A Detailed Comparison: Iowa CDPA vs. Other State Laws
The Iowa Consumer Data Protection Act has drawn significant criticism from privacy advocates and legal scholars as the least protective of the major state comprehensive privacy statutes enacted through 2024. A head-to-head comparison illustrates why.
Iowa CDPA vs. California CCPA/CPRA
- Portability right: California requires controllers to provide data in a portable, machine-readable format; Iowa has no portability requirement.
- Profiling opt-out: California’s CPRA requires an opt-out right for automated decision-making with significant effects; Iowa has no such right.
- Private right of action: California consumers can sue directly for data breach damages; Iowa consumers have no private right of action.
- Regulatory body: California established the California Privacy Protection Agency (CPPA) with dedicated staff and a $10M+ annual budget; Iowa relies on the Attorney General’s office with no dedicated privacy staff.
- Employee and B2B data: California’s exemptions for employee and B2B data expired; Iowa retains a broad exemption for data collected ‘in a commercial or employment context.’
Iowa CDPA vs. Connecticut CTDPA
- Cure period: Iowa provides a 90-day cure right indefinitely; Connecticut’s cure right expired December 31, 2024.
- Sensitive data consent: Connecticut requires opt-in consent for all sensitive data processing; Iowa limits the consent requirement to processing not ‘necessary to provide a requested product or service.’
- Automated decision appeals: Connecticut requires a human-review appeals process for automated decisions; Iowa has no equivalent requirement.
- Data protection assessments: Connecticut requires DPAs for high-risk processing; Iowa does not.
Iowa CDPA vs. Colorado CPA
- Universal opt-out: Colorado requires recognition of universal opt-out mechanisms (like the Global Privacy Control) without delay; Iowa adopted a similar requirement but with a later effective date and broader exceptions.
- Profiling right: Colorado gives consumers the right to opt out of profiling with significant legal effects; Iowa does not.
- Data protection assessments: Colorado requires written DPAs for targeted advertising, data sales, and profiling; Iowa requires none.
The ‘Commercial or Employment Context’ Exemption: How Broad Is It?
The Iowa CDPA’s exemption for data collected when a person is ‘acting in a commercial or employment context’ is one of its most significant gaps. Under this exemption, personal data collected from job applicants, employees, business contacts, and anyone interacting with a business in a B2B capacity is entirely excluded from CDPA protections. This means an employee in Iowa has essentially no state privacy rights with respect to the personal data their employer collects — including monitoring of work computers, tracking of location during work hours, or collection of biometric data for timekeeping purposes.
California closed this loophole: CPRA protections now extend to employee and job applicant data. Connecticut’s CTDPA also does not contain an equivalent blanket employment exemption. Iowa’s retention of this carve-out effectively leaves the employment data-privacy gap open for Iowa employees.
Practical Implications: What Iowa Businesses Should Know
Despite its relative weakness, the Iowa CDPA still creates meaningful compliance obligations for covered businesses. If your business is subject to CCPA, CTDPA, or CPA compliance, Iowa CDPA compliance will likely be achieved as a byproduct of meeting those higher standards.
Businesses exclusively Iowa-based face the lightest regulatory burden of any state with a comprehensive privacy law. However, that burden could change quickly: Iowa’s legislature may strengthen the law in future sessions, and federal privacy legislation — if enacted — could preempt state law and impose uniform obligations nationwide.
Revision Legal advises businesses of all sizes on state-by-state privacy compliance. Contact us at revisionlegal.com/contact or visit our Privacy Law practice page.
As discussed in Parts One and Two of this series, Iowa has recently enacted a consumer data protection statute called the “Iowa Consumer Data Protection Act” (“ICDPA”). The Act comes into effect on January 1, 2025. Below, the consumer data protection compliance lawyers at Revision Legal discuss why the ICDPA can be seen as the weakest and least protective of the current data consumer protection statutes.
Let’s take a detailed look at one example. Most consumer data protection statutes allow consumers to “opt out” of having their personal or sensitive data sold or used for targeted advertising. Typically, a clear and conspicuous “opt-out” button must be made available, allowing consumers to easily exercise their “opt-out” rights.
The ICDPA does not require this, and it seems that the ICDPA permits a cumbersome process for invoking “opt-out” rights. For example, section 715D.4 states that “[i]f a controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.” Section 715D.3 states that a “consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to the controller …” Taken together, these provisions allow a controller to omit an “easy-click” button and require a consumer to “submit a request” for opting out. For obvious reasons, a “less easy” option for opting out will reduce the number of consumers who exercise their opt-out rights.
Here are a few other examples of why the ICDPA can be deemed the weakest of the consumer data protection statutes:
- No “opt-in” requirement for cookie use or any effort to incentivize obtaining an “opt-in” — under the European data protection regulations, there must be an affirmative “opt-in” for cookies; other US statutes incentivize asking for “opt-in” consent by excluding cookie-collected data from the definition of “personal data”
- “Sale of personal data” is defined in the ICDPA to mean the “exchange of personal data for monetary consideration by the controller to a third party” — this is a very weak definition; more protective statutes include concepts like obtaining “anything of value” in exchange for data and the idea that a “sale” can include “the sharing” of data
- No requirement for controllers to prepare data protection assessment reports
- No data protection when a person is “acting in a commercial or employment context,” including applying for a job — employers generally request a great deal of personal data when seeking job applicants
- The ICDPA grants immunity to controllers and processors for third-party violations of the ICDPA as long as the controllers or processors did not know in advance that the third party was going to use/process the shared/sold data in violation of the ICDPA — this is unique to the ICDPA
- Consumer “consent” is defined to include “any other unambiguous affirmative action,” which arguably includes any “negative” action like closing or ignoring a pop-up window
- And more
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.