Iowa Consumer Data Protection Act

Iowa became the sixth state in the United States to enact a consumer privacy law, which was passed on March 29, 2023.

Iowa Consumer Data Protection Act will take effect on January 1, 2025. The law provides organizations with two years to get ready for compliance.

While the ICDPA shares many similarities with other US state-level data privacy laws, it also presents a few important differences.

In this guide, we will cover everything you need to know about the ICDPA and what steps your business needs to take to prepare for compliance.

What Is the Iowa Consumer Data Protection Act?

The Iowa Consumer Data Protection Act (ICDPA) protects the privacy rights of residents of Iowa and establishes data privacy responsibilities for companies operating in the state or offering goods or services for Iowa residents.

Like other US states, Iowa defines a consumer as a resident or person living in the state and acting in an individual or household context and not in a commercial or employment context.

The ICDPA follows an opt-out approach, employed by other states that have enacted data privacy regulations. This means that businesses must inform consumers about the data they collect and process and must provide consumers with the option to decline data collection and processing. However, user consent for data collection and processing is not required.

The ICDPA is considered one of the most business-friendly data privacy laws among the state-level regulations, similar to privacy law of Utah (UCPA) and Texas (TDPSA).

Consumers’ rights under the Iowa Consumer Data Protection Act

Consumers have the following four main rights under the data protection law of Iowa:

• Right to access. Consumers have the right to know if the controller is processing the consumer’s personal data and access to that data, with some exceptions.
• Right to delete. Consumers have the right to ask for deletion of any personal data the controller has that was provided by the consumer.
• Right to portability. Consumers have the right to obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions.
• Right to opt-out. Consumers have the right to opt out of sale of their personal data.

The following rights are not included in the ICDPA, differently from other US state privacy laws:

• Right to correction.
• Right to opt out of automated decision-making.
• Right to opt out of profiling.

Note, that a consumer is considered a person, acting on a personal or household context only. A person, acting on a business or an employment context is not considered a consumer under the ICDPA.

Who Has to Comply with the Iowa Consumer Data Protection Act?

The Iowa Consumer Data Protection Act applies to businesses and organizations that meet the following two criteria:

1. Control or process the personal data of at least 100,000 Iowa consumers during a calendar year, or
2. Control or process the personal data of at least 25,000 Iowa consumers during a calendar year and derive more than 50% of their gross revenue from the sale of personal data.

Unlike other states, Iowa’s privacy regulation does not have a revenue threshold. This means that businesses of any size that meet one of the above-mentioned criteria must comply with the law.

Exemptions from the Iowa Consumer Data Protection Act

The following entities are exempt from complying with the Iowa Consumer Data Protection Act:

• The state or any political subdivision of the state.
• Persons subject to the Health Insurance Portability and Accountability Act (HIPAA).
• Persons subject to the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).
• Financial institutions, their affiliates, or data subjects under the federal Gramm-Leach-Bliley Act (GLBA).
• Nonprofit organizations.
• Institutions of higher education.

Enforcement of the Iowa Consumer Data Protection Act

The Iowa Attorney General has the exclusive authority to enforce the Iowa Consumer Data Protection Act.

In the case of suspected violation of the law, the Attorney General must send the controller or processor a written notice identifying which parts of the ICDPA they allegedly violated.

Entities must cure the violations within 90 days and reply via a written statement to the Attorney General stating that no further infringements shall occur.

If approved, the Attorney General will not take any negative actions against the controller or processor. However, if the infractions are not cured during the 90-days period, the Attorney General does not receive a written statement, or further violations occur, businesses should expect to get fined.

Fines and Penalties Under the ICDPA

Data controllers or processors who fail to comply with the Iowa Consumer Data Protection Act may get fined for up to $7,500 per violation.

The attorney general will then add the money collected to the consumer education and litigation fund.

Use CookieScript Consent Management Platform (CMP) to comply with the ICDPA and avoid fines.

How to Comply with The Iowa Data Privacy Act?

Businesses should follow these advices to comply with The Iowa Data Privacy Act:

Notify consumers of their rights

Businesses must notify consumers of their rights and provide ways that consumers can exercise those rights by submitting a verifiable request to the company. The most common way to notify consumers of their rights is through the Privacy Policy on their website and a Cookie Banner.

After a consumer request is received, the controller has 90 days to respond to it. In some cases, once the consumer has been notified, that response period can be extended by 45 days if reasonably necessary.

Consent requirements

Like other US states that have passed privacy laws, the ICDPA follows an opt-out approach, which means that user consent is not required before collecting and processing personal data.

However, consumers must have the possibility to opt out of sale of their personal data.

Consent from any known child’s parent or guardian must be obtained before processing of any personal data of a child. A child is considered any user under 13 years of age.

Note, that the Iowa Consumer Data Protection Act does not make any reference to the Global Privacy Control (GPC) or other opt-out mechanism.

Update your Privacy Policy

Controllers must clearly inform consumers about their data processing. This could be done through a cookie notice or Privacy Policy on the company’s website.

The Iowa Consumer Data Protection Act requires controllers to have a Privacy Policy in place that meets several specific guidelines, including:

• Purpose for processing personal data.
• Categories of personal data processed by the controller.
• Categories of personal data that the controller shares with third parties, if any.
• Categories of third parties with whom the controller shares personal data, if any.
• Means for consumers to exercise their rights and/or appeal a controller’s decision.
• If a business sells personal data to any third parties or engages in targeted advertising, all this information must be clearly disclosed. Businesses must provide means for opting out of these activities.
• Secure and reliable means for consumers to submit requests to exercise their rights.

