Newly Enacted Iowa Consumer Data Protection Act (ICDPA)

Effective Date: January 1, 2025

Iowa has formally joined the ranks of US states adopting comprehensive data privacy legislation, with the Iowa Consumer Data Protection Act (ICDPA) set to take effect on January 1, 2025. This legislation aims to safeguard the personal data of over 3 million Iowa residents and align with privacy practices seen in other states such as Colorado, Virginia, Utah, and Connecticut.

This guide provides a breakdown of the ICDPA, covering its scope, key definitions, consumer rights, and business responsibilities.

Scope and Applicability

The ICDPA applies to entities that:

  1. Conduct business in Iowa or offer products or services targeted at Iowa residents; and
  2. During a calendar year, either:
  • Control or process the personal data of at least 100,000 consumers; or
  • Control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

Important Note: Unlike some state privacy laws (California, for example), the ICDPA has no stand-alone gross-revenue threshold; the only revenue test is the 50% share of revenue from data sales in the second prong above. The ICDPA also does not apply to non-profits, the state and its political subdivisions, institutions of higher education, or data already covered by specific federal laws (e.g., HIPAA).

Definition of Sensitive Data

Sensitive data under the ICDPA includes:

  1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
  2. Genetic or biometric data that is processed for the purpose of uniquely identifying an individual.
  3. Personal data collected from a known child (any individual younger than 13).
  4. Precise geolocation data.

Key Consumer Rights Under the ICDPA

Iowa residents have the following rights under the ICDPA:

  1. Access and Confirmation: Consumers can confirm whether a business is processing their personal data and access that data.
  2. Data Portability: Consumers can obtain a copy of their personal data in a portable and, to the extent technically practicable, readily usable format that enables data transfer to another controller.
  3. Deletion: Consumers can request the deletion of their personal data.
  4. Opt-Out Right: Consumers can opt out of the sale of their personal data.
  5. Non-Discrimination: Consumers must not be discriminated against for exercising their rights.

How Consumers Can Exercise Their Rights

Request Process:
Consumers must submit requests through the methods specified by the business in its privacy notice. Businesses cannot require consumers to create an account to submit a request; however, if a consumer has an existing account, businesses may ask them to use it for submissions.

Acting on Behalf of Others: A parent or legal guardian may exercise these rights on behalf of a child, and a guardian or conservator may do so on behalf of a consumer subject to a guardianship or conservatorship. The ICDPA does not otherwise provide for authorized agents submitting requests on an adult consumer's behalf.

Response Time:

  • Initial Response: Controllers must respond to consumer requests within 90 days of receipt (notably longer than the 45 days most other state laws allow).
  • Extension: One 45-day extension is allowed when reasonably necessary, provided the consumer is informed of the extension and the reason for it within the initial 90-day period.
  • Frequency: Consumers are entitled to obtain their personal data free of charge up to twice within any 12-month period; a controller may charge a reasonable fee for, or decline to act on, requests that are manifestly unfounded, excessive, or repetitive.

Appeal Process:
Businesses must have an appeal process similar to the request process, and responses to appeals must be provided within 60 days. If an appeal is denied, businesses must provide a mechanism (e.g., an online link) for consumers to contact the Iowa Attorney General’s office.

Business Responsibilities and Deadlines

Processing of Sensitive Data:
Businesses cannot process sensitive data without giving clear notice and allowing consumers to opt out. The processing of children’s data must align with the Children’s Online Privacy Protection Act (COPPA) and requires opt-in consent.

Privacy Notice Requirements:
Businesses must provide an accessible and comprehensive privacy notice that includes:

  1. Categories of personal data processed.
  2. Purposes for processing the data.
  3. Categories of personal data shared with third parties and relevant categories of those third parties.
  4. Methods for consumers to exercise their rights, including how to submit appeals.
  5. Clear disclosure of any sale of personal data or targeted advertising practices and how consumers can opt out.

Data Security:
Controllers must adopt reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data.

Contracts with Processors:
Businesses must enter into agreements with data processors that align with ICDPA compliance standards. This may involve updating existing data processing addendums to include references to the ICDPA.

Enforcement and Penalties

Enforcement:
The Attorney General has exclusive enforcement authority. Businesses have 90 days to cure any violations after receiving written notice.

Penalties:
Non-compliance can result in civil penalties of up to $7,500 per violation, payable to the consumer education and litigation fund.

Exemptions

The ICDPA exempts certain data and entities, such as:

  • Data already regulated by federal laws (e.g., protected health information under HIPAA).
  • State and municipal entities.
  • Financial institutions subject to the Gramm-Leach-Bliley Act.
  • Non-profit organizations.
  • Higher education institutions.

The Iowa Consumer Data Protection Act is a further step in state-led data privacy regulation, giving consumers defined rights over their personal data and requiring covered businesses to document and secure their processing.

To be ready for compliance, covered entities should update their privacy notices, processor contracts, and consumer request and appeal procedures well ahead of the January 1, 2025 effective date.
