State guides

Iowa data privacy law (CDPA): Does it apply to you and how to comply

Published April 25, 2023 by Ali Talip Pınarbaşı
Summary

While Iowa may be famous for the US presidential election's political caucuses, it also does not lag behind in terms of data privacy.

On 29 March 2023, Iowa became the sixth state in the US to enact a data privacy law. Iowa’s Act Relating to Consumer Data Protection (CDPA), also referred to in some contexts as the Iowa Data Protection Law (ICDPA), is following in the footsteps of California, Utah, Virginia, Colorado, and Connecticut.

If you have customers located in Iowa or your website is accessible to Iowa consumers, Iowa’s comprehensive consumer privacy law will likely apply to your business. In this article, we go over what the Iowa Data Privacy law is, what it entails for businesses, and how to comply. As part of the broader regulatory ecosystem, laws such as this one emphasize compliance, contractual obligations, and enforcement mechanisms to ensure responsible data handling and protect consumer rights.

What about other U.S. states? To learn more about the big picture of data privacy in the United States and access our updated map and law tracker, head to our dedicated blog post.

Iowa data privacy law in a nutshell

On March 29th, the governor of Iowa signed the “Act Relating to Consumer Data Protection” (CDPA or ICDPA) into law. Iowa’s CDPA is the first comprehensive consumer privacy legislation in Iowa, and it will become enforceable in January 2025, giving businesses 21 months to prepare. As part of their compliance efforts, businesses should implement reasonable administrative measures to protect personal data and ensure they meet their legal obligations.

If you have implemented a compliance program to comply with other US state privacy laws, such as California’s CPRA, some requirements of the Iowa data privacy law will sound familiar. However, there are still significant differences between Iowa’s data privacy law and other US privacy laws.

In this article, we will help you understand:

  • What are the key requirements of Iowa’s privacy law, including how businesses must process data in accordance with the law?
  • How do you comply with Iowa law on data privacy?
  • What are the differences between Iowa Data Privacy law and other US privacy laws, and with the EU General Data Protection Regulation (GDPR)?

Key requirements and things to know about the Iowa privacy law (CDPA)

[Image: Mockup of a consent banner presenting various options to users, including "do not sell or share my personal information", "limit the use of my sensitive personal information", and "agree and close", along with a label "Global Privacy Control signal detected and applied". On the left side of the image, an American flag.]

Let’s dive deeper into the nitty-gritty of the CDPA. The law governs the processing of data by businesses operating in Iowa, including the collection, use, and sharing of personal information. In this section, we look at:

  • Whether the Iowa data privacy law applies to you
  • What data is exempt from the law
  • What are the key requirements you need to comply with
  • What are the penalties for non-compliance

Does the Iowa privacy law apply to you?

If you sell goods/services in Iowa or your website is accessible to Iowa residents, you must determine if you are subject to the Iowa data privacy law. If you fulfill the following criteria together, the new law will apply to your business.

Note that certain types of data may be exempt from the law's requirements.

Criterion 1: Your business produces services/goods targeted at Iowa consumers

For example, you may have an online store where visitors purchase your goods and services. If your website is accessible to USA consumers and Iowa consumers can place orders on your website, then this is the case.

Criterion 2: Within one calendar year, you fulfill one of the following thresholds:

You control or process the personal data of at least 100,000 consumers, or control or process the personal data of at least 25,000 consumers and derive over 50% of your gross revenue from the sale of personal data.

Criterion 3: Your business processes personal data

Iowa's privacy law defines personal data as any information that is linked or is reasonably linkable to an identified or identifiable natural person. For example, the credit card details of your customers, email addresses of your prospects, or location data would all fall under the definition of personal data (more on that later in the article).

What data is exempt from the Iowa data privacy law (CDPA)?

Like its California counterpart, the Iowa data privacy law exempts certain categories of personal data from its scope. When considering the above criteria, you also need to think about the following categories of exempted personal data:

  • Protected health information under the Health Insurance Portability and Accountability Act (HIPAA);
  • Health records;
  • Patient identifying information for purposes of § 290dd-2 of Title 42 of the U.S. Code, as part of the Public Health Service Act;
  • Personal data collected or processed in an employment context
  • Personal data regulated by the Family Educational Rights and Privacy Act 1974 (‘FERPA’)
  • Data subject to Title V of the Gramm-Leach-Bliley Act of 1999; financial companies subject to the Gramm-Leach-Bliley Act will fall outside the reach of Iowa Law.
  • De-identified data, which is expressly excluded from the scope of the Iowa data privacy law, provided that reasonable measures are taken to prevent re-identification and contractual oversight is maintained.
  • Higher education institutions are exempt from the enforceability of Iowa’s privacy law.
  • Government entities, such as state and municipal entities, are also exempt.

