July 4, 2023

Iowa Consumer Data Protection Act

Learn about the Iowa Consumer Data Protection Act (ICDPA), a state law designed to protect consumer privacy. Discover its applicability, exemptions, personal data definitions, duties of controllers and processors, and consumer rights under the law.

Iowa is the sixth U.S. state to enact a consumer privacy law, and it did so as part of a wave of new state privacy laws emerging in early 2023.

What is the Iowa Consumer Data Protection Act (ICDPA)?

The Iowa Consumer Data Protection Act (ICDPA) is a state law designed to protect consumer privacy. It holds businesses accountable by mandating specific privacy requirements and by granting consumers a range of rights. In addition, the law prescribes penalties for non-compliance. The ICDPA was signed into law on March 28, 2023, and it is set to take effect on January 1, 2025, giving businesses ample time to prepare for its application.

Does the ICDPA apply to your business?

The ICDPA applies to businesses operating in Iowa or those targeting Iowa consumers that meet at least one of the following criteria:

  • They control or process the personal data of at least 100,000 consumers, or
  • They control or process the personal data of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data.

Are There Exemptions from the ICDPA?

Certain entities, even if they meet the criteria for applicability, are exempt from the ICDPA. These include:

  • Government agencies
  • Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
  • Covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA)
  • Nonprofit organizations
  • Higher education institutions

In addition to these organizational exemptions, the ICDPA does not apply to the following types of data:

  • Personal data that is already protected under existing federal laws such as HIPAA, the Children's Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), the Driver's Privacy Protection Act, and the Farm Credit Act.
  • Health records.
  • Data associated with human subjects research that is covered by federal law or other relevant standards.
  • Data that is processed or maintained for employment purposes.

What is Personal Data Under the ICDPA?

Under the ICDPA, personal data refers to any information that could identify an individual. This can include elements like personal names, email addresses, phone numbers, as well as details about browsing and purchase behavior, among others. However, the law specifies that de-identified or aggregated data, which cannot be linked back to an individual, does not qualify as personal data.

What is Sensitive Personal Data Under the ICDPA?

The ICDPA distinguishes between personal data and sensitive personal data, providing enhanced protection for the latter. Sensitive personal data includes any of the following:

  • Personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health diagnoses, or citizenship or immigration status.
  • Genetic or biometric data that is processed with the intent to uniquely identify an individual.
  • Personal data collected from a known child.
  • Precise geolocation data.

What are ICDPA Controllers and Processors and What are Their Duties?

Controllers are companies that make decisions regarding data collection, processing, use, storage, etc. Processors are companies that handle these tasks on behalf of the controllers.

For example, if you run an ecommerce store, you are the data controller, while the third-party tools you use to process personal data (such as tools for email communication, targeted ad delivery on social media, or website usage tracking) are your data processors.

If you run a SaaS business, you can act as a controller when you use data for your own business and as a processor for businesses using your SaaS.

Controller duties include:

  • Processing personal data only for the purposes for which it has been collected.
  • Processing personal data only after informing the consumer of their right to opt out of that processing.
  • Processing only the minimum amount of data required for the processing purpose.
  • Implementing technical and organizational measures for data security and confidentiality.
  • Obtaining explicit consent for processing sensitive data.
  • Providing consumers with privacy notices.
  • Responding to valid consumer requests.
  • Entering into a contract with each processor.

Processor duties include:

  • Processing data on behalf of the controller only based on a written contract.
  • Assisting the controller in responding to data requests.
  • Ensuring the security of data.

What Is a Data Processing Agreement, and Why Do We Need It?

A Data Processing Agreement is the contract between the controller and the processor and is obligatory for personal data processing. It must include the following at minimum:

  • Instructions for processing.
  • Duration of processing.
  • The nature and purpose of processing.
  • Types of data subjects involved.
  • Rights and duties of both parties, particularly regarding:
    - Data confidentiality
    - Deletion and return of data
    - Hiring subcontractors, and
    - Proving compliance

What is an ICDPA-Compliant Privacy Notice?

To ensure compliance with the ICDPA and other relevant laws, it is crucial to inform your users about how you handle their personal data. This information should be provided in your privacy notice, also known as a privacy policy.

According to the ICDPA, your privacy policy should include:

  • The categories of personal data processed by the controller (may include sensitive data, if applicable).
  • The purposes for which personal data is processed.
  • Guidance on how consumers can exercise their consumer rights, including the process for appealing a controller's decision regarding a consumer's request, as well as a description of the methods available for submitting requests.
  • If applicable, the categories of personal data shared with third parties.
  • If applicable, the categories of third parties with whom personal data is shared.

Do I Need to Obtain Consent from Consumers for Data Processing?

You don’t generally need to obtain consumers’ consent to comply with the ICDPA, with the exception of processing children’s data. For that, you can obtain consent using the methods described in COPPA, which involve obtaining parental consent before processing a known child’s data.

For collecting and processing sensitive data, you need to inform the consumer at the point of collection and offer them the opportunity to opt out. In all other cases, you don’t need consent. You are free to process personal data until the consumer opts out of the processing or requests deletion of their data.

Do We Need to Respect Universal Opt-Out Mechanisms?

The ICDPA does not require businesses to respond to universal opt-out mechanisms such as Global Privacy Control (GPC). You can choose to honor GPC signals at your own discretion, or you can require consumers to submit opt-out requests in other ways.

What are ICDPA Personal Data Rights and Requests?

Consumer rights under the ICDPA align with those found in other states' privacy laws (Texas takes a more detailed approach). Consumers have the following rights:

  • Right to confirm processing.
  • Right to access.
  • Right to portability.
  • Right to deletion.
  • Right to opt out of the sale of data.

Consumers exercise these rights by submitting ICDPA requests, which hold you accountable and let them maintain control over their data. They can submit a request at any time, and you must respond within 90 days.

Who Enforces the ICDPA and How Much Are the Fines?

The Iowa Attorney General enforces the ICDPA. If they believe that you have violated the law or are about to, they can issue an investigative demand, potentially leading to penalties.

If you violate the ICDPA, you will be granted a 90-day cure period to amend your practices and rectify the violations. Failure to do so may result in civil penalties of up to $7,500 per violation.

Keep in mind that each consumer whose rights are violated counts as a separate violation. If the rights of 100 consumers are violated, this amounts to 100 violations, potentially leading to a penalty of up to $750,000. Fines can accumulate rapidly.
