Iowa Consumer Data Protection Act (ICDPA)

Iowa Consumer Data Protection Act (ICDPA) compliance. Effective January 1, 2025. Covers consumer rights (access, delete, opt-out), controller thresholds at 100,000 consumers, sensitive data opt-in consent, 90-day cure period, and AG-only enforcement. Iowa Code Chapter 715D.

ID: us.data-protection.iowa-consumer-privacy Version: 0.1.0 License: Apache-2.0 Author: mukul975 Language: en Added: 2026-06-01

Overview

The Iowa Consumer Data Protection Act (ICDPA), codified as Iowa Code Chapter 715D (SF 262), was signed into law on March 28, 2023, and became effective January 1, 2025. Iowa follows a business-friendly model with fewer consumer rights than most states (no right to correct or right to portability), a 90-day cure period (the longest among state privacy laws), and AG-only enforcement. The ICDPA is considered one of the least restrictive comprehensive state privacy laws.

Applicability (§715D.2)

The ICDPA applies to persons that conduct business in Iowa or produce products or services targeted to Iowa consumers AND during a calendar year:

  1. Control or process personal data of at least 100,000 Iowa consumers; OR
  2. Control or process personal data of at least 25,000 Iowa consumers AND derive more than 50% of gross revenue from the sale of personal data.

Exemptions (§715D.3):

  • State and local government entities
  • GLBA-covered financial institutions (entity-level)
  • HIPAA covered entities and business associates (entity-level)
  • Nonprofit organizations
  • Institutions of higher education
  • Data governed by GLBA, HIPAA, FERPA, FCRA, DPPA, COPPA, Farm Credit Act

Liberty Commerce Inc. Assessment: Liberty Commerce Inc. processes personal data of approximately 52,000 Iowa consumers. It does not meet either threshold but maintains monitoring as part of its multi-state privacy compliance program.

Consumer Rights (§715D.4)

Three Consumer Rights

Iowa provides fewer rights than most comprehensive state privacy laws:

  1. Right to Access (§715D.4(1)(a)): Confirm whether controller is processing personal data and access that data
  2. Right to Delete (§715D.4(1)(b)): Delete personal data provided by or obtained about the consumer
  3. Right to Opt Out (§715D.4(1)(c)):
    • Sale of personal data
    • Targeted advertising

Notable omissions:

  • No right to correct inaccuracies
  • No right to data portability
  • No right to opt out of profiling

Response Requirements (§715D.5)

  • Respond within 90 days (longest response window among state privacy laws)
  • No extension provision — the 90-day period is the full window
  • At least one free response per 12 months
  • Appeal: controller must establish an internal appeals process and respond within 60 days
  • If appeal denied: inform consumer of right to contact the AG

Sensitive Data (§715D.1(24))

Categories

  1. Racial or ethnic origin
  2. Religious beliefs
  3. Mental or physical health diagnosis
  4. Sexual orientation
  5. Citizenship or immigration status
  6. Genetic data
  7. Biometric data for identification
  8. Personal data of a known child
  9. Precise geolocation data

Consent Requirement

Processing sensitive data requires opt-in consent before processing. Iowa follows the Virginia model requiring clear affirmative consent.

Controller Obligations (§715D.4)

  1. Purpose limitation: Processing limited to what is adequate, relevant, and reasonably necessary
  2. Data minimization: Collection limited to what is adequate, relevant, and reasonably necessary for disclosed purposes
  3. Data security: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices
  4. Non-discrimination: Shall not process personal data in violation of state and federal antidiscrimination laws
  5. Sensitive data consent: Opt-in consent required before processing
  6. Privacy notice: Clear and reasonably accessible privacy notice

Privacy Notice Requirements (§715D.4(6))

  • Categories of personal data processed
  • Purpose for processing personal data
  • How consumers may exercise their rights
  • Categories of personal data shared with third parties
  • Categories of third parties with whom data is shared

Data Protection Assessments

Iowa does NOT require data protection assessments (DPIAs). This is a notable omission compared to most comprehensive state privacy laws. However, organizations subject to multiple state laws should conduct DPIAs as required by other applicable jurisdictions.

Processor Requirements (§715D.5)

Processing must be governed by a contract that includes:

  • Instructions for processing
  • Nature, purpose, and duration of processing
  • Type of personal data and categories of consumers
  • Rights and obligations of both parties
  • Confidentiality requirements
  • Return or deletion of data upon termination
  • Cooperation with assessments
  • Sub-processor requirements

Enforcement (§715D.6)

Attorney General Authority

  • Exclusive enforcement — no private right of action
  • AG investigates and brings actions under Iowa Consumer Fraud Act (Iowa Code Chapter 714H)

90-Day Cure Period (§715D.6(2))

  • AG must provide written notice of alleged violation
  • Controller has 90 days to cure the violation
  • If cured and express written statement provided: AG may not bring action
  • No sunset provision — the 90-day cure period is permanent
  • This is the longest cure period among state privacy laws

Penalties

  • Civil penalties up to $7,500 per violation
  • Injunctive relief
  • Costs and attorney fees

Comparison: Iowa vs. Other State Privacy Laws

| Feature | Iowa ICDPA | Virginia VCDPA | Connecticut CTDPA | Colorado CPA |
|---|---|---|---|---|
| Effective | Jan 1, 2025 | Jan 1, 2023 | Jul 1, 2023 | Jul 1, 2023 |
| Consumer threshold | 100,000 | 100,000 | 100,000 | 100,000 |
| Right to correct | No | Yes | Yes | Yes |
| Right to portability | No | Yes | Yes | Yes |
| Opt-out of profiling | No | Yes | Yes | Yes |
| DPIA required | No | Yes | Yes | Yes |
| Universal opt-out | No | No | Yes | Yes |
| Response window | 90 days | 45 days | 45 days | 45 days |
| Cure period | 90 days | 30 days | 60 days | 60 days |
| Enforcement | AG only | AG only | AG only | AG only |

Implementation Timeline

| Milestone | Date | Action |
|---|---|---|
| Law enacted | March 28, 2023 | SF 262 signed by Governor |
| Compliance planning | April 2023 - June 2024 | Gap analysis, privacy notice updates |
| Technical implementation | July - November 2024 | Consumer rights portal, opt-out mechanisms |
| Staff training | November - December 2024 | Privacy team and customer service training |
| Effective date | January 1, 2025 | Full compliance required |

Key Regulatory References

  • Iowa Code Chapter 715D (ICDPA)
  • Iowa Code Chapter 714H (Iowa Consumer Fraud Act — enforcement)
  • Iowa AG Consumer Protection Division guidance
