Iowa’s Consumer Data Protection Act

The Iowa Consumer Data Protection Act (ICDPA) unanimously passed the state legislature and was, signed into law on March 28, 2023, with an effective date of January 1, 2025. The law is considered very business friendly, with a 90-day right to cure period that doesn’t sunset, a 90-day allowance for responding to privacy rights requests, and an opt-out right that only includes sale, among other business-friendly provisions.

Book a Free Consultation

What You Need to Know About Iowa’s Privacy Law

To Whom Does ICDPA Apply?

The ICDPA applies to for-profit entities that:

  1. Conduct business in or provide commercial products or services that are targeted to residents of Iowa (Consumers), and 
  2. Annually controls or processes the personal information of either:
    1. 100,000 unique residents; or
    2. 25,000 unique residents and derives over 50% of gross revenue from sale of personal information.
Where Does Iowa’s Law NOT Apply?

Exempt Entities: Exempt entities include:

  • Non-profits;
  • State government entities;
  • Higher education Institutions;
  • HIPAA-covered entities and business associates; and
  • GLBA-covered entities.

Exempt Data: ICDPA exempts a long list of personal information, including but not limited to:

  • Protected Health Information (PHI) under HIPAA;
  • Data covered by the Gramm-Leach-Bliley Act;
  • Various federally and internationally protected health and patient information, including that protected by the Common Rule, human subject data, and more;
  • Various forms of credit data regulated by the Fair Credit Reporting Act; and
  • Data covered by a wide variety of other federal laws including Family Educational Rights, Farm Credit Act, and Privacy Act, and Driver’s Privacy Protection Act.

Exempt Use Cases: The ICDPA is not applicable in some circumstances, such as:

  • Processing PI in an employment or commercial (B2B) context;

In addition, the ICDPA specifies that its law should not be construed to restrict a business’s collection, use, or retention of PI for:

  • Conducting internal research for development, improvement, and repair of products, services, and technology (R&D);
  • Product recalls;
  • Identifying and repairing technical errors that impair existing or intended functionality; and
  • Performing internal operations.

Key Components of the ICDPA

What Constitutes PI under the ICDPA?

The ICDPA covers “personal data,” also called personal information or PI, which Iowa defines as: “any information that is linked or reasonably linkable to an identified or identifiable individual.” The definition exempts de-identified information and information made publicly available by government records, the media, or the consumer.

What Constitutes Sensitive PI?

Iowa’s definition of sensitive PI includes the following, except to the extent such data is used in order to avoid discrimination on the bases of a protected class that would violate a federal or state anti-discrimination law:

  • Racial or ethnic origin;
  • Religious beliefs;
  • Mental or physical health diagnosis;
  • Sexual orientation;
  • Citizenship or immigration status.

It then also includes:

  • Genetic or biometric data processed for identification purposes;
  • PI collected from a known child; and
  • Precise geolocation data.
Any Other Categories of Data I Should Think About?

Where a controller processes de-identified data, Iowa requires it to take reasonable measures to ensure the data cannot be associated with an individual. Notably, Iowa does not require what most other state’s do for de-identified data, that controllers publicly commit to maintaining such data without an attempt to re-identify it. The obligations on sharing it with processors are also somewhat watered down, requiring controllers to monitor processors’ contractual obligations related to pseudonymous data but not explicitly requiring the controller to include prohibitions on re-identifying the information in such contracts.

Iowa also exempts pseudonymous data from all privacy rights requests where the controller can show it keeps information that would allow the data to be re-identified separate and subject to technical and organizational controls that prevent its use for re-identification.

Is Consent Needed to Process Sensitive PI?

In a word: NO!

However, controllers must present consumers with clear notice and opportunity to opt-out of the processing of their sensitive PI prior to processing it.

Is Consent Needed for Any Other Processing?

Parental consent is required to process PI about a known child (under 13). COPPA verifiable parental consent is sufficient, but not required.

