Iowa

Summary

Law: An Act relating to consumer data protection (ICDPA)

Regulator: The Iowa Attorney General (AG)

Summary: On March 28, 2023, the Iowa State Governor signed the Act relating to consumer data protection (ICDPA), which will enter into effect on January 1, 2025. The ICDPA introduces obligations for data controllers and processors, including disclosure and vendor management requirements. It also establishes new consumer rights, such as the rights to access, to deletion, to be informed (confirmation), and to opt out of targeted advertising and the sale of personal data. However, the ICDPA does not provide for the right to rectification of personal data or the right not to be subject to automated decision-making. Furthermore, the ICDPA provides the Iowa Attorney General (AG) with enforcement powers but does not provide a private right of action.

In addition, under §715C.1 et seq. of Title XVI of the Iowa Code, there is a requirement to notify personal data breaches of both electronic and paper records to affected consumers as well as to the AG when the information of more than 500 residents is breached.

Other applicable privacy statutes in Iowa are sector-specific, such as the Iowa Student Online Personal Information Protection Act and the Iowa Health Information Network Act.

You can follow legislative developments in the US through the USA State Law Tracker.

Insights

Senate File 262 for An Act relating to consumer data protection (ICDPA) was signed by Governor of Iowa, Kim Reynolds, on March 28, 2023, following its passage by the State Senate and House of Representatives.

The ICDPA introduces obligations for data controllers and duties for data processors, as well as consumer rights, and will enter into effect on January 1, 2025.

On 29 March 2023, Iowa became the sixth state to pass a comprehensive data privacy law (in line behind Connecticut, Utah, Virginia, Colorado, and California). The Iowa Consumer Data Protection Act ('ICDPA') will go into effect on 1 January 2025. While some elements will be familiar from other state laws that came before it (the law is most similar to that enacted recently in Utah), there is still a lot that you need to do!

What are the key things for businesses to focus on if they are already CCPA compliant or compliant with another state privacy program? What about for businesses who are not yet compliant with any state-specific privacy regulations?

Odia Kagan and Melanie Notari, from Fox Rothschild LLP, provide an overview of some of the ICDPA's provisions and take a look at what needs to be considered in order to comply with the law.

Senate File 262 for An Act relating to consumer data protection ('the Act') was introduced, on 23 January 2023, to the Iowa State Senate. In particular, the Act has passed both the State Senate and the House of Representatives, and was signed by the Governor of Iowa, Kim Reynolds, on 28 March 2023. The Act introduces obligations for data controllers and duties for data processors, as well as consumer rights, and will enter into effect on 1 January 2025. OneTrust DataGuidance breaks down the key provisions of the Act.