Legal basis for data processing

Controllers can collect and process personal data of Iowa consumers if it meets specific guidelines outlined by Iowa’s data privacy law.

These guidelines include collecting data that:

• Is reasonably necessary and proportional to those purposes.
• Is adequate, relevant, and limited to what is necessary to specific purposes.
• Evaluates the nature and purpose of such collection, use, or retention.
• Is subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data.

Purpose limitation

Controllers can process personal data for the purpose(s) that they have to ask when collecting the data, as long as the processing is “reasonably necessary” (relevant and limited) and proportional to those purposes.

Nondiscrimination

Controllers must not discriminate against consumers for exercising their rights. For example, a consumer cannot be prevented from accessing a website if they opt out of allowing the sale or collection of personal data.

However, there are some website features or functions that will not work without certain cookies being active. If a consumer does not opt in to their use because, the site may not work optimally. This is not considered discriminatory.

Controllers can offer voluntary incentives like discounts for consumers’ voluntary participation in operations, where their personal data is collected. Such offers have to be reasonable and proportional in scale.

Third-party contracts

Controllers must have contracts in place with third-party processors including the following information:

• Instructions about processing personal data.
• Types of data being processed.
• Nature and purpose of processing.
• Duration of keeping the personal data.
• Retention, deletion, and access to personal data.
• Rights and duties of both entities, including subcontractor accountability.

Controllers must ensure that third-party processors are under a written contract that meets all of the standards outlined by the Iowa data privacy law.

Data security

Data controllers must protect the “confidentiality, integrity and availability” of personal data by implementing reasonable “administrative, technical, and physical” data security measures. These measures should be appropriate to the nature and volume of personal data being processed.

Different from other privacy laws of such kind, the ICDPA does not require organizations to have data protection operations or to perform data protection impact assessments.

Use a Consent Management Platform (CMP) to Comply with the ICDPA

A CMP enables to comply with the ICDPA through cookie banner customization and geo-targeting. geo-targeting allows data collection and processing, cookie consent information, and choices for regulations based on specific user location.

CookieScript CMP is the CMP, that was recently ranked as the best CMP on G2. It has the following functionalities:

• geo-targeting. You can specifically target the consumers of Iowa with the geo-targeting functionality.
• Google-certified CMP. CookieScript is a Google-certified CMP partner and comes with a full IAB TCF v2.2 integration.
• Supports Google Consent Mode v2. If you want to use Google services (GA4, Google Ads, gtag, and Google Tag Manager) in the EU or EEA, you need to use a Google-certified CMP.
• Local Storage and Session Storage scanning and blocking. GDPR and other privacy laws require blocking of cookies, Local Storage and Session Storage until user consent is given. However, majority of CMPs do not offer this functionality. CookieScript blocks both Local Storagge and Session Storage.
  
• Multiple integrations. CookieScript CMP integrates easily with Google services automatically via Google Tag Manager, so you could use Google advertisement products easily. The CookieScript CMP is also integrated with other platforms, including content management systems such as Drupal, Magento, Shopify, WordPress, PrestaShop, etc., and analytics platforms, including Google Analytics 4.
• Fully customizable. CookieScript CMP allows Cookie Banner behavior adjustments, and design customization, and has a self-hosted code option.

Frequently Asked Questions

What is the Iowa Consumer Data Protection Act?

The Iowa Consumer Data Protection Act (ICDPA) protects the privacy rights of residents of Iowa and establishes data privacy responsibilities for companies operating in the state or offering goods or services for Iowa residents. The ICDPA follows an opt-out approach, meaning that businesses must inform consumers about the data they collect and process, but user consent for data collection and processing is not required. Use CookieScript CMP to comply with the ICDPA.

Who has to comply with the Iowa Consumer Data Protection Act?

The Iowa Consumer Data Protection Act applies to businesses and organizations that meet the following two criteria: control or process the personal data of at least 100,000 Iowa consumers during a calendar year, or control or process the personal data of at least 25,000 Iowa consumers during a calendar year and derive more than 50% of their gross revenue from the sale of personal data. CookieScript CMP can help you to comply with the ICDPA.

How to comply with the Iowa Consumer Data Privacy Act?

To comply with the ICDPA, follow these advices: notify consumers of their rights, respect user consent requirements, update your privacy policy, have a legal basis for data processing and third-party contracts, and employ purpose limitation and non-discrimination. Use a Consent Management Platform (CMP) to Comply with the ICDPA. CookieScript CMP is the CMP, that was recently ranked as the best CMP on G2.

Does the Iowa Consumer Data Protection Act respect the Global Privacy Control signal?

The Iowa Consumer Data Protection Act does not make any reference to the Global Privacy Control (GPC) or other opt-out mechanism. User consent for data collection and processing is also not required. However, businesses must inform consumers about the data they collect and process and must provide consumers with the means to opt out of the data processing.

What is the age for children under the Iowa Consumer Data Protection Act?

Under the Iowa Consumer Data Protection Act, children are below the age of 13 years. Before processing children's sensitive data, businesses must obtain verifiable parental consent. Use CookieScript CMP to get and store valid cookie consent from consumers of Iowa.