Iowa Consumer Data Protection Act (Part 2): Business Duties

by John DiGiacomo

Partner

Internet Law

Applicability Thresholds: Does the Iowa CDPA Apply to You?

The Iowa Consumer Data Protection Act, Iowa Code § 715D.1 et seq., applies to persons who conduct business in Iowa or produce products or services targeted to Iowa residents AND, during the preceding calendar year: (1) controlled or processed personal data of 100,000 or more Iowa residents, OR (2) controlled or processed personal data of 25,000 or more Iowa residents and derived more than 50% of gross revenue from the sale of personal data. The 50% revenue threshold is notably higher than the 25% threshold in Connecticut’s law — another indication of Iowa’s more business-friendly approach.

Data Minimization and Purpose Limitation

Under § 715D.3(2), controllers must adhere to data minimization principles. Personal data collected must be ‘adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.’ Controllers must not process data for secondary purposes that are not compatible with the disclosed primary purpose unless the controller obtains the consumer’s consent. Using customer purchase data to build a separate behavioral profile for resale — without disclosing that secondary use — violates the purpose-limitation requirement.

Sensitive Data: Iowa’s Definition and Requirements

The Iowa CDPA defines ‘sensitive data’ to include racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation or gender identity, immigration or citizenship status, genetic or biometric data processed for unique identification, personal data of a known child, and precise geolocation (within a 1,750-foot radius).

Unlike Connecticut’s law, which requires affirmative opt-in consent for all sensitive data, Iowa requires opt-in consent only for sensitive data processing that is not ‘necessary to provide a requested product or service.’ This exception creates ambiguity that controllers should resolve by obtaining affirmative consent for sensitive data as a matter of best practice.

Processor Agreements Under the Iowa CDPA

The Iowa CDPA requires controllers to execute written agreements with processors that bind the processor to process data only on the controller’s instructions. Under § 715D.5, processor agreements must address: (1) the nature and purpose of the processing, (2) the type of data and duration of processing, (3) the processor’s obligation to assist the controller in responding to consumer requests, (4) the processor’s obligation to notify the controller of any breach, and (5) the processor’s obligation to delete or return data at the end of the relationship.

No Data Protection Assessment Requirement: What It Means in Practice

The Iowa CDPA is unique among state privacy laws in that it does not require controllers to prepare data protection assessments (DPAs) before engaging in high-risk processing activities. Every other major state privacy law — California, Colorado, Connecticut, Virginia, Texas, Montana, and others — requires some form of risk assessment for processing sensitive data, conducting targeted advertising, or engaging in high-risk profiling.

For businesses that operate in multiple states, this does not mean DPAs are unnecessary. If you are subject to the CTDPA (Connecticut), the CPA (Colorado), or the CCPA/CPRA (California), you still need DPAs under those laws. The Iowa exemption simply means you do not need a separate Iowa-specific DPA — but a risk assessment remains essential as part of your cross-state compliance program.

Building a Multi-State Privacy Compliance Program

For businesses that collect personal data from residents of multiple states, a patchwork approach to compliance is inefficient and error-prone. A better approach is to design a unified compliance program that meets the highest standard applicable across all states where you do business. Key elements include:

  • A unified privacy notice that discloses all required information for California, Connecticut, Colorado, Virginia, and Iowa residents
  • A single consumer request intake process that routes requests to the appropriate team and tracks deadlines under each applicable law
  • A data processing inventory (data map) that documents every category of data collected, its source, its purpose, how it is shared, and its retention period
  • Processor agreements with all vendors that meet the most demanding requirements across all applicable laws
  • An opt-out mechanism that recognizes browser-based opt-out preference signals
  • Annual privacy program audits and updates as new state laws take effect

Revision Legal helps businesses build efficient, cross-state privacy compliance programs. Contact us at revisionlegal.com/contact or visit our Privacy Law practice page.

As discussed in Part One of this series, Iowa has recently enacted a consumer data protection statute called the “Iowa Consumer Data Protection Act” (“ICDPA”). See here for the text of ICDPA. The Act comes into effect on January 1, 2025. In Part Two, the consumer data protection compliance lawyers at Revision Legal discuss what the ICDPA means for businesses that collect consumer data in Iowa.

To whom does the ICDPA apply?

The ICDPA applies to any business that conducts business in Iowa or targets consumers in Iowa and that meets either of the following data collection/processing thresholds:

  • Controls or processes data of 100,000 or more consumers
  • Controls/processes data of at least 25,000 consumers and generates over fifty percent of its gross annual revenue from the sale of personal data

There are a large number of exceptions for various types of entities that do not have to comply with the ICDPA. These include the State of Iowa, its political subdivisions, financial institutions, not-for-profit entities, research institutions, and more.

To what data does the ICDPA apply?

The ICDPA applies to “consumer data” and does not apply to any data collected or processed when a person is acting in a commercial or employment capacity. The data that is protected includes “personal data,” including the subcategory of “sensitive data.” “Personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” “Sensitive data” includes data about racial or ethnic origin, religious beliefs, sexual orientation, biometric data, precise geolocation, and more.

However, the ICDPA has a very long list of data to which the Act does not apply. Thus, “personal data” does not include de-identified data, aggregate data, publicly available information, data that a consumer makes public or consents to be made public, data used exclusively for internal use by a controller, research data, data related to credit ratings, and much more.

What affirmative duties are imposed on businesses by the ICDPA?

As with many consumer data protection statutes, various duties and requirements are imposed on covered businesses. These include:

  • Controllers must have reasonable data and cyber-security procedures and protocols in place to prevent unauthorized access and theft of personal data — the level of security must be in accordance with the volume and nature of the data collected, stored, and processed
  • Controllers can only process personal data if the processing is “reasonably necessary and proportionate to the purposes” disclosed
  • Contracts must be signed between controllers and processors that comply with the ICDPA, including provisions that require processors to agree to be bound by the ICDPA with respect to matters like maintaining the confidentiality of personal data, etc.
  • Provide the required disclosures to consumers — the information to be disclosed includes the categories of personal data collected/processed, the purpose for the collection/processing, etc.
  • Provide additional disclosures if a covered business sells personal data to any third parties or engages in targeted advertising
  • Provide consumers with information about how to exercise their rights under the ICDPA, including opt-out rights, the right to obtain a copy of their personal data, the right to have personal data deleted, etc.
  • Provide a mechanism for appealing any adverse decision by a controller with respect to the right being exercised by a consumer
  • Policies and procedures must be put in place to prevent retaliation and discrimination against consumers who exercise their rights under the ICDPA

Notably, the ICDPA does NOT require any sort of data protection assessment report. The Iowa statute is unique in not requiring this.

Enforcement of the ICDPA

There is no private right of action for consumers under the ICDPA. The Iowa Attorney General’s Office is tasked with enforcement of the ICDPA. The Attorney General must provide a written notice to an alleged violator which is allowed a 90-day cure period. If violations are not cured, fines can be imposed of up to $7,500 per violation.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