What Needs to Be Included in the Privacy Notice?

A privacy notice must include:

  • The categories of PI processed;
  • The purpose for processing PI;
  • The categories of third parties with which PI is shared;
  • The categories of PI that are shared with third parties;
  • The methods for a consumer to exercise their rights (see below) and appeal a decision on their rights request; and
  • Description of targeted advertising and selling activities including a procedure for opting out of the processing for these purposes.
What Constitutes “Sale” of PI?

Iowa uses the more limited definition of ‘sale’ as the exchange for monetary consideration.

There are limits on the definition of “sale” to ensure that certain business functions are not unintentionally impeded by this law. Examples of activities deemed not to be a sale include: the disclosure of PI to provide a product or service requested by the consumer, the disclosure of PI to an affiliate, disclosure of PI intentionally made public, and the disclosure of PI as part of a merger or bankruptcy.

How Will Iowa’s Law Be Enforced?

The Iowa attorney general (AG) has sole enforcement authority. Under the Iowa law the AG may bring an enforcement action after providing a 90-day notice (the longest on record) and an opportunity for the business to cure the alleged violation(s). This cure period does not sunset. Actions can be brought that seek injunctive relief (the company must stop certain behaviors) and/or civil penalties, with fines up to $7,500 plus attorney’s fees, investigative costs, and any other relief the court determines appropriate.

Privacy Rights

 

The privacy rights created under Iowa’s consumer privacy law generally align with those provided under other state laws. If the Iowa law applies to your business, consumers have the following rights:

  • Right to know whether a business is processing their PI;
  • Right to access their PI;
  • Right to delete PI collected from them;
  • Right to obtain a copy of PI provided by them (data portability); and
  • Right to opt out of the sale of PI.

Iowa provides a generous timeframe for businesses to respond to privacy rights requests; responses must be provided within 90 days of receipt unless the business has been unable to authenticate a request, with a permissible 45-day extension in limited circumstances. Responses must be provided free of charge twice a year.

Businesses may deny a rights request in certain circumstances, including inability to verify the identity of a requestor. When a business denies a request, the business must notify the consumer “without undue delay” (time period not defined) and provide the reason for the denial as well as instructions for how to appeal the decision.

The appeal process must be conspicuously available to the consumer and similar to the process for submitting requests. Businesses must respond to appeals within 60 days of receipt and, if denying an appeal, must provide the consumer with an online method to file a complaint with the Attorney General.

 

Universal Opt Out

 

The ICDPA does not require controllers to recognize universal opt-out signals. Universal opt-out, or global privacy control, is a technical standard that enables users to automatically communicate their privacy preferences, such as opting out of the sale of their personal information, to websites through their web browser or other technologies.

Privacy Impact Assessments

 

Iowa has no requirement for privacy or data protection assessments.

 

Vendor Contracts

 

Iowa requires a contract that dictates how vendors (also called service providers or processors) may process PI. Contracts must have instructions for processing data, the nature and purpose of processing, the type of data that is subject to processing, the duration of processing and specify the rights and obligations of both parties. In addition, the contract must require that the processor:

  • Ensure that each person who processes PI is subject to a duty of confidentiality;
  • Delete or return all PI at the controller’s direction or when it has completed the services, unless retention of the PI is required by law;
  • Make available all information necessary to demonstrate the processor’s compliance with its obligations;
  • Provide the opportunity for the controller to object to any sub-processors;
  • And pass along the same obligations to any subcontractors in a written contract.

The ICDPA does not require that vendors provide or make themselves available for audits.

 

Data Minimization

 
Iowa has no requirement for data minimization.

Data Privacy is Just Good Business

Managing privacy compliance with all these new state privacy laws popping up in the U.S., might seem like a daunting task. But just because the task appears daunting, it doesn’t mean that it’s impossible to handle.

You don’t have to go at it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate.

Book a Free Consultation