What are the key requirements you need to comply with?

If you have implemented an EU GDPR or California (CCPA and CPRA) compliance program before, you are already one step ahead of everyone in satisfying Iowa privacy law compliance requirements.

Similar to its EU and California counterparts, the Iowa data privacy law includes requirements such as drafting a transparent privacy notice, responding to consumer requests (including access and deletion), and providing opt-out options for the sale of personal data.

Since it would be beyond the scope of this article to explain all requirements, we will briefly address the key requirements you need to consider as follows:

Provide your customers with a privacy notice

You need to provide consumers with a clear and easily accessible privacy notice. This written notice should explain what types of personal data you collect and use, and who you share personal data with.

Furthermore, the privacy notice should also describe how consumers can exercise their right to access their data and their other rights.

Implement necessary data security measures

If you cannot maintain the availability and confidentiality of personal data, you cannot comply with the privacy law requirements. Therefore, Iowa data privacy law requires you to apply appropriate technical and organizational measures to guarantee data security.

Fulfill data subject requests

Iowa's law provides comprehensive consumer data rights. Under the law, consumers have the right to access and delete their data, and the right to opt out of the sale of their data. Additionally, consumers are entitled to data portability, just as they are under the EU GDPR.

Addressing these data subject access requests (also called DSARs) can be time-consuming and quickly turn into a logistical nightmare for companies. Learn how to deal with them quickly and efficiently in our complete guide to DSARs.

Comply with the purpose limitation principle

When you collect and process personal data, you need to ensure that processing is relevant and necessary to the purpose you seek to achieve. For instance, if you collect credit card data from your customers to process payments, you should not sell this data and purchase history to a data broker.

Sign a data processing agreement

Similar to the EU GDPR, Iowa’s law has the data controller-data processor concept and it requires these two parties to sign data processing agreements. Data processing agreements are crucial for formalizing the relationship between controllers and processors, thereby ensuring compliance with data privacy laws.

This agreement should outline how the instructions of a data controller are handled, as well as other key elements such as data retention and the purpose of data processing.

For instance, when you use Google Analytics on your website, Google Analytics is your data processor. In fact, Google Analytics even has a data processing agreement that it signs with its customers.

What is personal data and sensitive personal data under the Iowa CDPA?

Under the Iowa Consumer Data Protection Act (ICDPA), personal data is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person.

This broad definition covers a wide range of data types, including names, physical and email addresses, IP addresses, online identifiers, browsing history, and purchase behaviors. Essentially, if the information can be used to identify a specific individual, it is considered personal data under the ICDPA.

Notably, the ICDPA excludes de-identified or aggregate data from its scope. This means that information that cannot be traced back to a particular individual (such as anonymized statistics or grouped data sets) is not subject to the same requirements as personal data. This approach is consistent with other state data privacy laws, such as the California Consumer Privacy Act (CCPA) and the Utah Consumer Privacy Act (UCPA), which also distinguish between personal data and de-identified or aggregate data.

Businesses that process personal data of Iowa consumers must comply with the ICDPA’s requirements, including implementing reasonable administrative, technical, and physical data security practices. These measures are essential to protect the confidentiality, integrity, and accessibility of consumer data and to ensure compliance with evolving state data privacy laws.

By understanding how the Iowa privacy law defines personal data and adopting robust data protection standards, organizations can better safeguard consumer data and meet their obligations under the law.

Sensitive data protection under the Iowa data privacy law

The Iowa Consumer Data Protection Act (ICDPA) recognizes that certain types of personal data require heightened protection due to their sensitive nature.

Sensitive data under the ICDPA includes information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, children’s data, and precise geolocation data. This category of data is considered especially vulnerable and, if misused, could have significant impacts on an individual’s privacy and security.

When processing sensitive personal information, data controllers are required to provide clear notice to consumers and offer them the opportunity to opt out of such processing, with special considerations for children's data under the Children's Online Privacy Protection Act (COPPA). In addition, businesses must implement reasonable security practices to protect sensitive data, ensuring that data processing is adequate, relevant, and limited to what is necessary for the specified purpose.

The ICDPA’s sensitive data protection provisions are designed to ensure that businesses handle this information with the utmost care. Failing to comply with these requirements can result in civil penalties and damage to consumer trust. By prioritizing the protection of sensitive personal data (genetic or biometric data, physical health diagnosis, and other highly confidential information), organizations can demonstrate their commitment to data protection and maintain compliance with Iowa’s comprehensive data privacy law.

