Iowa Privacy Law
Please note that this is intended to be a summary. It is not a complete recitation of the applicable laws and/or regulations and is not intended to be used as legal advice.
On March 29, 2023, Iowa Governor Kim Reynolds signed the Iowa Consumer Data Protection Act (ICDPA) into law, following unanimous passage through the Iowa Senate and House. The ICDPA is the nation’s sixth state consumer privacy law, following California, Colorado, Virginia, Utah, and Connecticut in giving consumers more access to and control over how companies handle their personal information. The ICDPA becomes effective on January 1, 2025.
The ICDPA closely resembles the Utah Consumer Privacy Act. The Iowa law creates obligations for “controllers” and “processors” of personal data. A controller is a person who determines the purpose and means of processing personal data; a processor is a person who processes personal data on behalf of a controller.
Controllers and processors subject to the ICDPA are persons who conduct business in Iowa or produce a product or service targeted to consumers (defined as natural persons who reside in Iowa), and that either: (1) control or process the personal data of 100,000 or more consumers in a calendar year; or (2) derive over 50% of their gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.
Information and data exempt from the ICDPA include, among other types, personal data subject to regulation under the FCRA, HIPAA, FERPA, and COPPA.
Controllers have the following obligations under the ICDPA:
- Privacy Notice: controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the categories of personal data processed and the purposes for which that data is processed; how consumers may exercise their rights (described below) and appeal a controller’s decision on a consumer’s request; the categories of personal data shared with third parties; and the categories of third parties with whom the controller shares personal data.
- Consent for sensitive data: controllers shall not process sensitive data (as defined in the ICDPA) collected from a consumer for a nonexempt purpose unless the consumer has been presented with clear notice and an opportunity to opt out of the processing, or, in the case of a known child, unless the data is processed in accordance with the Children’s Online Privacy Protection Act.
- Security: controllers must adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, appropriate to the volume and nature of the personal data at issue.
- Nondiscrimination and nonretaliation: controllers may not discriminate against consumers for exercising their rights under the ICDPA.
- Transparency: if a controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose that activity, as well as the manner in which a consumer may exercise the right to opt out of it.
- Rights Request Mechanism: controllers must establish, and describe in the privacy notice, a secure and reliable means for consumers to exercise their rights under the ICDPA.
Consumer rights under the ICDPA include the right to:
- Confirm whether a controller is processing the consumer’s personal data and access that personal data;
- Delete the consumer’s personal data that the consumer provided to the controller;
- Obtain a copy of the consumer’s personal data that was previously provided to the controller, in a portable, usable, and transmittable format (to the extent technically practicable); and,
- Opt out of the sale of personal data.
The ICDPA provides that any contract or agreement provision that purports to waive or limit any of these rights is contrary to public policy and is void and unenforceable.
Like the Utah Consumer Privacy Act, the ICDPA does not provide a private right of action; violations are enforceable only by the Iowa Attorney General’s office. According to the International Association of Privacy Professionals, at the time Iowa enacted the ICDPA an additional eighteen states had consumer privacy bills in process.