights Act, as well as the data protection laws of Colorado, Texas, Connecticut, Indiana, and other US states that have passed comprehensive data privacy legislation.

It promotes the opt-out principle as opposed to the EU's General Data Protection Regulation, which promotes the opt-in principle. Unlike the EU law, Iowa's privacy law allows data processing until the consumer opts out of the processing or sale of data.
