
Iowa Consumer Data Protection Act (ICDPA)

Last updated: February 7, 2025

The Iowa Consumer Data Protection Act (ICDPA), effective January 1, 2025, was signed into law by Governor Kim Reynolds in March 2023. The ICDPA grants Iowa residents essential privacy rights, including the rights to access, delete, and obtain copies of personal data. Businesses must meet obligations such as providing clear privacy disclosures and implementing robust data protection measures.


Key definitions in the ICDPA

Understanding the terminology used in the Iowa Consumer Data Protection Act is essential for compliance. Here are some critical definitions, as outlined in section 1 of the ICDPA:

  • Personal data: Information that identifies, relates to, or could reasonably be linked to an individual, excluding publicly available information.
  • Sensitive data: Includes personal data revealing racial or ethnic origin, religious beliefs, health information, and precise geolocation.
  • Processing: Any operation performed on personal data, such as collection, use, storage, or dissemination.
  • Controller: An entity determining the purpose and means of processing personal data.
  • Processor: An entity processing personal data on behalf of a controller.

Who does the ICDPA apply to?

The ICDPA applies to businesses that:

  • Process the personal data of 100,000 or more Iowa residents annually; or
  • Derive over 50% of their revenue from selling personal data and process data of at least 25,000 consumers.

“Consumer” means a natural person who is a resident of the state acting only in an individual or household context and excluding a natural person acting in a commercial or employment context.

Section 1 of the ICDPA

Who is exempt from the ICDPA?

The Iowa Consumer Data Protection Act (ICDPA) exempts government entities, nonprofits, financial institutions under GLBA, HIPAA-covered entities, and educational institutions under FERPA. It also excludes data regulated by federal laws like FCRA and de-identified or employment-related data. Businesses should review exemptions closely.

Key provisions of the ICDPA

1. Consumer rights

Consumer rights are detailed in Section 715D.3 of the ICDPA. The law grants Iowa residents these critical rights:

  • Right to access: Consumers can confirm if a business processes their personal data and access that data.
  • Right to delete: Consumers can request deletion of personal data they provided.
  • Right to data portability: Consumers can obtain a copy of their personal data in a portable format.
  • Right to opt out of data sales: Consumers can opt out of the sale of their personal data.

2. Missing rights compared to other state laws

  • No right to correct inaccuracies: The ICDPA does not provide consumers the right to correct inaccurate personal data. This contrasts with laws in California, Colorado, Connecticut, and Virginia, for instance.
  • No right to opt out of profiling or targeted advertising: The ICDPA does not grant consumers the right to opt out of profiling used to make significant decisions affecting them. Other states, like Colorado and Virginia, offer this right.
  • No private right of action: Unlike some other state privacy laws, the ICDPA does not allow consumers to sue businesses directly. Enforcement lies with the Iowa Attorney General.

Is the ICDPA opt-in or opt-out?

The Iowa Consumer Data Protection Act (ICDPA) follows an opt-out model. While it requires businesses to provide an opt-out option for the sale of personal data, it does not explicitly address the right to opt out of targeted advertising. However, businesses must clearly disclose any use of personal data for targeted advertising and provide a means for consumers to opt out. 

For sensitive data processing, the ICDPA does not require opt-in consent. Instead, businesses must provide clear notice and allow consumers to opt out if they don’t want their sensitive data processed.

Requirements for businesses under the ICDPA

The Iowa Consumer Data Protection Act (ICDPA) outlines specific requirements for businesses in several key sections, including Section 715D.3, Section 715D.4, Section 715D.5 and Section 715D.6.

To comply with the ICDPA, businesses must meet the following requirements:

  1. Provide transparency: Offer a clear privacy notice explaining data collection, usage, and opt-out options.
  2. Ensure data security: Use reasonable measures to protect personal data.
  3. Respect consumer rights: Allow access, deletion, data portability, and opt-out of data sales.
  4. Handle sensitive data: Provide notice and allow opt-out for sensitive data processing.
  5. Maintain contracts: Establish data protection agreements with service providers.
  6. Avoid discrimination: Ensure equal service regardless of consumers exercising their rights.

