Iowa Consumer Data Protection Act (Part One) — What Consumer Rights are Granted? featured image

Iowa Consumer Data Protection Act (Part One) — What Consumer Rights are Granted?

by John DiGiacomo

Partner

Internet Law

The State of Iowa joined a growing list of states that have enacted consumer data protection statutes. As of early 2024, 12 states have passed such legislation, and at least another dozen states are considering enacting their own version of these statutes. The Iowa version is called the “Iowa Consumer Data Protection Act” (“ICDPA”). See here for the text of ICDPA. The Act comes into effect on January 1, 2025.

In this three-part article, the consumer data protection compliance lawyers at Revision Legal discuss the rights provided to consumers by the ICDPA, what the Act means for businesses that collect consumer data in Iowa, and why the ICDPA can be seen as the weakest and the least protective of the current consumer data protection statutes.  In Part One, we look at what consumer data protection rights are granted and protected by the ICDPA.

What consumer rights are granted by the ICDPA?

Like most consumer data protection statutes, the ICDPA gives consumers various rights. Among these are the right to notice, to give consent and opt-out in some circumstances, to know what data is collected and processed, to have personal data deleted, to obtain a copy of their personal data (in a portable format), to appeal adverse decisions by controllers, to non-retaliation and non-discrimination for exercising rights under the ICDPA, and more.

What notices are required by the ICDPA?

With respect to notices, the ICDPA mandates companies to provide notice of the following:

  • The categories of personal data processed by the controller
  • The purpose of processing personal data
  • How consumers may exercise their consumer rights under the ICDPA, including how a consumer may appeal a controller’s decision with regard to the consumer’s request
  • The categories of personal data that the controller shares with third parties, if any
  • The categories of third parties, if any, with whom the controller shares personal data

The notice provided must be “reasonably accessible, clear, and meaningful…” In addition, an additional notification is required if the controller sells a consumer’s personal data to third parties or engages in targeted advertising. If either of these applies, the “controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.”

What data is protected?

As with all the other statutes, the consumer data that is being protected is “personal data.” This is defined as any data that can be used to identify a specific natural person. More specifically, “personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” A subcategory of “personal data” includes “sensitive data,” which includes data about racial or ethnic origin, religious beliefs, health issues, sexual orientation, citizenship status, genetic data, biometric data, precise geolocation, and more.

However, as with many of these statutes, the ICDPA includes a number of explicitly excluded categories of data, including:

  • Personal data collected when the person is acting in a commercial or employment capacity — the latter includes when a person is applying for a job
  • Data collected and processed by exempt entities like the State, governmental subdivisions, financial institutions, etc.
  • Health care data
  • De-identified data
  • Aggregate data
  • Publicly available information
  • Research data
  • Data related to credit rating

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

Extra, Extra!
Recent Posts

Does the AI-Copyright Legal Fight Represent a National Security Threat?

Does the AI-Copyright Legal Fight Represent a National Security Threat?

Copyright

The holders of copyrights for newspapers, magazines, books, and other publications are involved in numerous legal battles with owners of AI modules over alleged copyright infringement. The plaintiff copyright owners claim that the AI large language modules have been trained on huge quantities of copyrighted materials without permission and — most importantly — without payment. […]

Read more about Does the AI-Copyright Legal Fight Represent a National Security Threat?

How Does Buy-Sell Insurance Work For An Owners’ Agreement?

How Does Buy-Sell Insurance Work For An Owners’ Agreement?

Corporate

The owners of most small, closely-held businesses negotiate and sign some form of an “Owner’s Agreement.” An important part of such Agreements is the “Buy-Sell” provisions. These are often some of the most difficult to negotiate. The gist of the buy-sell part of the Owners’ Agreement is to establish the rules for what happens if […]

Read more about How Does Buy-Sell Insurance Work For An Owners’ Agreement?

Status on Social Media Moderation Statutes and Cases

Status on Social Media Moderation Statutes and Cases

Internet Law

Social media content moderation by technology platforms was one of the “hot” legal topics in 2023-2024. Three States — California, Texas, and Florida — passed different statutes to either require more content moderation (California) or to limit such moderation (Texas and Florida). All the statutes, in one way or another, demanded more transparency and information […]

Read more about Status on Social Media Moderation Statutes and Cases

Put Revision Legal on your side

Let's Discuss Your Case