
What You Need To Know About Iowa’s New Data Privacy Law

Jasmine Sharma, December 16, 2024

Iowa is stepping into the world of data privacy with the Iowa Consumer Data Protection Act (ICDPA), which takes effect on January 1, 2025. The law brings Iowa in line with other states that have enacted privacy protections, but with its own set of provisions and limitations.

Signed into law on March 29, 2023, the ICDPA made Iowa the sixth state to enact a comprehensive data privacy law. It’s similar to the Utah Consumer Privacy Act (UCPA), which is widely regarded as more business-friendly and less stringent in comparison to, for example, California or Colorado’s privacy laws.

With a wave of new laws coming into effect this January, it has never been more important to stay ahead of the curve and protect your business from hefty fines and reputational damage. Here is a breakdown of what you need to know about Iowa's law and how it will affect your operations.

Understanding the ICDPA | Scope of Application | Rights Granted to Consumers | Key Obligations for Businesses Under Iowa’s Privacy Law | Enforcement of The ICDPA | How DataGrail Can Help

Understanding the ICDPA

The Iowa Consumer Data Protection Act (ICDPA) is designed to protect the personal data of Iowa residents. Businesses subject to the ICDPA must notify consumers about the data they collect and how they process it, offer consumers a way to opt out of the sale of their personal data, and maintain certain protections for the data they hold.

Iowa's law stands out because it omits certain consumer rights, such as the right to correct data and the right to opt out of targeted advertising and profiling. This makes it less expansive than other states' laws, since it focuses on giving consumers the right to access and delete their data. Still, it introduces essential requirements that businesses need to be aware of.

Scope of Application

The ICDPA applies to businesses that:

  1. Control or process personal data of at least 100,000 Iowa residents; or
  2. Control or process personal data of at least 25,000 Iowa residents and derive more than 50% of their revenue from the sale of personal data.

These thresholds capture a broad range of companies, but they are clear-cut: a smaller company that meets neither threshold is not subject to the law.

There are also several exemptions. The ICDPA does not apply to government agencies, to entities subject to the Gramm-Leach-Bliley Act (such as financial institutions), or to organizations governed by HIPAA or the Health Information Technology for Economic and Clinical Health (HITECH) Act. Nonprofit organizations and institutions of higher education are also excluded from its requirements.

Rights Granted to Consumers

Despite its narrower focus, the ICDPA still requires businesses to give Iowa residents a few essential rights:

  1. Right to Access: Iowa residents have the right to confirm whether a business (or “controller”) is processing their personal data and to access that data. Businesses must provide a way for residents to learn what personal data is held about them.
  2. Right to Delete: Consumers can request the deletion of personal data they have provided to a controller. This right is narrower than under Connecticut's and Colorado's privacy laws, which also cover data collected from other sources. Iowa's law covers only data the consumer provided directly.
  3. Right to Data Portability: Iowa residents can request a copy of the personal data they have provided to a controller. Where the processing is carried out by automated means, the data must be delivered in a portable and readily usable format that lets the consumer transfer it to another entity without obstacles. Exceptions apply for data protected under security breach laws and for data already provided in a compliant format. As under Virginia's privacy law, this right covers only data the consumer provided directly.
  4. Right to Opt Out of Data Sales: Iowa residents can opt out of the sale of their personal data. A “sale” is the exchange of personal data for monetary consideration, but it excludes certain disclosures, such as:
    • Transfers to processors
    • Disclosures made to fulfill a consumer’s request
    • Publicly shared data
    • Internal transfers, such as those occurring during mergers and acquisitions
    • Pseudonymous data (data that cannot be linked to an individual without additional information). 

Unlike Colorado, Connecticut, Virginia, and Utah, Iowa explicitly carves pseudonymous data out of this opt-out right.

While the ICDPA provides foundational privacy rights, it omits certain protections found in other state laws: 

  1. No Right to Correction: Unlike California's CCPA or Virginia's CDPA, the ICDPA does not grant consumers the right to correct inaccurate personal data.
  2. No Opt-Out for Targeted Ads or Profiling: Consumers cannot opt out of processing for targeted advertising or profiling, even where the profiling produces legal or similarly significant effects (for example, in automated decision-making).

These omissions place Iowa’s law on the less strict end of the privacy spectrum, especially when compared to states that offer more comprehensive consumer rights. Still, there are a few key obligations that businesses need to be aware of.