Penalties for non-compliance

The ICDPA is enforced by the Iowa Attorney General. Key enforcement details include:

  • Fines: Violations may result in penalties of up to $7,500 per violation.
  • 90-Day Cure Period: Businesses are given 90 days to address and rectify any alleged violations before penalties are imposed.

The Attorney General can seek reimbursement for investigation and litigation costs if businesses fail to comply after the cure period.

Failing to meet the ICDPA’s requirements can result in significant financial and reputational damage.

The impact of the ICDPA on businesses

The ICDPA introduces both opportunities and challenges for businesses:

  • Increased compliance costs: Companies will need to invest in tools, personnel, and processes to meet the new requirements.
  • Focus on transparency: Privacy policies and notices will require updates to comply with the law’s stringent disclosure standards.
  • Operational changes: Businesses must implement processes for handling consumer rights requests efficiently, including data access, deletion, and portability.
  • Enhanced consumer trust: By complying with the ICDPA, businesses can demonstrate their commitment to data privacy, fostering stronger relationships with consumers.

The impact of the ICDPA on consumers

For Iowa residents, the ICDPA is a significant step toward safeguarding personal information. The Iowa Consumer Data Protection Act (ICDPA) impacts consumers by granting some data privacy rights while limiting others.

Consumer benefits

  • Data access and control: consumers can access, delete, and obtain copies of their personal data.
  • Opt-out of data sales: consumers can stop businesses from selling their personal data.
  • Transparency: businesses must disclose data collection and usage practices.

Consumer limitations

  • No right to correct data: consumers cannot request corrections to inaccurate personal data.
  • No explicit opt-out for profiling or targeted advertising: these protections are not provided.

The ICDPA strengthens consumer privacy but lacks certain rights found in stricter state privacy laws.

How does the ICDPA compare to other data privacy laws?

The ICDPA shares similarities with laws like the Virginia Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (CPA) but also has distinct features.

| State | Scope | Effective Date | Key Features | Penalties for Non-Compliance |
|---|---|---|---|---|
| Connecticut (CTDPA) | Connecticut residents | July 1, 2023 | Similar to GDPR; right to access and correct data | $5,000 per violation |
| Colorado (CPA) | Colorado residents | July 1, 2023 | Opt-out for targeted advertising; sensitive data consent | Up to $20,000 per violation |
| California (CCPA/CPRA) | California residents | January 1, 2023 | Right to access, delete, opt-out; data protection assessments | Up to $7,500 per violation |
| Iowa (ICDPA) | Iowa residents | January 1, 2025 | Data protection, opt-out of data sharing | Up to $7,500 per violation |
| Nebraska (NDPA) | Nebraska residents | January 1, 2025 | Privacy protections, consent requirements | Up to $7,500 per violation |
| Delaware (DPDPA) | Delaware residents | January 1, 2025 | Data privacy, consumer rights protections | Up to $10,000 per violation |
| New Hampshire (NHPA) | New Hampshire residents | January 1, 2025 | Privacy protections, opt-in requirements | Up to $10,000 per violation |
| New Jersey (NJDPL) | New Jersey residents | January 15, 2025 | Data protection laws, breach notifications | Up to $7,500 per violation |
| Tennessee (TIPA) | Tennessee residents | July 1, 2025 | Data privacy rights, consent management | Up to $7,500 per violation |
| Minnesota (MCDPA) | Minnesota residents | July 31, 2025 | Consumer data rights, opt-out options | TBD |
| Maryland (MODPA) | Maryland residents | October 1, 2025 | Online data privacy, consent requirements | Up to $10,000 for each violation |

What makes the ICDPA stand out?

