Iowa Consumer Data Protection Act (Part 1): Consumer Rights

by John DiGiacomo

Partner

Internet Law

Exercising Your Rights Under the Iowa CDPA

Iowa’s Consumer Data Protection Act, Iowa Code § 715D.1 et seq. (effective January 1, 2025), grants Iowa residents five core rights with respect to personal data collected by covered businesses. Unlike California’s CCPA, the Iowa law does not require businesses to respond to requests to opt out of automated decision-making, and there is no right to data portability in a machine-readable format beyond what the business already provides. These limitations make Iowa’s law one of the weaker state privacy statutes, but understanding your rights is still essential.

Right to Know

You have the right to confirm whether a covered controller is processing your personal data. Submit a verifiable consumer request using the mechanism disclosed in the controller’s privacy notice. The controller has 90 days to respond — significantly longer than the 45-day window under Connecticut’s CTDPA or California’s CCPA.

Right to Access

You have the right to access the personal data the controller has collected about you in a reasonably accessible format. Unlike some other state laws, the Iowa CDPA does not require controllers to provide data in a portable, machine-readable format that enables transfer to another service provider.

Right to Correction

You have the right to correct inaccuracies in your personal data. The controller must consider the nature and purpose of the processing in determining whether a correction is appropriate and must act within the 90-day response period.

Right to Deletion

You have the right to request deletion of personal data you provided or that was collected about you. Note that Iowa’s deletion right applies to data ‘you provided’ — a narrower framing than Connecticut’s CTDPA, which covers all personal data held by the controller.

Right to Opt Out of Data Sales and Targeted Advertising

You have the right to opt out of (1) the sale of your personal data and (2) the processing of your personal data for targeted advertising. The Iowa CDPA does not create an opt-out right for profiling with significant legal effects — a gap that distinguishes it from Connecticut, Colorado, and Virginia.

Iowa CDPA vs. CCPA/CPRA: Key Differences

  • Response time: Iowa gives controllers 90 days; California gives 45 days.
  • Portability: Iowa has no portability right; California requires a portable, machine-readable copy.
  • Profiling opt-out: Iowa has none; California/CPRA requires opt-out for automated decision-making.
  • Private right of action: Iowa has none; California allows limited private actions for data breaches.
  • Enforcement: Iowa — Attorney General only, $7,500 per violation cap; California — CPPA and AG, plus private actions for data breaches.

How to File a Complaint if Your Rights Are Violated

If a covered business denies your request and the internal appeal process does not resolve the issue, file a complaint with the Iowa Attorney General’s Consumer Protection Division at consumer.iowa.gov. The AG will investigate and, if a violation is found, issue a cure notice. If the controller fails to cure within 90 days, the AG may seek civil penalties of up to $7,500 per violation. No private lawsuit is available under Iowa law.

If you are an Iowa resident with questions about your privacy rights — or a business seeking to understand Iowa CDPA compliance obligations — contact Revision Legal at revisionlegal.com/contact or visit our Privacy Law practice page.

The State of Iowa joined a growing list of states that have enacted consumer data protection statutes. As of early 2024, 12 states have passed such legislation, and at least another dozen states are considering enacting their own version of these statutes. The Iowa version is called the “Iowa Consumer Data Protection Act” (“ICDPA”). See here for the text of ICDPA. The Act comes into effect on January 1, 2025.

In this three-part article, the consumer data protection compliance lawyers at Revision Legal discuss the rights provided to consumers by the ICDPA, what the Act means for businesses that collect consumer data in Iowa, and why the ICDPA can be seen as the weakest and the least protective of the current consumer data protection statutes. In Part One, we look at what consumer data protection rights are granted and protected by the ICDPA.

What consumer rights are granted by the ICDPA?

Like most consumer data protection statutes, the ICDPA gives consumers various rights. Among these are the right to notice, to give consent and opt-out in some circumstances, to know what data is collected and processed, to have personal data deleted, to obtain a copy of their personal data (in a portable format), to appeal adverse decisions by controllers, to non-retaliation and non-discrimination for exercising rights under the ICDPA, and more.

What notices are required by the ICDPA?

With respect to notices, the ICDPA requires companies to provide notice of the following:

  • The categories of personal data processed by the controller
  • The purpose of processing personal data
  • How consumers may exercise their consumer rights under the ICDPA, including how a consumer may appeal a controller’s decision with regard to the consumer’s request
  • The categories of personal data that the controller shares with third parties, if any
  • The categories of third parties, if any, with whom the controller shares personal data

The notice provided must be “reasonably accessible, clear, and meaningful…” A further notification is required if the controller sells a consumer’s personal data to third parties or engages in targeted advertising. If either of these applies, the “controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.”

What data is protected?

As with all the other statutes, the consumer data that is being protected is “personal data.” This is defined as any data that can be used to identify a specific natural person. More specifically, “personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” A subcategory of “personal data” includes “sensitive data,” which includes data about racial or ethnic origin, religious beliefs, health issues, sexual orientation, citizenship status, genetic data, biometric data, precise geolocation, and more.

However, as with many of these statutes, the ICDPA includes a number of explicitly excluded categories of data, including:

  • Personal data collected when the person is acting in a commercial or employment capacity — the latter includes when a person is applying for a job
  • Data collected and processed by exempt entities like the State, governmental subdivisions, financial institutions, etc.
  • Health care data
  • De-identified data
  • Aggregate data
  • Publicly available information
  • Research data
  • Data related to credit rating

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
