Iowa's Consumer Data Protection Act


In March 2023, Iowa became the sixth US state to pass its own comprehensive data privacy legislation. It is also the first Midwestern state to pass such a law. After being approved unanimously by both the state house and senate in a matter of weeks, the new law is yet another signal that data privacy is gaining momentum as a priority for lawmakers.

Known informally as the Consumer Data Protection Act, Iowa’s privacy law is based closely on its Virginia counterpart, with a few important distinctions. Here’s a quick introduction to its key features.

When Does the Law Go Into Effect?

Iowa’s Consumer Data Protection Act goes into effect on January 1, 2025.

Which Businesses Does It Apply To?

Iowa’s privacy law applies to any for-profit entity that does business within the state, as long as at least one of the following conditions applies:

  • It controls or processes the personal data of at least 100,000 consumers (state residents) per year, OR
  • It controls or processes the personal data of at least 25,000 consumers per year AND derives over 50% of its gross revenue from the sale of personal data

Businesses should keep in mind that, as with other data privacy laws, they are likely processing personal data about all of their website visitors. If you get more than 8,400 unique visitors per month, the law likely applies.

What Are the Key Obligations for Businesses?

The overarching requirements imposed by the Iowa Consumer Data Protection Act are similar to those of other state privacy laws. These obligations can be broken broadly into three categories:

  • Data Minimization - Businesses must restrict their collection and use of personal data to what is necessary and proportionate to their purposes.
  • Privacy Notices - Businesses must describe how they collect and use personal data by disclosing information such as the categories of personal data processed, the purposes for processing, and categories of third parties that receive that personal data.
  • Privacy Rights - Consumers have a new set of privacy rights that translate into various privacy requests they can make to businesses.

What Privacy Rights Are Included?

Iowa consumers will now have the following privacy rights:

  • Right to Access - Consumers can request access to any personal data a business has collected about them.
  • Right to Delete - Upon request, businesses must delete any personal data they have collected about a consumer (subject to some important exceptions).
  • Right to Opt Out - Businesses must allow consumers to opt out of targeted advertising, the processing of sensitive data, and the sale of their personal data.
  • Right to Non-discrimination - Businesses may not discriminate against consumers who have exercised their privacy rights, such as by charging a different price or offering a different quality of service. However, there are broad exceptions for customer loyalty and rewards programs when a consumer exercises their right to opt out.

How Much Do Violations Cost?

Businesses face civil fines of up to $7,500 per violation.

Is There a Private Right of Action?

There is no private right of action for Iowa consumers, meaning they cannot sue businesses over violations.

How Is Iowa’s Privacy Law Different from Laws in Other States?

While most of the new generation of data privacy laws share many common features, none of them are identical. Iowa’s privacy law differs from those of other states in ways that are generally more permissive. These differences include:

  • Opt-Outs for Sensitive Data - Before processing sensitive data such as protected characteristics, geolocation data, and personal data from children, Iowa’s law requires businesses to give notice and a chance to opt out. This is in contrast to the consent requirement in other laws.
  • Data Protection Assessments - Iowa does not require businesses to complete a data protection assessment.
  • Right to Correct - Iowa’s privacy law does not give consumers the right to correct inaccurate personal data.
  • No Appeals Process - While other laws require that businesses offer consumers a way to appeal any denial of a privacy request, Iowa’s law has no such requirement.

This is far from a full list, but it gives a general idea of how the Iowa law differs from others.

Manage Compliance Across Multiple States

In the absence of a federal privacy law, privacy compliance in the US is steadily getting more complicated. Managing half a dozen or more different laws is a tall order for many small and medium-sized businesses. Miscalculation can lead to expensive fines or, on the other end, overcompliance that results in missed marketing opportunities.

TrueVault US is an attorney-designed software product that helps businesses comply with privacy laws from across the country. Through guided questions and automated workflows, you can get your business compliant in as little as a few hours and be ready to respond to any privacy request.

To learn more about how TrueVault US works, contact our team today.
