Iowa Consumer Data Protection Act (Part One) — What Consumer Rights are Granted? featured image

Iowa Consumer Data Protection Act (Part One) — What Consumer Rights are Granted?

by John DiGiacomo

Partner

Internet Law

The State of Iowa joined a growing list of states that have enacted consumer data protection statutes. As of early 2024, 12 states have passed such legislation, and at least another dozen states are considering enacting their own version of these statutes. The Iowa version is called the “Iowa Consumer Data Protection Act” (“ICDPA”). See here for the text of ICDPA. The Act comes into effect on January 1, 2025.

In this three-part article, the consumer data protection compliance lawyers at Revision Legal discuss the rights provided to consumers by the ICDPA, what the Act means for businesses that collect consumer data in Iowa, and why the ICDPA can be seen as the weakest and the least protective of the current consumer data protection statutes.  In Part One, we look at what consumer data protection rights are granted and protected by the ICDPA.

What consumer rights are granted by the ICDPA?

Like most consumer data protection statutes, the ICDPA gives consumers various rights. Among these are the right to notice, to give consent and opt-out in some circumstances, to know what data is collected and processed, to have personal data deleted, to obtain a copy of their personal data (in a portable format), to appeal adverse decisions by controllers, to non-retaliation and non-discrimination for exercising rights under the ICDPA, and more.

What notices are required by the ICDPA?

With respect to notices, the ICDPA mandates companies to provide notice of the following:

  • The categories of personal data processed by the controller
  • The purpose of processing personal data
  • How consumers may exercise their consumer rights under the ICDPA, including how a consumer may appeal a controller’s decision with regard to the consumer’s request
  • The categories of personal data that the controller shares with third parties, if any
  • The categories of third parties, if any, with whom the controller shares personal data

The notice provided must be “reasonably accessible, clear, and meaningful…” In addition, an additional notification is required if the controller sells a consumer’s personal data to third parties or engages in targeted advertising. If either of these applies, the “controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.”

What data is protected?

As with all the other statutes, the consumer data that is being protected is “personal data.” This is defined as any data that can be used to identify a specific natural person. More specifically, “personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” A subcategory of “personal data” includes “sensitive data,” which includes data about racial or ethnic origin, religious beliefs, health issues, sexual orientation, citizenship status, genetic data, biometric data, precise geolocation, and more.

However, as with many of these statutes, the ICDPA includes a number of explicitly excluded categories of data, including:

  • Personal data collected when the person is acting in a commercial or employment capacity — the latter includes when a person is applying for a job
  • Data collected and processed by exempt entities like the State, governmental subdivisions, financial institutions, etc.
  • Health care data
  • De-identified data
  • Aggregate data
  • Publicly available information
  • Research data
  • Data related to credit rating

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

Extra, Extra!
Recent Posts

Worrying About SaaS Agreements and Cross-Border Data Transfers

Worrying About SaaS Agreements and Cross-Border Data Transfers

Internet Law

When your business is contemplating a software-as-a-service (“SaaS”) agreement, there are a large number of considerations. An SaaS agreement is, of course, a subscription service where a software package is centrally hosted and accessed by a SaaS company’s customers. Issues to be aware of include: As important as the foregoing issues are, one often overlooked […]

Read more about Worrying About SaaS Agreements and Cross-Border Data Transfers

FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

Internet Law

If you are serious about your career as a social media influencer, blogger, and/or online content creator, you ARE going to need legal services at some point. Online creation is big business now, and big business means the need for legal services. The Internet and Social Media Attorneys at Revision Legal are here to help. […]

Read more about FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

Take it Down Act: Ban on “Revenge Porn” Goes National

Take it Down Act: Ban on “Revenge Porn” Goes National

Internet Law

Congress recently passed the Take It Down Act (“TIDA”), and the law was signed by the President in mid-May 2025. See AP media report here. Interestingly enough, “Take It Down” is an acronym for “Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act.” TIDA prohibits what is commonly called “revenge […]

Read more about Take it Down Act: Ban on “Revenge Porn” Goes National

Put Revision Legal on your side