What the Iowa Consumer Data Protection Act Covers
Governor Kim Reynolds signed Senate File 262 into law in March 2023, making Iowa the sixth US state to pass a comprehensive data privacy statute. The Iowa Consumer Data Protection Act (ICDPA), codified as Iowa Code Chapter 715D, took effect on 1 January 2025.
The law gives Iowa residents a set of rights over their personal data and places obligations on businesses that collect or process that data. It follows the opt-out model used by Virginia's VCDPA, though with fewer consumer rights and lighter compliance burdens than many of its counterparts.
For website owners already tracking US state privacy laws, the ICDPA sits at the more business-friendly end of the spectrum.
Who Must Comply with the ICDPA
The ICDPA applies to persons that conduct business in Iowa or produce products or services targeted at Iowa consumers, provided they meet one of two thresholds:
- Control or process the personal data of at least 100,000 Iowa consumers during a calendar year, or
- Control or process the personal data of at least 25,000 Iowa consumers and derive more than 50% of gross revenue from the sale of personal data.
These thresholds are higher than those in some other state laws. The Texas TDPSA, for example, has no minimum consumer count at all. Iowa's thresholds mean that smaller businesses with limited Iowa traffic are unlikely to fall within scope.
Who Is Exempt
Several categories of organisations fall outside the ICDPA entirely:
- State and local government bodies
- Nonprofits
- Institutions of higher education
- Entities subject to the Gramm-Leach-Bliley Act (financial institutions)
- Entities governed by HIPAA or the Health Information Technology for Economic and Clinical Health Act
Data types already regulated by federal sectoral laws - such as data covered by the Fair Credit Reporting Act or the Driver's Privacy Protection Act - are also excluded.
Consumer Rights Under the ICDPA
Iowa residents receive four core rights under the ICDPA. The set is shorter than the rights granted by laws in Colorado or Connecticut; the table below also lists two rights found in other states that Iowa does not grant.
| Right | Description | Available in Iowa? |
|---|---|---|
| Access | Confirm whether a controller is processing personal data and obtain a copy | Yes |
| Deletion | Request deletion of personal data provided by the consumer | Yes |
| Data portability | Obtain a copy of personal data in a portable, readily usable format | Yes |
| Opt out of sale | Opt out of the sale of personal data | Yes |
| Opt out of targeted advertising | Opt out of processing for targeted advertising | Yes |
| Correction | Correct inaccuracies in personal data | No |
| Opt out of profiling | Opt out of automated profiling decisions | No |
The absence of a correction right is notable. Most other US state privacy laws, including the Montana CDPA and Oregon CPA, grant consumers the right to fix inaccurate records.
How the ICDPA Handles Sensitive Data
Sensitive data under the ICDPA includes racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data used to identify someone, personal data collected from a known child, and precise geolocation.
Here the law diverges from most of its peers. Opt-in consent is the standard approach for sensitive data across states such as Virginia, Colorado, and Connecticut. Iowa takes the opposite route: controllers must provide clear notice before processing sensitive data and give consumers the ability to opt out. No prior consent is needed.
This opt-out-only approach to sensitive data makes the ICDPA one of the least restrictive US privacy laws on this point.
No Universal Opt-Out Signal Requirement
A growing number of state laws require controllers to recognise Global Privacy Control (GPC) or similar universal opt-out mechanisms. Colorado, Connecticut, Montana, and Delaware all mandate recognition of such signals.
Iowa does not. The ICDPA has no provision requiring controllers to honour browser-based opt-out signals. If your site already supports GPC for other jurisdictions, that implementation will not satisfy any Iowa-specific requirement - because there is none to satisfy.
This also means Iowa consumers must opt out manually through whatever mechanism a controller provides, typically a privacy settings page or a cookie preference centre on the website.
No Data Protection Assessments Required
Several state privacy laws require controllers to conduct data protection impact assessments before engaging in high-risk processing activities such as targeted advertising, profiling, or selling personal data. Virginia, Colorado, and Connecticut all include this obligation.
Iowa does not require data protection assessments of any kind. This reduces the administrative overhead for businesses that fall within scope but removes a layer of proactive risk evaluation.
Controller Obligations for Website Owners
If your website meets the applicability thresholds, the ICDPA requires you to:
- Publish a clear privacy notice - disclose the categories of personal data processed, the purposes of processing, how consumers can exercise their rights, the categories of data shared with third parties, and the categories of those third parties.
