Recently, Iowa joined the ever-growing list of US states with a data protection law called the Iowa Consumer Data Protection Act or Iowa CDPA.
While the Iowa CDPA shares many similarities with other US state data privacy laws, it also introduces a few important differences.
In this guide, I’ll cover everything you need to know about the Iowa CDPA, who it protects, who it applies to, and what steps your business needs to take to prepare for compliance.
- What Is the Iowa Consumer Data Protection Act (Iowa CDPA)?
- Iowa CDPA Key Terms and Definitions
- What Does the Iowa Consumer Data Protection Act Cover?
- Requirements of the Iowa Consumer Data Protection Act
- Iowa’s Data Privacy Law vs. Other States' Laws: Similarities and Differences
- How Will Consumers Be Impacted by the Iowa CDPA?
- How Will Businesses Be Impacted by the Iowa CDPA?
- Who Must Comply With Iowa’s New Data Privacy Law?
- How Can Businesses Prepare for the Iowa CDPA?
- How Will the Iowa CDPA Be Enforced?
- Fines and Penalties Under the Iowa Consumer Data Protection Act
- How Will Termly Help With Iowa CDPA Compliance?
- Are There Other Privacy Related Laws in Iowa?
What Is the Iowa Consumer Data Protection Act (Iowa CDPA)?
The Iowa CDPA is a data privacy law signed by the governor of Iowa in March of 2023.
The law was created to protect the personal information of Iowa consumers and outlines civil penalties for entities that violate the new requirements and consumer rights.
Iowa CDPA Effective Date
The new Iowa Consumer Data Protection Act enters into force on Jan. 1, 2025.
Entities impacted by this law have until that date to prepare for the regulations and obligations it presents concerning their data collecting and processing activities.
Iowa CDPA Key Terms and Definitions
The new Iowa data privacy law describes several key terms in Section 1, 715D.1 “Definitions.”
Understanding these definitions is critical for complying with the requirements of this new law.
Below are the key terms exactly as they appear in the text of the law:
- Consent: A clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. “Consent” may include a written statement, including a statement written by electronic means or any other unambiguous affirmative action.
- Consumer: A natural person who is a resident of the state acting only in an individual or household context and excluding a natural person acting in a commercial or employment context.
- Controller: A person who — alone or jointly with others — determines the purpose and means of processing personal data.
- Personal data: Any information linked or reasonably linkable to an identified or identifiable natural person. It does not include de-identified or aggregate data or publicly available information.
- Processing: Any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
- Processor: A person that processes personal data on behalf of a controller.
- Sale of data: The exchange of personal data for monetary consideration by the controller to a third party. It does not include:
  - The disclosure of personal data to a processor that processes the personal data on behalf of the controller;
  - The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer or a parent of a child;
  - The disclosure or transfer of personal data to an affiliate of the controller;
  - The disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience;
  - The disclosure or transfer of personal data when a consumer uses or directs a controller to intentionally disclose personal data or intentionally interact with one or more third parties;
  - The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.
- Sensitive data: Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data collected from a known child, and precise geolocations.
What Does the Iowa Consumer Data Protection Act Cover?
The Iowa CDPA covers residents of the state of Iowa. It only applies to those in the state acting in a noncommercial and nonemployment context.
This scope is explained in Section 1 within the definition provided for the term “consumer,” which is used throughout the text of the law.
Requirements of the Iowa Consumer Data Protection Act
The following section briefly covers the primary requirements Iowa CDPA imposes on businesses to comply with the law.
Data Security Requirements
According to Section 4, 715D.4 of the Iowa CDPA, controllers must implement reasonable security practices to protect the confidentiality of the personal data collected.
The data security practices you implement must consider both the volume and nature of the collected data.
Legal Basis for Processing Data
Controllers can legally process personal data if it meets specific guidelines outlined by Iowa’s data privacy law.
These guidelines include collecting data that:
- Is reasonably necessary and proportionate to the purposes presented to consumers
- Is adequate, relevant, and limited to what is necessary concerning the specific purposes listed
- Takes into account the nature and purpose of such collection, use, or retention
- Is subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data
Contractual Obligations With Third-Party Processors
Controllers and processors who work together under Iowa’s new privacy law must both sign contracts that include specific provisions required by the law.
