Iowa Consumer Data Protection Act (Part Two) — What Requirements are Imposed on Businesses? featured image

Iowa Consumer Data Protection Act (Part Two) — What Requirements are Imposed on Businesses?

by John DiGiacomo

Partner

Internet Law

As discussed in Part One of this series, Iowa has recently enacted a consumer data protection statute called the “Iowa Consumer Data Protection Act” (“ICDPA”). See here for the text of ICDPA. The Act comes into effect on January 1, 2025. In Part Two, the consumer data protection compliance lawyers at Revision Legal discuss what the ICDPA means for businesses that collect consumer data in Iowa.

To whom does the ICDPA apply?

The ICDPA applies to any business which conducts business in Iowa or which targets consumers in Iowa and which meets either of the following data collection/processing thresholds:

  • Controls or processes data of 100,000 or more consumers
  • Controls/processes data of at least 25,000 consumers and generates over fifty percent of their gross annual revenue from the sale of personal data

There are a large number of exceptions for various types of entities that do not have to comply with the ICDPA. These include the State of Iowa, its political subdivisions, financial institutions, not-for-profit entities, research institutions, and more.

To what data does the ICDPA apply?

The ICDPA applies to “consumer data” and does not apply to any data collected or processed when a person is acting in a commercial or employment capacity. The data that is protected includes “personal data,” including the subcategory of “sensitive data.” “Personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” “Sensitive data” includes data about racial or ethnic origin, religious beliefs, sexual orientation, biometric data, precise geolocation, and more.

However, the ICDPA has a very long list of data to which the Act does not apply. Thus, “personal data” does not include de-identified, aggregate data, publicly available information, data that a consumer makes public or consents to be made public, data used exclusively for internal use by a controller, research data, data related to credit ratings, and much more.

What affirmative duties are imposed on businesses by the ICDPA?

As with many consumer data protection statutes, various duties and requirements are imposed on covered businesses. These include:

  • Controllers must have reasonable data and cyber-security procedures and protocols in place to prevent unauthorized access and theft of personal data — the level of security must be in accordance with the volume and nature of the data collected, stored, and processed
  • Controllers can only process personal data if the processing is “reasonably necessary and proportionate to the purposes” disclosed
  • Contracts must be signed between controllers and processors that comply with the ICDPA, including provisions that require processors to agree to be bound by the ICDPA with respect to matters like maintaining the confidentiality of personal data, etc.
  • Provide the required disclosures to consumers — the information to be disclosed includes the categories of personal data collected/processed, the purpose for the collection/processing, etc.
  • Provide additional disclosures if a covered business sells personal data to any third parties or engages in targeted advertising
  • Provide consumers with information about how to exercise their rights under the ICDPA, including opt-out rights, the right to obtain a copy of their personal data, the right to have personal data deleted, etc.
  • Provide a mechanism for appealing any adverse decision by a controller with respect to the right being exercised by a consumer
  • Policies and procedures must in put in place to prevent retaliation and discrimination against consumers who exercise their rights under the ICDPA

Notably, the ICDPA does NOT require any sort of data protection assessment report. The Iowa statute is unique in not requiring this.

Enforcement of the ICDPA

There is no private right of action for consumers under the ICDPA. The Iowa Attorney General’s Office is tasked with enforcement of the ICDPA. The Attorney General must provide a written notice to an alleged violator which is allowed a 90-day cure period. If violations are not cured, fines can be imposed of up to $7,500 per violation.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

Extra, Extra!
Recent Posts

Does the AI-Copyright Legal Fight Represent a National Security Threat?

Does the AI-Copyright Legal Fight Represent a National Security Threat?

Copyright

The holders of copyrights for newspapers, magazines, books, and other publications are involved in numerous legal battles with owners of AI modules over alleged copyright infringement. The plaintiff copyright owners claim that the AI large language modules have been trained on huge quantities of copyrighted materials without permission and — most importantly — without payment. […]

Read more about Does the AI-Copyright Legal Fight Represent a National Security Threat?

How Does Buy-Sell Insurance Work For An Owners’ Agreement?

How Does Buy-Sell Insurance Work For An Owners’ Agreement?

Corporate

The owners of most small, closely-held businesses negotiate and sign some form of an “Owner’s Agreement.” An important part of such Agreements is the “Buy-Sell” provisions. These are often some of the most difficult to negotiate. The gist of the buy-sell part of the Owners’ Agreement is to establish the rules for what happens if […]

Read more about How Does Buy-Sell Insurance Work For An Owners’ Agreement?

Status on Social Media Moderation Statutes and Cases

Status on Social Media Moderation Statutes and Cases

Internet Law

Social media content moderation by technology platforms was one of the “hot” legal topics in 2023-2024. Three States — California, Texas, and Florida — passed different statutes to either require more content moderation (California) or to limit such moderation (Texas and Florida). All the statutes, in one way or another, demanded more transparency and information […]

Read more about Status on Social Media Moderation Statutes and Cases

Put Revision Legal on your side

Let's Discuss Your Case