Skip to main content

Iowa Consumer Data Protection Act

The Iowa Consumer Data Protection Act grants residents access, deletion, portability, and sale opt-out rights, but omits correction rights and sensitive-data consent. It is business-friendly, offers a 90-day cure period, and is enforced by the Iowa Attorney General.

Jurisdiction
Iowa

Iowa Consumer Data Protection Act

The Iowa Consumer Data Protection Act (ICDPA), enacted as Senate File 262, is Iowa's comprehensive consumer privacy statute. It took effect on January 1, 2025 and is widely regarded as one of the most business-friendly state privacy laws, with narrower consumer rights and fewer controller duties than peer statutes.

Who It Applies To

The ICDPA applies to persons conducting business in Iowa or producing products or services targeted to Iowa residents that, during a calendar year, control or process the personal data of either 100,000 or more consumers, or 25,000 or more consumers while deriving more than 50 percent of gross revenue from the sale of personal data. It exempts entities and data subject to HIPAA and the Gramm-Leach-Bliley Act, government entities, and nonprofits.

Key Requirements

Controllers must provide a privacy notice and maintain reasonable data security. Consumers may confirm processing, access their data, delete data they provided, obtain a portable copy, and opt out of the sale of personal data. Notably, the ICDPA does not grant a right to correct inaccuracies and does not require opt-in consent for sensitive data; instead, controllers must offer clear notice and an opportunity to opt out of sensitive data processing. The law does not require data protection assessments and does not mandate recognition of universal opt-out signals.

Penalties for Non-Compliance

The Iowa Attorney General has exclusive enforcement authority; there is no private right of action. Civil penalties reach up to 7,500 dollars per violation. The law provides a 90-day cure period, one of the longest among state privacy laws, before the Attorney General may bring an enforcement action.

How to Comply

Confirm whether your processing meets the thresholds. Publish a clear privacy notice that discloses sensitive data processing and the right to opt out. Implement processes to handle access, deletion, portability, and sale opt-out requests within 90 days. Maintain reasonable administrative, technical, and physical safeguards. Even though assessments are not required, documenting processing decisions remains good practice and eases multi-state compliance.

Relationship to Other Laws

Iowa is frequently cited as the baseline floor of U.S. state privacy protection: it omits correction rights, sensitive-data opt-in consent, universal opt-out recognition, and mandatory assessments that most peers require. Organizations that build to a stricter state such as Colorado or Connecticut will almost always exceed Iowa's requirements. The main Iowa-specific tasks are honoring its long 90-day cure window in incident planning and ensuring sensitive-data processing is disclosed with a clear opt-out, since Iowa uses notice-and-opt-out rather than opt-in for sensitive data.

Operational Mechanics

Like its sibling state statutes, this law sets concrete operational requirements that engineering and operations teams must implement. Controllers must respond to a verified consumer rights request without undue delay and within 45 days of receipt, with a single 45-day extension permitted where reasonably necessary given the complexity and volume of requests, provided the consumer is notified of the extension and the reason. Where a controller declines to act, it must inform the consumer of the reason and provide instructions for appealing the decision; the law requires an internal appeal process, and if an appeal is denied the controller must give the consumer a method to contact the state Attorney General to submit a complaint. Controllers may not charge a fee for the first request in a defined period and must establish a secure, reliable means for consumers to submit requests, taking into account the ways consumers normally interact with the controller. Relationships with processors must be governed by a binding contract that sets out processing instructions, confidentiality duties, deletion or return of data at the end of the engagement, and the duty to assist the controller with security, breach response, and assessments. Treating these mechanics as shared platform services, rather than rebuilding them per state, is the most efficient path to durable, multistate compliance.