According to Section 5, Part 715D.5, the contract must require processors to:
- Ensure the processors are subject to a duty of confidentiality concerning the data.
- Delete, at the controller’s direction, or return all personal data to the controller unless retention is required by law.
- Make all information available to the controller as necessary to comply with obligations outlined by the Iowa CDPA at the controller’s reasonable request.
- Ensure any subcontractors or agents are under a written contract that meets all of the standards outlined by the Iowa CDPA.
One interesting thing about this law is that it does not hold a controller or processor accountable for violations committed by a third party it contracted with, provided it did not know when disclosing the data that the recipient intended to commit a violation.
Other U.S. state laws hold both parties accountable if such a situation arises, which makes this a particularly unique aspect of the Iowa CDPA.
Requirements Regarding Children’s Data
Like other state data privacy laws, the Iowa CDPA requires businesses to follow the federal Children’s Online Privacy Protection Act (COPPA) when collecting and processing data from known children.
Entities must also allow legal guardians to submit verifiable consumer requests on behalf of known children, thus following through on the consumer rights outlined by this law.
Iowa’s Data Privacy Law vs. Other States’ Laws: Similarities and Differences
Iowa is one of several U.S. states that have recently passed data privacy laws, including the:
- California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — currently in force
- Colorado Privacy Act (CPA) — currently in force
- Connecticut Data Privacy Act (CTDPA) — currently in force
- Delaware Personal Data Privacy Act (DPDPA) — effective January 1, 2025
- Florida Digital Bill of Rights (FDBR) — effective July 1, 2024
- Indiana Consumer Data Protection Act (Indiana CDPA) — effective January 1, 2026
- Montana Consumer Data Privacy Act (MCDPA) — effective October 1, 2024
- Oregon Data Privacy Act (ODPA) — effective July 1, 2024
- Tennessee Information Protection Act (TIPA) — effective July 1, 2024
- Texas Data Privacy and Security Act (TDPSA) — effective July 1, 2024
- Utah Consumer Privacy Act (UCPA) — effective December 31, 2023
- Virginia Consumer Data Protection Act (VCDPA) — currently in force
While these laws share some similarities, they also include key differences, as shown in the table below comparing the Iowa CDPA to all other U.S. data privacy laws listed above.
How Will Consumers Be Impacted by the Iowa CDPA?
The Iowa CDPA impacts Iowa consumers by granting them new rights over how businesses and other entities collect, process, and use their personal information.
According to Section 3, 715D.3 “Consumer data rights,” individuals protected by this law have the right to:
- Confirm if a controller is processing their personal data and gain access to that data.
- Have the data they provided to a controller deleted.
- Obtain a portable copy of the personal data they provided to a controller unless it is subject to security breach protection.
- Opt out of the sale of their personal data.
- Opt out of targeted advertising.
- Opt out of having their sensitive personal information collected and processed.
Data controllers must comply with all of the above consumer requests and must respond without undue delay, and in any case within 90 days of receiving the request.
If an entity denies a consumer request, it must explain why and allow the individual to appeal the decision, free of charge, through a conspicuously available process similar to the original method for submitting requests.
Who Does the Iowa CDPA Protect?
As mentioned above, the Iowa CDPA applies only to the personal data of residents of Iowa.
In particular, they must be acting in a personal or household context.
The scope of the Iowa Consumer Data Protection Act is explained in Section 2, 715D.2 “Scope and Exemptions.”
How Will Businesses Be Impacted by the Iowa CDPA?
The Iowa CDPA impacts businesses in several different ways.
Along with the contractual obligations, security requirements, and legal basis for processing personal data mentioned previously in this guide, businesses should also prepare to update privacy policies and cookie policies.
Let’s discuss the changes businesses may need to make to these documents.
The Iowa CDPA requires controllers to provide consumers with a privacy notice, which means businesses must prepare a few updates to their existing privacy policy so that it covers the following:
- The categories of personal data processed.
- The purpose for processing the data.
- A description of how consumers can exercise their rights and appeal a controller’s decision.
- The categories of data shared with any third parties, if any.
- The categories of third parties you share data with, if any.
- If a business sells personal data to any third parties or engages in targeted advertising, all of this information must be clearly disclosed, and it is necessary to present users with a means for opting out of these activities.
