Effective Date: January 1, 2025
Iowa has formally joined the ranks of US states adopting comprehensive data privacy legislation, with the Iowa Consumer Data Protection Act (ICDPA) set to take effect on January 1, 2025. This legislation aims to safeguard the personal data of over 3 million Iowa residents and align with privacy practices seen in other states such as Colorado, Virginia, Utah, and Connecticut.
This guide provides a breakdown of the ICDPA, covering its scope, key definitions, consumer rights, and business responsibilities.
The ICDPA applies to entities that:
Important Note: Unlike some state privacy laws, the ICDPA has no revenue threshold for applicability. The ICDPA does not apply to non-profits, certain state entities, higher education institutions, or data covered under specific federal laws (e.g., HIPAA).
Sensitive data under the ICDPA includes:
Iowa residents have the following rights under the ICDPA:
Request Process:
Consumers must submit requests through the methods specified by the business in its privacy notice. Businesses cannot require consumers to create an account to submit a request; however, if a consumer has an existing account, businesses may ask them to use it for submissions.
Authorized Agents: Parents and legal guardians can submit requests on behalf of children or other individuals.
Appeal Process:
Businesses must have an appeal process similar to the request process, and responses to appeals must be provided within 60 days. If an appeal is denied, businesses must provide a mechanism (e.g., an online link) for consumers to contact the Iowa Attorney General’s office.
Processing of Sensitive Data:
Businesses cannot process sensitive data without giving clear notice and allowing consumers to opt out. The processing of children’s data must align with the Children’s Online Privacy Protection Act (COPPA) and requires opt-in consent.
Privacy Notice Requirements:
Businesses must provide an accessible and comprehensive privacy notice that includes:
Data Security:
Controllers must adopt reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data.
Contracts with Processors:
Businesses must enter into agreements with data processors that align with ICDPA compliance standards. This may involve updating existing data processing addendums to include references to the ICDPA.
Enforcement:
The Attorney General has exclusive enforcement authority. Businesses have 90 days to cure any violations after receiving written notice.
Penalties:
Non-compliance can result in civil penalties of up to $7,500 per violation, payable to the consumer education and litigation fund.
The ICDPA exempts certain data and entities, such as:
The Iowa Consumer Data Protection Act marks a significant step in state-led data privacy initiatives, providing consumers with enhanced rights and requiring businesses to adopt rigorous privacy practices.
To ensure compliance, entities must update their privacy policies, data processing agreements, and consumer response procedures well ahead of the January 1, 2025, enforcement date.