As discussed in Part One of this series, Iowa has recently enacted a consumer data protection statute called the “Iowa Consumer Data Protection Act” (“ICDPA”). See here for the text of ICDPA. The Act comes into effect on January 1, 2025. In Part Two, the consumer data protection compliance lawyers at Revision Legal discuss what the ICDPA means for businesses that collect consumer data in Iowa.

To whom does the ICDPA apply?

The ICDPA applies to any business which conducts business in Iowa or which targets consumers in Iowa and which meets either of the following data collection/processing thresholds:

• Controls or processes data of 100,000 or more consumers
• Controls/processes data of at least 25,000 consumers and generates over fifty percent of their gross annual revenue from the sale of personal data

There are a large number of exceptions for various types of entities that do not have to comply with the ICDPA. These include the State of Iowa, its political subdivisions, financial institutions, not-for-profit entities, research institutions, and more.

To what data does the ICDPA apply?

The ICDPA applies to “consumer data” and does not apply to any data collected or processed when a person is acting in a commercial or employment capacity. The data that is protected includes “personal data,” including the subcategory of “sensitive data.” “Personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” “Sensitive data” includes data about racial or ethnic origin, religious beliefs, sexual orientation, biometric data, precise geolocation, and more.

However, the ICDPA has a very long list of data to which the Act does not apply. Thus, “personal data” does not include de-identified, aggregate data, publicly available information, data that a consumer makes public or consents to be made public, data used exclusively for internal use by a controller, research data, data related to credit ratings, and much more.

What affirmative duties are imposed on businesses by the ICDPA?

As with many consumer data protection statutes, various duties and requirements are imposed on covered businesses. These include:

• Controllers must have reasonable data and cyber-security procedures and protocols in place to prevent unauthorized access and theft of personal data — the level of security must be in accordance with the volume and nature of the data collected, stored, and processed
• Controllers can only process personal data if the processing is “reasonably necessary and proportionate to the purposes” disclosed
• Contracts must be signed between controllers and processors that comply with the ICDPA, including provisions that require processors to agree to be bound by the ICDPA with respect to matters like maintaining the confidentiality of personal data, etc.
• Provide the required disclosures to consumers — the information to be disclosed includes the categories of personal data collected/processed, the purpose for the collection/processing, etc.
• Provide additional disclosures if a covered business sells personal data to any third parties or engages in targeted advertising
• Provide consumers with information about how to exercise their rights under the ICDPA, including opt-out rights, the right to obtain a copy of their personal data, the right to have personal data deleted, etc.
• Provide a mechanism for appealing any adverse decision by a controller with respect to the right being exercised by a consumer
• Policies and procedures must in put in place to prevent retaliation and discrimination against consumers who exercise their rights under the ICDPA

Notably, the ICDPA does NOT require any sort of data protection assessment report. The Iowa statute is unique in not requiring this.

Enforcement of the ICDPA

There is no private right of action for consumers under the ICDPA. The Iowa Attorney General’s Office is tasked with enforcement of the ICDPA. The Attorney General must provide a written notice to an alleged violator which is allowed a 90-day cure period. If violations are not cured, fines can be imposed of up to $7,500 per violation.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.