- Limit data collection - collect only data that is adequate, relevant, and reasonably necessary for the disclosed purpose.
- Implement reasonable security - protect personal data with appropriate administrative, technical, and physical safeguards.
- Avoid secondary use without notice - if you process data for a purpose materially different from what you originally disclosed, you must notify consumers.
- Respond to consumer requests - act on verified consumer rights requests within 90 days.
For sites using marketing cookies or analytics cookies tied to Iowa consumer data, this means your privacy policy should accurately describe the tracking technologies in use and the opt-out mechanisms available.
Processor Contracts
Controllers that use processors (any third-party service handling personal data on their behalf) must have a written contract in place. The contract must specify the nature and purpose of processing, the type of data involved, the duration, and the rights and obligations of both parties. Processors must assist controllers in meeting their obligations under the ICDPA.
Enforcement and Penalties
The Iowa Attorney General holds exclusive enforcement authority over the ICDPA. There is no private right of action - consumers cannot sue businesses directly for violations.
Before taking enforcement action, the Attorney General must issue a written notice to the controller or processor identifying the specific provisions believed to have been violated. The business then has 90 days to cure the alleged violation. Unlike some other state laws where the cure period sunsets after a set date, Iowa's 90-day cure period has no expiration. It remains available indefinitely.
If the violation is not cured within the 90-day window, the Attorney General may pursue civil penalties of up to $7,500 per violation, plus injunctive relief, attorney's fees, and investigative costs.
How the ICDPA Compares to Other State Laws
The ICDPA is often grouped with the Utah UCPA as one of the narrowest US state privacy laws. Both take a business-friendly approach with higher thresholds, fewer consumer rights, and limited obligations. The table below highlights key differences with other frameworks.
| Feature | Iowa (ICDPA) | Virginia (VCDPA) | Colorado (CPA) |
|---|---|---|---|
| Effective date | 1 Jan 2025 | 1 Jan 2023 | 1 Jul 2023 |
| Right to correct | No | Yes | Yes |
| Sensitive data approach | Opt-out | Opt-in | Opt-in |
| Universal opt-out signal | Not required | Not required | Required |
| Data protection assessments | Not required | Required | Required |
| Cure period | 90 days (permanent) | 30 days (expired) | 60 days (expired) |
| Private right of action | No | No | No |
| Maximum penalty per violation | $7,500 | $7,500 | $20,000 |
Practical Steps to Bring Your Website into Compliance
If your website meets the ICDPA thresholds, here is a concise compliance checklist:
- Audit your data flows. Identify what personal data you collect from Iowa visitors, including through cookies and tracking scripts. A cookie scanner can automate much of this process.
- Update your privacy notice. Ensure it lists the categories of data processed, the purposes, third-party sharing, and how consumers can exercise their rights.
- Provide opt-out mechanisms. Give Iowa consumers a clear way to opt out of the sale of their data and targeted advertising. This can be handled through a cookie preference centre or a dedicated privacy settings page.
- Review processor contracts. Confirm that agreements with third-party vendors that handle Iowa consumer data include the required contractual terms.
- Establish a request process. Set up a workflow to receive, verify, and respond to consumer rights requests within 90 days.
- Document your compliance. While assessments are not mandatory, keeping records of your privacy practices is prudent should the Attorney General investigate.
Frequently Asked Questions
Does the Iowa Consumer Data Protection Act require cookie consent?
The ICDPA does not mandate prior cookie consent the way the GDPR does. It requires an opt-out mechanism for targeted advertising and data sales, but does not prescribe a specific consent banner format.
Do I need to recognise Global Privacy Control signals under the ICDPA?
No. The ICDPA does not require controllers to honour universal opt-out signals such as GPC. Consumers must opt out through a mechanism you provide directly.
What happens if my business violates the ICDPA?
The Iowa Attorney General will issue a written notice and grant a 90-day cure period. If the violation is not resolved, penalties of up to $7,500 per violation may apply.
Does the ICDPA apply to nonprofits?
No. Nonprofits, government bodies, and higher education institutions are exempt from the ICDPA.
How does Iowa handle sensitive data differently from other states?
Most US state privacy laws require opt-in consent before processing sensitive data. Iowa only requires clear notice and an opt-out option, making it less restrictive.
Is there a private right of action under the ICDPA?
No. Only the Iowa Attorney General can enforce the ICDPA. Consumers do not have the right to bring lawsuits against businesses for violations.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets or whether your opt-out mechanisms satisfy the ICDPA, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.