This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
header image


Iowa Consumer Data Protection Act (ICDPA)

Passed March 28, 2023
Effective Date January 1, 2025
Who it applies to

Businesses that (1) control or process personal data of at least 100,000 Iowa residents; or (2) derive over 50% of revenue from selling the personal data of at least 25,000 Iowa residents. Exempt entities include government agencies, as well as financial institutions subject to the Gramm-Leach-Bliley Act (GLBA).

Penalties Up to $7,500 per violation

What’s notable about it:

Iowa’s ICDPA is most similar to Utah’s UCPA, and both are toward the weaker end of the comprehensive privacy law spectrum. But Iowa’s law applies more broadly than Utah’s, and requires businesses to keep a slightly tighter grip on their vendors (or “processors”). So copy and pasting your compliance program across both states might not work.

The Strict Spectrum

Less Strict