And now it’s got one more notable achievement under its belt buckle.
In 2023, Iowa became one of several states to enact legislation to protect consumer data privacy rights.
The ICDPA has many similarities to the Utah Consumer Privacy Act (UCPA), although ICDPA is considered more business-friendly due to its less stringent requirements and its lenient “cure” periods to resolve violations.
But regardless of how “business-friendly” the law may appear, companies will still have to take steps to ensure compliance.
Learn more about each state’s regulations with RCA’s state privacy law map.
Does the Law Apply to You?
How to Prepare for the ICDPA
When Does the ICDPA NOT Apply?
Like many of the recently enacted state privacy laws, Iowa expands the definition of sensitive data to include the usual elements, such as:
Iowa also includes:
Concerning sensitive data, Iowa takes a narrower approach to the rights individuals have.
ICDPA requires only that businesses provide an opt-out opportunity in the context of processing of sensitive data.
Iowa follows the lead of Utah and Virginia in defining ‘sale’ narrowly to include only exchange for money or monetary consideration.
Individual Rights Under the ICDPA
The individual rights created under ICDPA align with those provided under other state laws.
If ICDPA applies to your business, you must allow consumers to:
Iowa provides the most generous timeframe we have seen among the states thus far for responding to Individual Rights Requests; responses must be provided within 90 days of receipt of request unless the business has been unable to authenticate a request, with a permissible 45-day extension in limited circumstances.
Responses must be provided free of charge at least twice a year. If the business declines to take a requested action, the consumer must be notified in writing, along with instructions for appeal.
As we have seen with other recent state privacy laws, including Montana, the appeal process must be conspicuously available to the consumer and similar to the process for submitting requests. Businesses must respond to appeals within 60 days of receipt and, if denying an appeal, must provide an online mechanism, if available, or another method for contacting the Iowa State Attorney General to submit a complaint.
Pseudonymous Data
Like Virginia, Montana, and other recent state laws, a business does not need to include pseudonymous data in its response to Individual Rights Requests.
Under the ICDPA, ‘pseudonymous data’ is defined as “personal data that cannot be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.”
One of the most common uses of pseudonymous data is in the clinical trial context, where each trial participant is assigned a unique, random ID.
Only the physician and other medical staff know the actual identity of the participants; other entities participating in the research (including the sponsor/manufacturing company, labs, and other supporting entities) have only the participant ID connected to the study data.
This approach can be adopted by other types of organizations, especially those that already assign identifiers through, for example:
Unlike many of the recent state privacy laws, Iowa does not include a requirement to conduct Data Protection or Privacy Impact Assessments.
Vendor Contracts
ICDPA requires that a contract be in place that dictates what vendors must do with respect to processing personal data. Contracts must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.” In addition, the contract must require that the processor:
The ICDPA does not require that vendors provide or make themselves available for audits.
Like the most recent state laws, including Colorado, Connecticut, and Montana, the ICDPA specifies that it should not be construed to restrict a business’s collection, use, or retention of personal data for:
Like almost all state privacy laws, including Utah, Virginia, Colorado, Connecticut, and Montana, the Attorney General in Iowa has the sole enforcement authority.
RCA’s top priority is delivering actionable, business-friendly privacy strategies to help you achieve ICDPA compliance and establish yourself as a consumer-friendly privacy leader.