- Establish and describe the secure, reliable means for consumers to submit requests to exercise their rights.
Notably, consumers under the Iowa CDPA have the right to opt out of targeted advertising, the sale of their personal data, and the collection and processing of sensitive personal information.
If a business uses any internet cookies that lead to targeted ads or collects data from users that is sold to third parties, it must disclose what those cookies are and provide a way for users to opt out of them.
A similar opt-out mechanism must be in place if you collect sensitive personal data.
Who Must Comply With Iowa’s New Data Privacy Law?
A business must comply with the Iowa CDPA if it conducts business in Iowa or produces products and services targeted to consumers who are residents of the state, and it meets either of the following thresholds during a calendar year:
- Controls or processes personal data of 100,000 or more consumers
- Controls or processes personal data of at least 25,000 consumers and generates over 50% of its gross annual revenue from the sale of personal data
Who Is Exempt From the Iowa CDPA?
The following entities are exempt from the Iowa Consumer Data Protection Act:
- The state or any political subdivision of the state
- Financial institutions, their affiliates, or data subject to the federal Gramm-Leach-Bliley Act (GLBA)
- Persons subject to the Health Insurance Portability and Accountability Act (HIPAA)
- Persons subject to the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
- Nonprofit organizations
- Institutions of higher education
How Can Businesses Prepare for the Iowa CDPA?
Implement Consent Management
Businesses should also use a Consent Management Platform (CMP) with an adequate consent banner and preference center that allows users to act on their privacy rights, like opting out of the sale of their data and targeted ads.
Offer a Data Subject Access Request Form
Adding a Data Subject Access Request (DSAR) form to a website is another adequate way to provide an easy means for users to submit requests to act on their rights and appeal any decisions a data controller might make.
Draft Data Processing Agreements
If a business relies on any third parties to process data on its behalf, it must use a Data Processing Agreement (DPA) that includes all necessary clauses described by the Iowa CDPA.
How Will the Iowa CDPA Be Enforced?
The Iowa Attorney General has the exclusive authority to enforce all parts of the Iowa CDPA.
If the AG has reasonable cause to believe an entity is violating the law, they can issue a civil investigative demand.
They will give the controller or processor a 90-day written notice identifying which parts of the Iowa CDPA they allegedly violated.
Entities must cure the violations within 90 days and send a written statement back to the AG stating that no further infractions shall occur.
If the AG accepts the statement, it will take no further action against the controller or processor.
But if the AG never receives a written statement, or further infractions occur, businesses should expect to be fined.
Fines and Penalties Under the Iowa Consumer Data Protection Act
Under the Iowa CDPA, controllers or processors who fail to follow through during the cure period after committing an alleged violation are at risk of receiving fines.
Those fines may be up to $7,500 per violation.
The attorney general will then add the money collected through violations to the consumer education and litigation fund.
How Will Termly Help With Iowa CDPA Compliance?
An example of what Termly’s policy generator looks like can be found in the screenshot below:
You can also configure Termly’s Consent Management Platform so it’s compatible with the consumer opt-out requirements outlined by laws like the Iowa CDPA for targeted advertising and the sale of personal data.
See what it looks like below.
The best part about using Termly? The policy generators and tools are backed by legal and data privacy experts.
Plus, Termly updates products as the laws and regulations evolve, meaning you can trust that the tools are always up-to-date.
Are There Other Privacy Related Laws in Iowa?
While the Iowa Consumer Data Protection Act is the first law in the state that directly addresses the collection and processing of consumer personal information, Iowa does have another law in place that impacts the security and integrity of this data.
Specifically, Title XVI of the Iowa Code addresses personal data breaches.
To comply with this section of the code, entities must notify affected consumers and, if more than 500 Iowa residents are affected, the Attorney General about personal data breaches involving electronic or paper records.
This section of the Iowa Code will work in tandem with Iowa’s new data privacy requirements and consumer rights described in the Iowa CDPA.
Help make compliance with the Iowa CDPA easier on your business by having a plan in place to complete all of the following before it enters into force in 2025:
- Implement opt-out options for consumers regarding sensitive personal data, targeted advertising, and the sale of personal data.
- Ensure you use Iowa CDPA-compliant contracts with any third-party processors you work with.