When does the Iowa Consumer Data Protection Act come into effect?
Iowa became the sixth state in the United States to enact a consumer privacy law, which is scheduled to take effect on January 1, 2025. The law was passed on March 29, 2023, providing organizations with approximately two years to get ready for compliance.
Although an earlier comprehensive privacy law attempt in Iowa failed in 2020, the importance of data privacy has gained significant traction since then. Compared to some other state-level privacy laws in the US, Iowa’s data privacy law is considered to be more favorable to businesses. This is also true of the Utah Consumer Privacy Act (UCPA).
What is the ICDPA?
The Iowa Consumer Data Protection Act (ICDPA) safeguards the privacy rights of Iowa’s three million residents and establishes obligations for companies operating in the state or offering goods and services to Iowa residents that handle personal data as part of their business operations. Like California and similar states, Iowa defines a consumer as a resident acting in an individual or household context, not in a commercial or employment context.
The ICDPA follows an opt-out approach, which is also employed by other states that have enacted comprehensive data privacy regulations thus far. This means that businesses subject to the law must inform consumers about the data they collect and process, including the types of data, purposes of processing, sharing with third parties, and more. Businesses must provide consumers with the option to decline data collection and processing. They and any third-party entities involved in data processing are required to implement reasonable security measures and safeguards.
Understanding the terms of the Iowa Consumer Data Protection Act
Iowa’s privacy law, like those in other states, centers around a number of key concepts and the rights and responsibilities of a number of entities, which are fairly standard in privacy regulations. It is important that definitions strike a balance of clarity and comprehensiveness, while still being flexible for implementation and regulatory enforcement over time as technologies change.
What is considered personal data under the ICDPA?
The definition of personal data employed by the ICDPA is relatively common and follows established standards: “any information that is linked or reasonably linkable to an identified or identifiable natural person”. The ICDPA does not consider publicly available information, aggregated data, or de-identified data as part of its coverage.
What is considered sensitive data under the ICDPA?
According to the ICDPA, sensitive data refers to any information that discloses personal details such as:
- racial or ethnic origin
- religious beliefs
- mental or physical health diagnosis
- sexual orientation
- citizenship or immigration status
- genetic or biometric data that is processed for the purpose of uniquely identifying a natural person
- personal data collected from a known child
- precise geolocation data (defined as accurate within a radius of 1750 feet/533.5 meters)
This kind of information carries a greater risk of harm to an individual if it is misused.
Who qualifies as a controller according to the ICDPA?
Businesses engaged in the collection and processing of personal data are likely to fall under the classification of controllers, which the ICDPA defines as “a person that, alone or jointly with others, determines the purpose and means of processing personal data”.
Who qualifies as a processor according to the ICDPA?
Third-party entities that carry out processing activities on behalf of the controller (which decides how data is collected, processed, and shared) are processors, which the ICDPA defines as “a person that processes personal data on behalf of a controller”.
What is considered a sale under the ICDPA?
A sale of data is defined as the “exchange of personal data for monetary consideration by the controller to a third party”. Several notable exclusions to the definition of sale of personal data include disclosure of personal data:
- to a processor that processes the personal data on behalf of the controller
- to a third party for purposes of providing a product or service requested by the consumer or the parent of a child
- to an affiliate of the controller
- that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience
- to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets
Compliance rules introduced in the Iowa data privacy act
Who needs to follow the ICDPA?
The ICDPA’s primary compliance threshold criteria apply to organizations that:
- control or process the personal data of at least 100,000 Iowa consumers during a calendar year, or
- control or process the personal data of at least 25,000 Iowa consumers during a calendar year, and derive more than 50% of their gross revenue from the sale of personal data
In contrast to certain states, such as California, the privacy law in Iowa does not establish a revenue threshold. This means that a company is not brought within the scope of the law simply because its annual gross revenue surpasses a specific dollar figure (e.g., US $25 million) if it does not meet the criteria based on the number of consumers whose data it processes.
Without this threshold, businesses of any size or value must comply with the Iowa privacy law if they meet the specified thresholds for personal data or personal data combined with revenue percentage.
Exemptions to the Iowa data protection law
The exemptions outlined in the Iowa data privacy regulation align closely with other existing privacy laws in the United States, primarily relying on existing federal laws. They include:
- Health Insurance Portability and Accountability Act (HIPAA)
- Children’s Online Privacy Protection Act (COPPA)
- Family Educational Rights and Privacy Act
- Driver’s Privacy Protection Act
- Farm Credit Act
Additional exemptions found within the Iowa data privacy act include health records, research data involving human subjects that are already covered by federal laws or standards, and data processed or maintained for employment-related purposes.
Exempted institutions include:
- state government entities
- financial institutions (also entities and affiliates subject to the Gramm-Leach-Bliley Act)
- institutions of higher education
- nonprofit organizations
What are consumers’ rights under the Iowa Consumer Data Protection Act?
The new data protection law grants consumers four primary rights. In the case of known children, their parents or legal guardians can exercise these rights concerning the processing of their personal data.
- Right to Access: Consumers have the right to confirm whether the controller is processing their personal data and to access that data, subject to certain exceptions.
- Right to Deletion: Consumers have the right to request the deletion of any personal data held by the controller that was provided by the consumer.
- Right to Data Portability: Consumers have the right to obtain a copy of their previously provided personal data, in a readily usable format, from the controller, with some exceptions.
- Right to Opt Out: Consumers have the right to choose to opt out of the sale of their personal data.
The most notable rights that are not included are:
- Right to correction (of inaccurate or outdated data)
- Right to opt out of automated decision-making
- Right to opt out of profiling
- Opt in for processing of sensitive personal data
- Private right of action (consumers’ ability to sue the controller in the event of a violation)
What impact does the new Iowa data privacy act have on businesses?
Controllers are obligated to inform consumers of their rights and provide mechanisms for consumers to exercise those rights by submitting a verifiable request to the company. The privacy notice or policy page on the controller’s website must include clear instructions on how consumers can exercise their rights.
Upon receiving a consumer request, the controller must respond within 90 days. There are limited grounds on which the request can be declined, such as if the consumer’s identity cannot be reasonably verified. In exceptional circumstances, if there are valid reasons that hinder the fulfillment of the request, the response period can be extended by up to 45 days after notifying the consumer.
It is important to note that the Iowa data privacy law does not mandate organizations to establish data protection operations or conduct privacy risk assessments.
Rules for purpose limitation under the ICDPA
Controllers are permitted to process personal data for the purpose(s) they have disclosed, provided that the processing is considered “reasonably necessary.” This means that the processing must be relevant, adequate, and limited in scope, aligning proportionately with the stated purposes.
Rules for data security under the ICDPA
Controllers are required to safeguard the confidentiality, integrity, and availability of personal data by implementing reasonable data security measures, encompassing administrative, technical, and physical safeguards. These measures should be suitable for the nature and volume of the personal data being processed.
Rules concerning consent under the ICDPA
Similar to other states in the US that have enacted privacy laws, Iowa uses an opt-out model, which means that in many cases, user consent is not required before collecting and processing data, including sensitive personal data. However, consumers must receive clear notice regarding the data processing and have the ability to opt out of the sale of their personal information.
Regarding children, the ICDPA follows the Children’s Online Privacy Protection Act (COPPA), aligning with several other states. Before processing any personal data of a user known to be under 13 years old, consent from the parent or guardian of the child must be obtained. This requirement applies to all children’s personal data, as Iowa’s data privacy regulation automatically classifies children’s personal data as “sensitive.”
Nondiscrimination rules under the ICDPA
Controllers are strictly prohibited from engaging in unlawful discrimination against consumers, including processing personal data that violates any other state or federal discrimination laws. Furthermore, controllers are not allowed to discriminate against consumers for exercising their rights under the ICDPA. For instance, a consumer cannot be denied access to a website simply because they have opted out of personal data collection.
However, it is worth noting that certain website features or functions may require the activation of specific cookies. If a consumer chooses not to opt in to the use of such cookies due to concerns about personal data collection, it is possible that the website may not function optimally. It is important to understand that this situation does not constitute discriminatory behavior.
Controllers have the option to offer voluntary incentives, such as discounts, for consumers who willingly participate in certain activities, like loyalty programs or newsletter subscriptions, which involve the collection and processing of personal data. However, it is crucial that these incentives are reasonable, as data protection authorities tend to view disproportionate incentives as potential bribes and disapprove of such practices.
Transparency requirements under the ICDPA
Controllers are obliged to provide consumers with clear and easily accessible information concerning the processing of their data. This information is typically presented on the company’s website through a privacy notice or policy. In compliance with the ICDPA, the provided information must include the following details:
- purpose(s) for processing personal data
- categories of personal data processed by the controller
- categories of personal data that the controller shares with third parties, if any
- categories of third parties with whom the controller shares personal data, if any
- how consumers may exercise their rights and/or appeal a controller’s decision (e.g. if a request for access is denied)
Statutes concerning third party contracts under the ICDPA
Controllers must establish contractual agreements with third-party processors that explicitly set out:
- instructions about processing personal data
- type(s) of data to be processed
- nature and purpose(s) of processing
- duration of processing
- retention, deletion, and access to personal data
- rights and duties of both entities, including subcontractor accountability
Is the universal opt-out signal included in the ICDPA?
Similar to the Virginia Consumer Data Protection Act (VCDPA), the Iowa Consumer Data Protection Act does not specifically mention the Global Privacy Control (GPC) or any other universal opt-out mechanism. In contrast, California’s laws do incorporate this signal, which aims to establish a standardized approach to user consent online. By using the GPC, consumers can set a single, unified set of personal data privacy preferences once.
These preferences are then communicated automatically to every website or app the user visits, eliminating the need to set new preferences on each site. Honoring this mechanism also assists in adhering to the consumer privacy laws applicable to each user, helping ensure compliance where those laws recognize the signal.
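As an added example (not code from the original article, and not Cookiebot’s or any other vendor’s product), the following shows how a site could honor the GPC signal described above on both the server and the browser side, and fold it into the “do not sell” decision a controller has to make under an opt-out model. It assumes the `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property defined by the GPC specification; the function names, the precedence rule between a stored choice and the signal, and the sample requests are constructed for this illustration.

```javascript
// Added example, not part of the original article or of any vendor's product.
// The `Sec-GPC` request header and the `navigator.globalPrivacyControl`
// property come from the Global Privacy Control specification; the function
// names, the precedence rule and the sample records below are constructed.

// Case-insensitive header lookup, because header maps from different servers
// and frameworks disagree on casing.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers || {})) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// Server side: the specification defines `Sec-GPC: 1` as the only value that
// expresses the signal. A missing header, "0", "true" or anything else is not
// a signal and must not be treated as one.
function hasGpcSignal(headers) {
  const value = headerValue(headers, 'sec-gpc');
  return typeof value === 'string' && value.trim() === '1';
}

// Browser side: the same preference is exposed to page scripts as
// navigator.globalPrivacyControl (strictly boolean true when enabled). The
// navigator object is passed in so the check can be exercised outside a browser.
function gpcEnabledInBrowser(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Resolve whether personal data from this request may be "sold" (in the ICDPA
// sense). An explicit opt-out the consumer made through the site's own
// mechanism is honoured first; the GPC signal is then treated as an opt-out;
// otherwise the opt-out model applies and the request is not opted out.
// Which of an explicit prior "allow" and a later GPC signal should win is a
// policy choice; this example lets the signal win (constructed assumption).
function resolveSaleOptOut(headers, storedChoice) {
  if (storedChoice === 'opt-out') return { optedOut: true, source: 'stored-choice' };
  if (hasGpcSignal(headers)) return { optedOut: true, source: 'gpc' };
  return { optedOut: false, source: storedChoice === 'allow' ? 'stored-choice' : 'default' };
}

// Constructed sample requests: headers as a server would see them, plus the
// choice (if any) previously recorded for that consumer.
const SAMPLE_REQUESTS = [
  { id: 'r1', headers: { 'Sec-GPC': '1', 'User-Agent': 'example' }, storedChoice: undefined },
  { id: 'r2', headers: { 'sec-gpc': '0' }, storedChoice: 'opt-out' },
  { id: 'r3', headers: {}, storedChoice: 'allow' },
  { id: 'r4', headers: { 'Sec-GPC': 'true' }, storedChoice: undefined },
];

// Returns the ids of requests whose personal data must be kept out of any sale.
function optedOutRequestIds(requests) {
  return requests
    .filter((r) => resolveSaleOptOut(r.headers, r.storedChoice).optedOut)
    .map((r) => r.id);
}

console.log(optedOutRequestIds(SAMPLE_REQUESTS)); // → [ 'r1', 'r2' ]
```

Because the ICDPA does not reference the signal, honoring it in Iowa is the controller’s own choice, whereas for users covered by a law such as California’s the same code path is what the law expects; the strict `'1'` check matters because loosely accepting other values would silently turn non-signals into opt-outs and make the consent record unreliable.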
Consequences of violating the Iowa data protection law
The enforcement authority for the ICDPA in Iowa lies solely with the Attorney General. It is important to highlight that the law does not grant consumers the ability to pursue private legal action (private right of action). However, consumers have the option to report suspected violations to the Attorney General’s office. In such cases, the Attorney General is required to provide written notice to the parties involved, listing the alleged violations.
Cure period and controller actions
Organizations under the ICDPA are granted a 90-day cure period, during which they have the opportunity to address and rectify any identified issues and implement measures to prevent future occurrences. This cure period is longer than cure periods typically provided by other states, where 30 days is commonly observed, although Connecticut allows for a 60-day cure period.
In addition to rectifying the violations, organizations found to have contravened the ICDPA must notify the Attorney General of the actions taken to remedy the situation. They must also provide a statement confirming their commitment to avoiding any future violations. Upon completing these steps and in the absence of any further issues, no further punitive action will be taken against them.
Financial implications of penalties
If, even after the cure period or after submitting their statement, the controller or any of their data processors continue to violate the Iowa data privacy regulation, the Attorney General has the authority to commence civil proceedings against them.
A controller or processor found to be in violation of Iowa’s data privacy regulation may face a fine of up to US $7,500 per violation. This maximum fine aligns with the fine stipulated by the California Privacy Rights Act (CPRA). The fines collected are directed towards the consumer education and litigation fund.
Tools to comply with the Iowa Consumer Data Protection Act
Iowa’s consumer privacy law follows the opt-out model, similar to other current state-level data privacy laws in the United States. Under this model, controllers are not required to obtain explicit user or data subject consent before collecting or processing personal data, including sensitive data, except when it comes to children’s personal data, which follows the federal COPPA law. In cases involving known children, the consent of a parent or guardian is necessary before any data collection or processing takes place.
Data subjects must be provided with the opportunity to opt out of data processing, such as the sale of personal data or targeted advertising, at any time. This information should be clearly stated on the website, typically within the privacy notice or policy page.
To facilitate the opt-out process, a mechanism can be implemented, such as a banner that is prominently displayed and includes a link or button. Consent management platforms (CMPs) like Cookiebot CMP can assist in automating the detection of cookies and other tracking technologies used on websites and apps. CMPs streamline the collection and provision of information to users regarding the categories of data being processed, specific services used by the controller and/or processor(s), and any third parties with whom data is shared. This notification is a requirement under Iowa’s privacy law, as well as many other data privacy regulations worldwide.
Due to the absence of a comprehensive federal data privacy law in the United States, companies operating across different states or with international jurisdictions may need to comply with multiple consumer privacy laws to safeguard data. CMPs can simplify this process by enabling customization and geotargeting of banners. Data processing, consent information, and choices specific to particular regulations can be presented based on the user’s geographical location. Geotargeting can also enhance clarity and user experience by presenting information in the user’s preferred language.
This enables compliance with the Iowa Consumer Data Protection Act, as well as the existing privacy laws in California and Virginia, along with the forthcoming ones in Connecticut, Colorado, and Utah. Moreover, for businesses engaged in international operations, employing a consent management platform facilitates adherence to regulations such as the GDPR, which impose stricter requirements for consent management compared to the US laws. This allows companies to achieve comprehensive data privacy compliance across multiple jurisdictions.
Getting ready for the Iowa Consumer Data Protection Act
Organizations conducting business in Iowa are given until 2025 to prepare for compliance with the ICDPA, although the preparation time is relatively shorter compared to other states and regions. Companies that have already established compliance with other state-level privacy laws will have less work to do. Adopting a privacy by design approach will benefit all aspects of an organization’s operations, regardless of regulatory requirements.
To achieve compliance, organizations need to understand the specific requirements of the Iowa law and have a solution in place to provide users with necessary notifications and opt-out options. Utilizing a consent management platform can facilitate this process.
It is worth noting that data privacy advocates have called for stronger regulations in Iowa, and similar to other state-level laws, updates to the ICDPA are likely in the future as these regulations are considered “version one.” However, unlike California, the ICDPA does not include a private right of action, meaning consumer class-action lawsuits will not directly influence future amendments to Iowa’s privacy law.
Consulting with qualified legal counsel or your organization’s data privacy expert is recommended to ensure compliance with responsibilities, even for regulations like Iowa’s that are perceived as “business-friendly.”
Going beyond mere compliance, taking proactive measures to protect user privacy is a valuable business endeavor. It fosters user trust and engagement, enhances user experiences, and strengthens long-term customer relationships, ultimately leading to higher quality data for marketing operations and increased revenue.
If you are looking for a solution to help you comply with the ICDPA or other data privacy laws around the world, try a free 14-day trial of Cookiebot CMP.
Usercentrics A/S (Cookiebot™) does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.