To learn more about sensitive personal information in the U.S., check out our dedicated guide, featuring a full comparative state chart.

What are the penalties for non-compliance with the Iowa data privacy law?

Like the other US state privacy laws, such as those of Virginia and Colorado, Iowa's CDPA provides the Iowa Attorney General with exclusive enforcement authority to take legal action against businesses that violate the law.

The Iowa Attorney General is required to provide the relevant business with a 90-day notice to remedy the alleged violation.

If you are found to violate the Iowa data privacy law, you can face a fine of $7,500 per violation. However, Iowa consumers are not entitled to a private right of action for non-compliance.

How does the Iowa privacy law compare to the other US state privacy laws? 

From what we have discussed so far, you may get the idea that the Iowa Consumer Data Protection Act is highly similar to the California Consumer Privacy Act.

However, the ICDPA differs from California’s regulations and other US states’ privacy laws on the following key issues:

Right to opt out of targeted advertising

Whereas California’s CPRA explicitly gives consumers the right to opt out of targeted advertising, the CDPA does not include such consumer data rights. Instead, it just requires data controllers carrying out targeted advertising to:

(...) clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.

Put simply, there are no specific rules on the scope of the right to opt out of targeted advertising and how it should be exercised in Iowa's CDPA.

Universal opt-out signals

Unlike California, Colorado, and Connecticut privacy laws, the CDPA does not include the obligation to implement universal opt-out signals, such as opting out of personalized advertising via browser settings.

Consent for the processing of sensitive data

The Colorado, Connecticut, and Virginia privacy laws require businesses to obtain consent for the collection and processing of sensitive data.

Iowa's CDPA, on the other hand, does not include such a requirement; it only requires data controllers to provide the right to opt out of the processing of sensitive data.

Iowa privacy law (CDPA) vs. the EU GDPR 

Given that the EU GDPR has the most stringent privacy law requirements worldwide, it is no surprise that the CDPA is slightly less strict. Let’s have a look at the key differences between the two laws.

Deadline to respond to data subject request

Under the GDPR, data controllers must respond to data subjects’ requests within 30 days following the receipt of the request, which can be extended by a further two months.

The CDPA, however, stipulates that data controllers have 90 days to respond to requests from consumers, which can be extended by a further 45 days.

In terms of the data subject rights, Iowa is more limited compared to the GDPR

The GDPR gives data subjects the right to rectify their personal data and the right not to be subject to automated decision-making or profiling.

The ICDPA, on the other hand, does not recognize these rights.

Overall, the GDPR contains more detailed requirements

The GDPR requires businesses to maintain records of processing activities, appoint a data protection officer under specific conditions, and conduct data protection assessments.

Iowa does not include any of these obligations.

How can Didomi help you tick Iowa's CDPA off your list?

Knowing Iowa's comprehensive consumer privacy legislation is one thing, but confidently taking steps to ensure compliance is another.

Didomi aims to become the partner of choice for global organizations looking to lead with data privacy best practices and steer clear of potential fines. Through our expertise, guidance, and product offering, we are here to help.

Browse our website to learn more about our Consent Management Platform, Preference Management Platform, Privacy Request module, and Advanced Compliance Monitoring, or book a time with one of our experts to discuss your challenges directly.

Frequently Asked Questions (FAQ) about the Iowa Consumer Data Protection Act (CDPA) 

When does the Law become enforceable?

The Law will come into force in January 2025, giving businesses 21 months to understand the requirements and implement a compliance program.

Does Iowa privacy law require businesses to obtain consent?

While the law defines lawful consent, it does not require businesses to ask for consent before collecting or processing personal data.

Does Iowa Law include the right to delete personal data provided by consumers?

Yes, if you receive a request from consumers to delete personal data they have provided, you must comply and delete such data.

However, contrary to other state privacy laws enacted, such as the Colorado law, you do not need to erase a consumer's personal data that you obtained from third-party sources.

Does processing sensitive data require opt-in consent?

Iowa law does not require opt-in consent for such processing of sensitive data.

Do you need consent for the sale of personal data?

The Law does not require consent for the sale of personal data. However, consumers can opt out of the sale of their data, which refers to the sale of data for monetary consideration.

The author

Ali Talip Pınarbaşı, freelance writer. London-based Data Privacy Law Consultant with a Master of Laws Degree in EU Privacy law at King's College London, advising businesses on how to comply with data protection laws.