Iowa
Iowa Consumer Data Protection Act (ICDPA)
| Passed | March 28, 2023 |
| Effective Date | January 1, 2025 |
| Who it applies to |
Businesses that (1) control or process personal data of at least 100,000 Iowa residents; or (2) derive over 50% of revenue from selling the personal data of at least 25,000 Iowa residents. Exempt entities include government agencies, as well as financial institutions subject to the Gramm-Leach-Bliley Act (GLBA). |
| Penalties | Up to $7,500 per violation |
What’s notable about it:
Iowa’s ICDPA is most similar to Utah’s UCPA, and both are toward the weaker end of the comprehensive privacy law spectrum. But Iowa’s law applies more broadly than Utah’s, and requires businesses to keep a slightly tighter grip on their vendors (or “processors”). So copy and pasting your compliance program across both states might not work.
The Strict Spectrum