The Iowa Consumer Data Protection Act (ICDPA) is unique due to its approach to consumer rights and sensitive data processing. While it grants consumers the rights to access, delete, and obtain copies of personal data, it does not provide the right to correct inaccuracies or allow them to opt out of profiling or targeted advertising, limiting consumer control compared to other privacy laws.

For sensitive data processing, the ICDPA does not require opt-in consent. Instead, businesses must provide clear notice and give consumers the option to opt out, shifting responsibility to consumers to act if they object. This balance between privacy protection and business compliance makes the ICDPA less restrictive than other state privacy laws.

How Ketch can help with ICDPA compliance

Staying compliant with the ICDPA and other state privacy laws doesn’t have to be overwhelming. The Ketch Data Permissioning Platform simplifies compliance with features like:

  • Automated data mapping: Know exactly what data you process and why.
  • Centralized consent management: Handle consent for sensitive data with ease.
  • Dynamic privacy templates: Customize privacy notices and policies for Iowa and beyond.

Final thoughts on the ICDPA

The Iowa Consumer Data Protection Act represents a significant shift in how businesses operating in Iowa must manage personal data. By taking proactive steps toward compliance, you can not only avoid penalties but also build trust with your customers.

Ready to streamline compliance for Iowa and other jurisdictions? Contact Ketch today and future-proof your privacy strategy.

Read further: 2025 U.S. State Privacy Laws: what you need to know

FAQs


  1. Does the ICDPA require businesses to honor universal opt-out signals like Global Privacy Control (GPC)?
    The Iowa Consumer Data Protection Act (ICDPA) does not explicitly require businesses to honor universal opt-out signals, such as the Global Privacy Control (GPC). Unlike privacy laws in California and Colorado, which mandate recognition of such signals, the ICDPA lacks provisions addressing this technology. Therefore, under the ICDPA, businesses are not obligated to act upon universal opt-out mechanisms like GPC.
  2. How does the ICDPA define publicly available data?
    Publicly available data refers to information that is lawfully made available from government records or data the consumer has intentionally made public. Such data is excluded from the scope of the ICDPA.
  3. Are there specific requirements for data retention under the ICDPA?
    The ICDPA does not explicitly require businesses to implement data retention policies, but the principles of data minimization imply that businesses should only retain data as long as necessary for their stated purposes.
  4. Does the ICDPA require employee training on data privacy?
    The ICDPA does not mandate employee training, but businesses may benefit from educating staff to ensure compliance with the law’s requirements, especially for handling consumer requests and sensitive data.
  5. What are the specific exemptions for de-identified data?
    The ICDPA excludes de-identified data from its scope as long as it cannot reasonably be linked to an individual and the business commits to maintaining it in a de-identified state.
  6. Are businesses required to conduct data protection impact assessments (DPIAs)?
    No, the ICDPA does not mandate data protection impact assessments, unlike laws such as Virginia’s VCDPA or Colorado’s CPA.
  7. How are children’s data protected under the ICDPA?
    The ICDPA defers to the federal Children’s Online Privacy Protection Act (COPPA) for protecting children’s data, requiring parental consent for processing data of children under 13.
  8. Does the ICDPA apply to non-profit organizations or small businesses?
    Non-profit organizations are explicitly exempt. Small businesses are also exempt unless they meet the thresholds of processing data for 100,000 consumers or deriving 50% of revenue from data sales.

    Unlike laws such as the California Consumer Privacy Act (CCPA), the ICDPA does not include a minimum annual revenue threshold. Therefore, small businesses that did not meet the revenue criteria of the CCPA may still be subject to the ICDPA if they meet the data processing thresholds mentioned above. It's crucial for such businesses to assess their data processing activities to determine applicability.
  9. How does the ICDPA handle pseudonymized data?
    The ICDPA does not specifically address pseudonymized data. However, businesses should ensure that such data cannot be reasonably linked to an individual to avoid its classification as personal data.
  10. Are loyalty programs affected by the ICDPA?
    The ICDPA does not restrict loyalty programs directly but requires businesses to disclose data collection practices related to these programs in their privacy notices.