Iowa
Iowa Consumer Data Protection Act (ICDPA)
Passed | March 29, 2023 |
Effective Date | January 1, 2025 |
Who it applies to |
Businesses that (1) control or process personal data of at least 100,000 Iowa residents; or (2) derive over 50% of revenue from selling the personal data of at least 25,000 Iowa residents. Exempt entities include government agencies, as well as financial institutions subject to the Gramm-Leach-Bliley Act (GLBA). |
Penalties | Up to $7,500 per violation |
What’s notable about it:
Iowa’s ICDPA is often compared to Utah’s UCPA, as both laws are toward the weaker end of the comprehensive privacy law spectrum. However, Iowa's law applies more broadly than Utah's and places slightly more responsibility on businesses to manage their vendors or processors, meaning compliance programs for one state may not seamlessly work across both.
One of the key features of Iowa’s law is its lack of certain consumer rights that are typically found in other state privacy laws. For instance, it does not provide consumers with the right to correct their data, nor does it allow them to opt out of processing for targeted advertising and profiling. These omissions make Iowa’s law less expensive compared to other state laws that include a broader array of consumer rights. Despite this, Iowa’s law does mandate businesses to offer an opt-out mechanism for data sales, which is still a significant consumer right. The law is also noteworthy due to its high thresholds for applicability, including the volume of data processed and the revenue derived from data sales. Although narrower in its scope, Iowa's law represents a different approach to balancing consumer rights and business obligations, particularly focusing on access and deletion rights over more comprehensive privacy protections.