Iowa Consumer Data Protection Act (Part One) — What Consumer Rights are Granted?

by John DiGiacomo

Partner

Internet Law

The State of Iowa joined a growing list of states that have enacted consumer data protection statutes. As of early 2024, 12 states have passed such legislation, and at least another dozen states are considering enacting their own version of these statutes. The Iowa version is called the “Iowa Consumer Data Protection Act” (“ICDPA”). See here for the text of ICDPA. The Act comes into effect on January 1, 2025.

In this three-part article, the consumer data protection compliance lawyers at Revision Legal discuss the rights provided to consumers by the ICDPA, what the Act means for businesses that collect consumer data in Iowa, and why the ICDPA can be seen as the weakest and the least protective of the current consumer data protection statutes. In Part One, we look at what consumer data protection rights are granted and protected by the ICDPA.

What consumer rights are granted by the ICDPA?

Like most consumer data protection statutes, the ICDPA gives consumers various rights. Among these are the right to notice, to give consent and opt-out in some circumstances, to know what data is collected and processed, to have personal data deleted, to obtain a copy of their personal data (in a portable format), to appeal adverse decisions by controllers, to non-retaliation and non-discrimination for exercising rights under the ICDPA, and more.

What notices are required by the ICDPA?

With respect to notices, the ICDPA requires companies to provide notice of the following:

  • The categories of personal data processed by the controller
  • The purpose of processing personal data
  • How consumers may exercise their consumer rights under the ICDPA, including how a consumer may appeal a controller’s decision with regard to the consumer’s request
  • The categories of personal data that the controller shares with third parties, if any
  • The categories of third parties, if any, with whom the controller shares personal data

The notice provided must be “reasonably accessible, clear, and meaningful…” A further notification is required if the controller sells a consumer’s personal data to third parties or engages in targeted advertising. If either of these applies, the “controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.”

What data is protected?

As with all the other statutes, the consumer data that is being protected is “personal data.” This is defined as any data that can be used to identify a specific natural person. More specifically, “personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” “Sensitive data” is a subcategory of “personal data” and includes data about racial or ethnic origin, religious beliefs, health issues, sexual orientation, citizenship status, genetic data, biometric data, precise geolocation, and more.

However, as with many of these statutes, the ICDPA includes a number of explicitly excluded categories of data, including:

  • Personal data collected when the person is acting in a commercial or employment capacity — the latter includes when a person is applying for a job
  • Data collected and processed by exempt entities like the State, governmental subdivisions, financial institutions, etc.
  • Health care data
  • De-identified data
  • Aggregate data
  • Publicly available information
  • Research data
  • Data related to credit rating
