
Iowa Consumer Data Protection Act (Part Two) — What Requirements are Imposed on Businesses?

by John DiGiacomo

Partner

Internet Law

As discussed in Part One of this series, Iowa has recently enacted a consumer data protection statute called the “Iowa Consumer Data Protection Act” (“ICDPA”). See here for the text of ICDPA. The Act comes into effect on January 1, 2025. In Part Two, the consumer data protection compliance lawyers at Revision Legal discuss what the ICDPA means for businesses that collect consumer data in Iowa.

To whom does the ICDPA apply?

The ICDPA applies to any business that conducts business in Iowa, or that offers products or services targeted to Iowa consumers, and that meets either of the following thresholds during a calendar year:

  • Controls or processes the personal data of at least 100,000 consumers
  • Controls or processes the personal data of at least 25,000 consumers and derives over fifty percent of its gross revenue from the sale of personal data

There are a large number of exceptions for various types of entities that do not have to comply with the ICDPA. These include the State of Iowa, its political subdivisions, financial institutions, not-for-profit entities, research institutions, and more.

To what data does the ICDPA apply?

The ICDPA applies to “consumer data” and does not apply to any data collected or processed when a person is acting in a commercial or employment capacity. The data that is protected includes “personal data,” including the subcategory of “sensitive data.” “Personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” “Sensitive data” includes data about racial or ethnic origin, religious beliefs, sexual orientation, biometric data, precise geolocation, and more.

However, the ICDPA has a very long list of data to which the Act does not apply. Thus, “personal data” does not include de-identified, aggregate data, publicly available information, data that a consumer makes public or consents to be made public, data used exclusively for internal use by a controller, research data, data related to credit ratings, and much more.

What affirmative duties are imposed on businesses by the ICDPA?

As with many consumer data protection statutes, various duties and requirements are imposed on covered businesses. These include:

  • Controllers must adopt and implement reasonable data-security practices to protect personal data against unauthorized access and theft; the level of security must be appropriate to the volume and nature of the personal data collected, stored, and processed
  • Controllers may process personal data only to the extent the processing is “reasonably necessary and proportionate to the purposes” disclosed to the consumer
  • Controllers and processors must enter into contracts that meet the ICDPA’s requirements, including provisions binding the processor to duties such as maintaining the confidentiality of the personal data it processes
  • Controllers must provide the required disclosures to consumers, including the categories of personal data collected and processed and the purposes for which they are collected and processed
  • Controllers must provide additional disclosures if they sell personal data to third parties or engage in targeted advertising
  • Controllers must tell consumers how to exercise their rights under the ICDPA, including the right to opt out, the right to obtain a copy of their personal data, and the right to have their personal data deleted
  • Controllers must provide a mechanism for appealing any adverse decision on a request by a consumer to exercise one of these rights
  • Policies and procedures must be put in place to prevent retaliation and discrimination against consumers who exercise their rights under the ICDPA

Notably, the ICDPA does NOT require controllers to conduct or document any data protection assessment. Iowa is among the few states whose consumer privacy statutes omit this requirement.

Enforcement of the ICDPA

There is no private right of action for consumers under the ICDPA. Enforcement is the exclusive responsibility of the Iowa Attorney General’s Office. Before bringing an action, the Attorney General must provide written notice of the alleged violation, and the business then has a 90-day period in which to cure it. If the violation is not cured, civil penalties of up to $7,500 per violation can be imposed.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
