The data protection law of Iowa, the Iowa Consumer Data Protection Act (ICDPA) or Senate File 262, aims to regulate the processing of the personal data of its residents. It confers rights to consumers, obligates businesses, and prescribes penalties for violation.
Effective date: January 1, 2025
Official legal text: Senate File 262
What is the Iowa Consumer Data Protection Act?
ICDPA, the sixth comprehensive state privacy law in the US, was signed into law on March 28, 2023. The law lays down consumer rights, obligations of businesses, privacy notice requirements, and other related provisions. Although it resembles other US state privacy laws, it has notable differences, including longer response and cure periods.
Personal data in several sensitive categories is not treated as sensitive when it is used only as necessary to prevent discrimination against a protected class. Another significant distinction is that businesses must offer an opt-out before processing sensitive data, rather than obtain opt-in consent as most other state laws require.
There is no right to correct under ICDPA, and the law does not mention profiling or data protection assessments, both of which are common in other US state privacy laws.
The Iowa Attorney General is responsible for enforcing the act, with fines imposed for each violation.
If your business targets residents of Iowa, this article walks through the requirements of ICDPA.
Who does the Iowa Consumer Data Protection Act (ICDPA) apply to?
The law applies to for-profit businesses, whether located in Iowa or elsewhere, that conduct business in the state or offer products or services targeted to its residents and that satisfy either of the following criteria in a calendar year:
- Controls or processes the personal data of 100,000 or more consumers.
- Controls or processes the personal data of at least 25,000 consumers and derives more than 50% of its gross revenue from the sale of personal data.
Who is exempted under the Iowa Consumer Data Protection Act (ICDPA)?
ICDPA does not apply to the following entities:
- State or other political subdivisions
- Financial institutions subject to the Gramm-Leach-Bliley Act
- Entities subject to HIPAA
- Entities covered by the Health Information Technology for Economic and Clinical Health (HITECH) Act
- Non-profit organizations
- Institutions of higher education
Certain data is also exempt from the act, such as protected health information covered under HIPAA, personal data covered under the Driver's Privacy Protection Act, and credit-related information subject to the Fair Credit Reporting Act.
What is personal data under the Iowa Consumer Data Protection Act (ICDPA)?
Any information that can be used to identify a specific individual, such as your contact information, is personal data.
ICDPA defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person”.
Publicly available information, aggregated data, and de-identified data are not personal data under the act.
What is publicly available information under ICDPA?
The following information constitutes publicly available information:
- Information published through government records.
- Information that the business reasonably believes was lawfully made available to the general public by the consumer or by a person to whom the consumer disclosed it, unless the consumer restricted it to a specific audience.
De-identified data: Data that cannot reasonably be linked to an identified or identifiable individual is de-identified data. Here, the direct or indirect identifiers that could link the data to an individual have been removed or were never included.
Aggregate data: Information that relates to a group of individuals and not to an individual is called aggregate data. For example, “10,000 residents of Iowa visited the XYZ website on Monday” is aggregate data. Here the data relates to a group of people and not to a specific person.
What is sensitive data under the Iowa Consumer Data Protection Act (ICDPA)?
Sensitive data encompasses a spectrum of personal data that can result in significant harm if compromised.
The following information of a consumer is considered sensitive data under ICDPA:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
(The above categories of personal data will not be treated as sensitive if they are used only as needed to prevent discrimination against a protected class.)
- Genetic or biometric data
- Personal data of a known child (under 13 years of age)
- Precise geolocation data
What are the obligations of businesses under the Iowa Consumer Data Protection Act (ICDPA)?
Let’s look at some of the obligations businesses have under the Act:
Implement security measures
Establish, implement, and maintain reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of personal data, including protection against unauthorized access.
The measures must be appropriate to the volume and nature of the personal data you maintain.
Data minimization and purpose limitation
Limit the collection of personal data to what is necessary for the purpose disclosed to the consumer, taking into account the nature and purpose of the processing.
Likewise, process personal data only as reasonably necessary for that specific purpose.
Handling sensitive data
If you process sensitive data of consumers, give them clear notice of the processing along with an opportunity to opt out. Unlike some US state privacy laws such as the Texas Data Privacy and Security Act (TDPSA), ICDPA does not require consent to process sensitive data.
Before processing the sensitive data of a known child (under 13 years of age), comply with COPPA and obtain verifiable parental consent.
Practice non-discrimination
Do not retaliate against consumers for exercising their rights. Denying goods or services, charging different prices or rates, or providing a lower level of quality because a consumer exercised a right is discrimination. You are not required to provide goods or services that depend on personal data you do not collect or maintain.
Businesses may still offer different prices, rates, quality levels, or selections of goods, including free products, when the difference is tied to the consumer's voluntary participation in a loyalty, rewards, premium, discount, or club card program, or when the consumer has opted out of processing that is required to provide the product.
Privacy notice
Provide a clear privacy notice to your consumers that includes the following details:
- Categories of personal data processed by your business.
- The purpose of processing the personal data.
- The process to exercise consumer rights and the process for appeal.
- Categories of personal data that may be shared with third parties.
- Categories of third parties with whom data may be shared.
The privacy notice should be meaningful, accessible, and easily understandable.
Disclosure
The law requires businesses to reveal to their consumers whether they sell their personal data or use it for targeted advertising. If your business does any of these, include the process to opt out of it in the disclosure.
Contractual relationship
Controllers such as your business rely on processors that handle personal data on their behalf, so data protection is a shared responsibility. Put a written contract in place with every data processor and any other party involved in the processing.
The contract should set out the rights and obligations of each party, the nature and purpose of the processing, the type of data involved, the duration of processing, and the processor's duty to keep the data confidential.
Response plan
A prompt, documented response process is the most visible signal to consumers of your data protection standards. Respond to consumer requests promptly and fulfil them without undue delay.
The law requires businesses to respond within 90 days, which can be extended by a further 45 days when reasonably necessary. If an extension is needed, inform the consumer within the initial 90 days. Responses must be provided free of charge up to twice a year per consumer.
The response period for appeals is 60 days. If an appeal is denied, the consumer must be given a way to submit a complaint to the attorney general.
Data breach notification
Although ICDPA itself does not mention breach notification, businesses must report breaches under Iowa's Personal Information Security Breach Protection law (Iowa Code chapter 715C). A breach that requires notification of more than 500 Iowa residents must also be reported in writing to the director of the Consumer Protection Division of the Attorney General's office within five business days after notice is given to consumers.
What are the rights of consumers under the Iowa Consumer Data Protection Act (ICDPA)?
Under ICDPA, consumers have the following rights:
Right to confirm
Consumers have the right to confirm if businesses are processing their personal data.
Right to access
Consumers can access their personal data that is being processed by the business.
Right to delete
Consumers can request that a business delete the personal data the consumer provided to it. This is narrower than many other US state privacy laws, under which consumers can request deletion of their personal data regardless of its source.
Right to portability
Consumers can obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format, where the processing is carried out by automated means.
The right is limited to:
- Data that the consumer previously provided to the business.
- Personal data that does not fall within the definition of "personal information" under Iowa's breach notification law (chapter 715C), such as Social Security numbers or financial account numbers.
Right to opt-out
The law expressly confers a right to opt out of the sale of personal data. It does not list a right to opt out of targeted advertising among the consumer rights, but the disclosure provision requires a business that engages in targeted advertising to disclose that activity and the manner in which a consumer may opt out of it, so in practice businesses still have to offer the opt-out. Businesses that use cookies to collect personal data for targeted advertising must therefore tell consumers about the practice and give them a way to opt out of that processing.
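One way to honor such a cookie-based opt-out in the browser, as an added example that is not code from the original page or from any vendor: ad tags are shipped as inert `script type="text/plain"` placeholders so the browser never fetches them on its own, and a small loader activates only the tags the stored preference allows. The cookie name, the `data-purpose` and `data-src` attribute convention, and the sample tag list are assumptions made for the example, not anything ICDPA prescribes.

```javascript
// Added example: gating targeted-advertising tags behind a stored opt-out.
// Cookie name, tag attributes and sample data are assumptions for the demo.

const OPT_OUT_COOKIE = "ia_targeted_ads_optout"; // assumed cookie name
const GATED_PURPOSES = new Set(["targeted-advertising", "sale"]);

// Parse a document.cookie / Cookie header string into a name -> value map.
// Malformed percent-encoding is kept verbatim instead of throwing.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    const raw = part.slice(idx + 1).trim();
    try {
      jar[name] = decodeURIComponent(raw);
    } catch (e) {
      jar[name] = raw;
    }
  }
  return jar;
}

// ICDPA is an opt-out model: no stored preference means processing may
// proceed, but an explicit opt-out must be respected on every page load.
function isOptedOut(cookieString) {
  return parseCookies(cookieString)[OPT_OUT_COOKIE] === "1";
}

// Set-Cookie value that records the opt-out for a year (or deletes it when
// the consumer opts back in). Secure and SameSite=Lax keep the preference
// from being read over plain HTTP or planted by cross-site requests.
function buildOptOutCookie(optedOut, maxAgeDays = 365) {
  const maxAge = optedOut ? maxAgeDays * 24 * 60 * 60 : 0; // Max-Age=0 deletes
  return `${OPT_OUT_COOKIE}=${optedOut ? "1" : "0"}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Decide which placeholder tags may be activated. `tags` is a list of
// { purpose, src } read from <script type="text/plain" data-purpose data-src>
// placeholders (assumed markup); essential tags always load, gated purposes
// load only when the consumer has not opted out.
function selectScriptsToLoad(tags, cookieString) {
  const optedOut = isOptedOut(cookieString);
  return tags
    .filter((t) => !(optedOut && GATED_PURPOSES.has(t.purpose)))
    .map((t) => t.src);
}

// Browser wiring: read the placeholders from the DOM and re-create only the
// allowed ones as real <script> elements. Skipped under Node.
function activateGatedScripts(doc) {
  const tags = Array.from(
    doc.querySelectorAll('script[type="text/plain"][data-purpose][data-src]')
  ).map((el) => ({
    purpose: el.getAttribute("data-purpose"),
    src: el.getAttribute("data-src"),
  }));
  const allowed = selectScriptsToLoad(tags, doc.cookie);
  for (const src of allowed) {
    const live = doc.createElement("script");
    live.src = src;
    live.async = true;
    doc.head.appendChild(live);
  }
  return allowed;
}

// Constructed sample input for the demo: one first-party tag and two vendor
// tags whose purposes fall under the opt-out.
const SAMPLE_TAGS = [
  { purpose: "essential", src: "https://example.com/app.js" },
  { purpose: "targeted-advertising", src: "https://ads.example.net/pixel.js" },
  { purpose: "sale", src: "https://broker.example.net/sync.js" },
];

if (typeof document !== "undefined") {
  activateGatedScripts(document);
} else {
  console.log("opted out:", selectScriptsToLoad(SAMPLE_TAGS, `${OPT_OUT_COOKIE}=1; sid=abc`));
  console.log("no preference:", selectScriptsToLoad(SAMPLE_TAGS, "sid=abc"));
}
```

The important design choice is that nothing runs before the decision is made: placeholders with `type="text/plain"` are ignored by the browser, so a vendor tag cannot fire a pixel during the race between page load and the consent script. A cookie-only preference is device-scoped, so for signed-in consumers the opt-out should also be stored server-side and applied to any data shared with ad partners from the back end.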
What is the penalty for violating the Iowa Consumer Data Protection Act (ICDPA)?
The Attorney General of Iowa has exclusive authority to enforce ICDPA. Non-compliance can result in significant penalties for each violation.
The law provides for civil penalties of up to $7,500 per violation. The attorney general may also seek an injunction to restrain further violations.
Before taking action, the attorney general must give the business written notice identifying the specific provisions violated. The business then has 90 days to cure the violation and provide the attorney general with a written statement that the violation has been cured and that no further violations will occur. If the violation is not cured within that period, the attorney general may initiate legal action.
The attorney general may also initiate legal action if the business breaches that written statement.
There is no private right of action under ICDPA.
Checklist for the Iowa Consumer Data Protection Act (ICDPA) compliance
- Practice data minimization and purpose limitation.
- Implement security safeguards.
- Provide a clear privacy notice.
- Provide required disclosures regarding the sale of personal data, targeted advertising, and processing of sensitive data.
- Provide opt-outs for processing sensitive data, sale of data, and targeted advertising.
- Have a contractual relationship with data processors.
- Have a prompt response plan.
- Do not retaliate against consumers for exercising their rights.
- Obtain verifiable parental consent before processing a known child's sensitive data, in line with COPPA.
CCPA vs ICDPA [Infographic]
FAQ on Iowa Consumer Data Protection Act
The Iowa Consumer Data Protection Act is the new comprehensive privacy law in Iowa. It confers rights on Iowa consumers, imposes obligations on businesses, and provides for civil penalties of up to $7,500 per violation.
ICDPA takes effect on January 1, 2025. Businesses must be compliant by that date.
Iowa does not give a constitutional right to privacy to its people. However, there are data privacy laws like ICDPA to protect the privacy of its residents.
Consumers do not have the right to correct their personal data under ICDPA.
Although ICDPA does not list a right to opt out of targeted advertising among the consumer rights, businesses that engage in targeted advertising must disclose how consumers can opt out of it, which in practice means they must offer that opt-out.
The Iowa Consumer Data Protection Act is an opt-out model privacy law. Therefore it does not obligate businesses to obtain consent to process personal information of consumers. However, businesses should obtain verifiable consent to process the sensitive personal information of a child (COPPA regulations).