Iowa Consumer Data Protection Act (Part Three) — Why The ICDPA Can Be Considered The Weakest of the Consumer Data Protection Acts? featured image

Iowa Consumer Data Protection Act (Part Three) — Why The ICDPA Can Be Considered The Weakest of the Consumer Data Protection Acts?

by John DiGiacomo

Partner

Internet Law

As discussed in Parts One and Two of this series, Iowa has recently enacted a consumer data protection statute called the “Iowa Consumer Data Protection Act” (“ICDPA”). The Act comes into effect on January 1, 2025. Below, the consumer data protection compliance lawyers at Revision Legal discuss why the ICDPA can be seen as the weakest and least protective of the current data consumer protection statutes.

Let’s take a detailed look at one example. Most consumer data protection statutes allow consumers to “opt out” of having their personal or sensitive data sold or used for targeted advertising. Typically, a clear and conspicuous “opt-out” button must be made available, allowing consumers to easily exercise their “opt-out” rights.

The ICDPA does not require this, and it seems that the ICDPA permits a cumbersome process for invoking “opt-out” rights. For example, section 715D.4 states that “[i]f a controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.” Section 715D.3 states that a “consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to the controller …” Taken together, these provisions allow a controller to omit an “easy-click” button and require a consumer to “submit a request” for opting out. For obvious reasons, a “less easy” option for opting opt will reduce the number of consumers who exercise their opt-out rights.

Here are a few other examples of why the ICDPA can be deemed the weakest of the consumer data protection statutes:

  • No “opt-in” requirement for cookie use or any effort to incentivize obtaining an “opt-in” — under the European data protection regulations, there must be an affirmed “opt-in” for cookies; other US statutes incentive asking for “opting-in” by excluding cookie-collected data as “personal data”
  • “Sale of personal data” is defined in the ICDPA to mean the “exchange of personal data for monetary consideration by the controller to a third party” — this is a very weak definition; more protective statutes include concepts like obtaining “anything of value” in exchange for data and the idea that a “sale” can include “the sharing” of data
  • No requirement for controllers to prepare data protection assessment reports
  • No data protection when a person is “acting in a commercial or employment context,” including applying for a job — employers generally request a great deal of personal data when seeking job applicants
  • The ICPDA grants immunity for controllers and processors for third-party violations of the ICDPA as long as the controllers or processors did not know in advance that the third party was going to use/process the shared/sold data in violation of the ICDPA — this is unique to the ICDPA
  • Consumer “consent” is defined to include “any other unambiguous affirmative action,” which arguably includes any “negative” action like closing or ignoring a pop-up window
  • And more

Contact T]the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

Extra, Extra!
Recent Posts

Worrying About SaaS Agreements and Cross-Border Data Transfers

Worrying About SaaS Agreements and Cross-Border Data Transfers

Internet Law

When your business is contemplating a software-as-a-service (“SaaS”) agreement, there are a large number of considerations. An SaaS agreement is, of course, a subscription service where a software package is centrally hosted and accessed by a SaaS company’s customers. Issues to be aware of include: As important as the foregoing issues are, one often overlooked […]

Read more about Worrying About SaaS Agreements and Cross-Border Data Transfers

FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

Internet Law

If you are serious about your career as a social media influencer, blogger, and/or online content creator, you ARE going to need legal services at some point. Online creation is big business now, and big business means the need for legal services. The Internet and Social Media Attorneys at Revision Legal are here to help. […]

Read more about FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

Take it Down Act: Ban on “Revenge Porn” Goes National

Take it Down Act: Ban on “Revenge Porn” Goes National

Internet Law

Congress recently passed the Take It Down Act (“TIDA”), and the law was signed by the President in mid-May 2025. See AP media report here. Interestingly enough, “Take It Down” is an acronym for “Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act.” TIDA prohibits what is commonly called “revenge […]

Read more about Take it Down Act: Ban on “Revenge Porn” Goes National

Put Revision Legal on your side