Iowa Governor Kim Reynolds signed Senate File 262 on March 28, 2023, making Iowa the sixth state with a comprehensive consumer data privacy law. The Iowa Consumer Data Protection Act (ICDPA) takes effect January 1, 2025.
Applicability
The ICDPA applies to persons conducting business in Iowa, or producing products or services targeted to Iowa consumers, that during a calendar year:
- Control or process personal data of at least 100,000 Iowa consumers; or
- Control or process personal data of at least 25,000 Iowa consumers and derive more than 50% of gross revenue from the sale of personal data
Exemptions: The ICDPA exempts financial institutions subject to the Gramm-Leach-Bliley Act, nonprofits, institutions of higher education, HIPAA-covered entities and business associates, and data processed solely for completing a payment transaction. Business-to-business and employee data are also outside the law’s scope, because the statute defines a “consumer” as a natural person acting only in an individual or household context, not in a commercial or employment context.
Consumer Rights
Iowa consumers have the following rights:
| Right | Description |
|---|---|
| Access | Right to confirm whether a controller is processing their personal data and to access that data |
| Deletion | Right to delete personal data that the consumer provided to the controller (narrower than the Virginia-style right, which also reaches data obtained about the consumer) |
| Portability | Right to obtain a portable copy of their personal data |
| Opt-Out of Sale | Right to opt out of the sale of personal data |
Note: Iowa’s law does not include a right to correct inaccurate personal data, a right present in most other state comprehensive privacy laws.
Response Timeline: Controllers must respond to data subject requests within 90 days (with a possible 45-day extension) and provide an appeals process. Consumers may file complaints with the AG after exhausting the controller’s appeals process.
Sensitive Data
Controllers must provide notice and an opportunity to opt out before processing sensitive personal data (not opt-in consent, unlike some other state laws). Sensitive data includes:
- Data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
- Genetic data
- Biometric data processed for unique identification
- Precise geolocation data
- Personal data collected from a known child, which must be processed in accordance with COPPA
Security Requirements
Controllers must implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, appropriate to the volume and nature of the personal data at issue. The statute does not prescribe specific controls; what is “reasonable” is judged against the sensitivity and scale of the data held.
Processor Obligations
Data processors must:
- Assist controllers in responding to data subject requests
- Provide breach notification assistance
- Enter into subcontractor agreements consistent with the data processing agreement
- Maintain data processing agreements with controllers that include required provisions
Enforcement
The Iowa AG has exclusive enforcement authority. There is a 90-day cure period before the AG may bring an action. Civil penalties may reach up to $7,500 per violation with no cap on total civil penalties.
Iowa does not have a private right of action under this law.
Takeaways
Iowa’s privacy law is notable for its simplicity and relatively limited consumer rights compared to states like California, Colorado, and Virginia. Organizations subject to the ICDPA that have already built compliance programs for other state privacy laws will generally find that those programs cover most of Iowa’s requirements. The most notable difference is the absence of a right to correct inaccurate personal data. Organizations should decide deliberately whether to extend their existing correction workflow to Iowa consumers as a matter of policy or to scope it out, and should confirm that their DSR intake and response timelines (90 days, plus a possible 45-day extension) are configured for Iowa’s longer deadlines rather than the shorter ones used in other states.
Need privacy guidance?
Fey LLC helps organizations navigate complex data privacy and cybersecurity challenges.