Key Obligations for Businesses Under Iowa’s Privacy Law

Businesses subject to the ICDPA must comply with several key obligations:

Controllers’ Responsibilities 

Controllers—those who determine the purposes and means of processing personal data—are required to:

  1. Privacy Notices: Provide a clear and conspicuous privacy notice to Iowa residents explaining what personal data is collected, how it is used, shared, and sold, the categories of personal data shared with third parties, and the categories of those third parties.
  2. Notice and Opt-Out for Sensitive Data: Before processing sensitive data, give the consumer clear notice and an opportunity to opt out of that processing. This is a notable departure from most other state privacy laws, which require affirmative opt-in consent for sensitive data; Iowa uses an opt-out model instead. Sensitive data concerning a known child must be processed in accordance with COPPA (the Children's Online Privacy Protection Act).
  3. Data Minimization: Limit the personal data collected to what is necessary for the specific purpose disclosed to the consumer, in line with the principle of data minimization.
  4. Data Security: Maintain reasonable security practices so that personal data is handled and stored securely and protected from unauthorized access and breaches.
  5. Vendor and Processor Management: The ICDPA does not go as far as some other laws, which require formal risk assessments, but it does oblige controllers to manage their third-party vendors and processors, through contracts, so that processing stays compliant with the law.
  6. Opt-Out Mechanism: Provide a mechanism for consumers to opt out of the sale of their personal data, and honor those requests. There is no opt-out for targeted advertising or profiling.

Processors’ Responsibilities

Processors—those who handle personal data on behalf of controllers—are required to:

  1. Assist with Consumer Requests: Help controllers respond to consumer requests, including access, deletion, and opt-out.
  2. Data Security: Implement technical and operational measures to secure personal data.
  3. Compliance with Data Breach Notifications: Notify the controller promptly in the event of a data breach.
  4. Data Processing Contracts: Adhere to the terms of the contract established by the controller, ensuring that processing is performed according to the controller’s instructions.

Even so, businesses may find that compliance programs built for other states do not map cleanly onto the ICDPA. Iowa's law takes a more business-friendly approach, especially in the absence of requirements such as risk assessments or opt-in consent management for sensitive data.

The ICDPA also differs from most other state laws in the timeline for responding to data subject access requests (DSARs). Businesses must respond to consumer requests within 90 days. If the request is complex or the consumer has submitted multiple requests, an additional 45 days may be taken, provided the consumer is informed of the extension within the initial 90-day period.

Enforcement of The ICDPA

The ICDPA is more lenient than many other state laws because it offers a permanent 90-day “cure period” for businesses found in violation. Other states typically provide shorter cure periods, or cure periods that expire after an initial transition period. Because Iowa's cure period never sunsets, the law is generally considered more pro-business than other state data privacy laws.

The Iowa Attorney General has exclusive authority to enforce the ICDPA. The law grants consumers no private right of action, so they cannot sue businesses directly for violations; enforcement will be led by the Attorney General, and is likely to be reactive, with the Attorney General investigating potential violations as they come to light.

If the Attorney General finds that a company is in violation of the ICDPA, penalties can be as high as $7,500 per violation. If the controller or processor remedies the identified violation within the 90-day period and submits a written statement confirming that the violation has been corrected and will not recur, no further action will be taken. However, if the violation is not addressed, the business may face a hefty fine for each infraction.

How DataGrail Can Help

Navigating the intricacies of state privacy laws, like the Iowa Consumer Data Protection Act, can be challenging for businesses. That’s where we come in.

Our privacy management platform helps businesses comply with evolving data privacy laws, including the ICDPA. With DataGrail, companies can:

  1. Automate privacy rights requests such as access, deletion, and opt-out, ensuring they meet the deadlines outlined in Iowa’s law.
  2. Generate privacy notices that comply with the law’s transparency requirements.
  3. Manage vendor relationships to ensure third-party compliance with data handling obligations.

Our Request Manager can help organizations comply with the ICDPA by automating and streamlining the process of handling data subject access requests (DSARs), data deletion requests, and opt-out requests—all key requirements under Iowa’s law and other data privacy regulations like CCPA and GDPR.

By leveraging DataGrail’s platform, businesses can stay ahead of privacy regulations and minimize risk, allowing them to focus on what really matters: building trust with their customers.

Request a demo here.   

Iowa’s new privacy law introduces a set of straightforward but essential data privacy requirements that businesses must comply with by January 1, 2025. While it doesn’t grant the same broad rights to consumers as other states, it still provides transparency and control over the sale of personal data. For businesses, the key to compliance lies in offering privacy notices, respecting consumer opt-out requests, and managing data securely and responsibly.

As more states roll out their own privacy regulations, staying on top of these laws will be crucial. Four other states (Delaware, Nebraska, New Hampshire, and New Jersey) are joining the wave of privacy laws taking effect in the U.S. in January 2025. With tools like DataGrail, businesses can streamline their compliance processes and remain agile in an ever-evolving privacy landscape. Check out our Guide to State Privacy Laws for a breakdown of each of these laws' key components and how they affect your business.

For questions, please reach out directly to your CSM or email [email protected]. If you would like a demo of the DataGrail platform, reach out to us here.
