The State of Iowa joined a growing list of states that have enacted consumer data protection statutes. As of early 2024, 12 states have passed such legislation, and at least another dozen states are considering enacting their own version of these statutes. The Iowa version is called the “Iowa Consumer Data Protection Act” (“ICDPA”). See here for the text of ICDPA. The Act comes into effect on January 1, 2025.
In this three-part article, the consumer data protection compliance lawyers at Revision Legal discuss the rights provided to consumers by the ICDPA, what the Act means for businesses that collect consumer data in Iowa, and why the ICDPA can be seen as the weakest and the least protective of the current consumer data protection statutes. In Part One, we look at what consumer data protection rights are granted and protected by the ICDPA.
What consumer rights are granted by the ICDPA?
Like most consumer data protection statutes, the ICDPA gives consumers various rights. Among these are the right to notice, to give consent and opt-out in some circumstances, to know what data is collected and processed, to have personal data deleted, to obtain a copy of their personal data (in a portable format), to appeal adverse decisions by controllers, to non-retaliation and non-discrimination for exercising rights under the ICDPA, and more.
What notices are required by the ICDPA?
With respect to notices, the ICDPA requires companies to provide notice of the following:
- The categories of personal data processed by the controller
- The purpose of processing personal data
- How consumers may exercise their consumer rights under the ICDPA, including how a consumer may appeal a controller’s decision with regard to the consumer’s request
- The categories of personal data that the controller shares with third parties, if any
- The categories of third parties, if any, with whom the controller shares personal data
The notice provided must be “reasonably accessible, clear, and meaningful…” A further notification is required if the controller sells a consumer’s personal data to third parties or engages in targeted advertising. If either of these applies, the “controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.”
What data is protected?
As with all the other statutes, the consumer data that is being protected is “personal data.” This is defined as any data that can be used to identify a specific natural person. More specifically, “personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” A subcategory of “personal data” is “sensitive data,” which includes data about racial or ethnic origin, religious beliefs, health issues, sexual orientation, citizenship status, genetic data, biometric data, precise geolocation, and more.
However, as with many of these statutes, the ICDPA includes a number of explicitly excluded categories of data, including:
- Personal data collected when the person is acting in a commercial or employment capacity — the latter includes when a person is applying for a job
- Data collected and processed by exempt entities like the State, governmental subdivisions, financial institutions, etc.
- Health care data
- De-identified data
- Aggregate data
- Publicly available information
- Research data
- Data related to credit rating