The Ultimate Guide to the Iowa Consumer Data Protection Act
On March 28, 2023, Iowa Governor Kim Reynolds signed the Iowa Consumer Data Protection Act (ICDPA) into law. The ICDPA is the sixth comprehensive state privacy law enacted in the US, joining those of California, Virginia, Colorado, Utah, and Connecticut.
The ICDPA contains several provisions common to the other state laws, such as privacy notice requirements, consumer rights, and conditions for processing sensitive data. However, it does not require data protection (privacy risk) assessments, and it does not extend rights to employees. Keep reading for a closer look at who the ICDPA applies to, what provisions it contains, and the penalties for non-compliance.
What is the Iowa Consumer Data Protection Act?
The Iowa Consumer Data Protection Act is the sixth comprehensive privacy law to be passed in the US. The ICDPA tracks more closely with the Utah Consumer Privacy Act (UCPA) than other US state laws and is considered to be more business-friendly than the California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (CDPA), Colorado Privacy Act (CPA), and the Connecticut Data Privacy Act (CTDPA).
What is the effective date of the ICDPA?
The ICDPA was signed into law on March 28, 2023 and takes effect on January 1, 2025.
Who does the ICDPA apply to?
The ICDPA applies to persons that conduct business in Iowa or that produce products or services targeted at Iowa residents and that, during a calendar year, meet either of the following thresholds:
- Control or process the personal data of at least 100,000 consumers, or
- Control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data
A "consumer" under the ICDPA is an Iowa resident acting in an individual or household context; individuals acting in a commercial or employment context are not covered. Additionally, the ICDPA has no stand-alone annual revenue threshold such as those found in California or Utah, so a business that meets the 100,000-consumer threshold is covered regardless of its revenue.
What types of data are covered by the ICDPA?
Personal data
Under the ICDPA, personal data is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.”
Within the definition of personal data, it is explicitly outlined that personal data does not include de-identified data, aggregate data, or publicly available information.
Sensitive data
The ICDPA defines a category of personal data that classifies certain types of information as sensitive data.
Types of information that fall under the definition of sensitive data include:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data processed for the purpose of uniquely identifying a natural person
- Personal data collected from a known child
- Precise geolocation data
The ICDPA also sets out conditions that controllers must meet before processing sensitive data (see "Processing sensitive data" below).
What consumer rights can be found under the ICDPA?
The consumer rights offered by the ICDPA are comparable to, albeit more limited than, those in other state privacy laws. There is no right to correct inaccurate personal data and no right to opt out of profiling, and controllers are not required to honor universal opt-out signals such as the Global Privacy Control (GPC). Controllers have 90 days to respond to a consumer request, with one possible 45-day extension where reasonably necessary.
Right to confirm processing and access
Consumers have the right to confirm whether a controller is processing their personal data and have the right to access this data.
Right to deletion
Consumers have the right to request that a controller delete their personal data. This right is limited to personal data that the consumer provided to the controller; it does not reach data the controller obtained from other sources.
Right to data portability
In limited circumstances, consumers can request a copy of their personal data be provided in “a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance.”
This right applies only to personal data the consumer previously provided to the controller, and only where the processing is carried out by automated means.
Right to opt out of sale
Consumers have the right to opt out of the sale of their personal data. Under the ICDPA, "sale" is defined as the exchange of personal data for monetary consideration by the controller to a third party. Because the definition is limited to monetary consideration, exchanges of personal data for other valuable consideration, which count as sales under the California, Colorado, and Connecticut laws, are not sales under the ICDPA.
The ICDPA also requires controllers to honor opt-outs of targeted advertising. This right is not listed in the consumer rights section (Section 3 of the bill), but it appears among the controller obligations: a controller that processes personal data for targeted advertising must clearly and conspicuously disclose that activity and the manner in which a consumer may opt out of it.
Right to non-discrimination
Like the right to opt out of targeted advertising, the right to non-discrimination is not listed in the consumer rights section of the ICDPA but appears among the duties imposed on controllers.
A controller may not discriminate against a consumer for exercising any of the consumer rights, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer.
Controller and processor obligations under the ICDPA
Privacy notice
Controllers are required to provide an accessible, clear, and meaningful privacy notice to consumers. Privacy notices under the ICDPA must include information relating to:
- The categories of personal data being processed
- The purpose for processing
- How consumers may exercise their rights
- How a consumer can appeal a controller's decision with regard to a consumer rights request
- The categories of personal data shared with third parties, if any
- The categories of third parties, if any, with whom personal data is shared
Controllers must also ensure that privacy notices contain secure and reliable means for consumers to submit a request to exercise their consumer rights.
Processing sensitive data
Unlike most other state privacy laws, which require opt-in consent before sensitive data is processed, the ICDPA takes a notice-and-opt-out approach. A controller may collect and process sensitive data provided it has first presented the consumer with a clear and accessible notice of that processing and an opportunity to opt out of it.
In instances where the sensitive data is that of a known child, businesses will have to ensure that processing is undertaken in accordance with the Children’s Online Privacy Protection Act (COPPA).
Data security
The ICDPA contains provisions requiring businesses that process personal information to adopt appropriate measures to ensure that information’s security. These include “reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.”
The law states that the methods implemented should be appropriate to the volume and nature of the personal data concerned.
Processor contracts
Controllers and processors are required to enter into a contract to govern how processors handle personal data on behalf of the controller.
The contract must clearly set out:
- The instructions for processing personal data
- The nature and purpose of processing
- The type of data subject to processing
- The duration of processing
- The rights and duties of both parties
Contracts should also include requirements to be placed upon the processor to:
- Ensure personal data is subject to a duty of confidentiality
- Delete or return all personal data to the controller at the controller's direction, unless retention of the personal data is required by law
- Make all information in the processor's possession that is necessary to demonstrate compliance with the law available to the controller
- Engage subcontractors only under a written contract that requires the subcontractor to meet the processor's obligations with respect to the personal data
ICDPA enforcement and penalties
Enforcement
The Iowa Attorney General will have the exclusive power to enforce the ICDPA and bring action against businesses that are found to be in violation of the law’s provisions.
Cure period
The ICDPA gives businesses a 90-day period in which to cure violations of the law's provisions after receiving written notice from the Attorney General. Unlike the cure periods in some other state laws (for example, Colorado and Connecticut, whose cure periods expire at the end of 2024), the ICDPA's cure period has no sunset clause.
Private right of action
There is no private right of action under the ICDPA.
Monetary penalties
Businesses found to be in violation of the ICDPA are liable for monetary penalties of up to $7,500 per violation.