July 24, 2024
Iowa
Iowa's Consumer Data Protection Act
Iowa has become the sixth U.S. state to pass a comprehensive data privacy law, making America's privacy landscape just a little more complicated.
table of contents

In March 2023, Iowa became the sixth US state to pass its own comprehensive data privacy legislation. It is also the first Midwestern state to pass such a law. After being approved unanimously by both the state house and senate in a matter of weeks, the new law is yet another signal that data privacy is gaining momentum as a priority for lawmakers.

Known informally as the Consumer Data Protection Act, Iowa’s privacy law is based closely on its Virginia counterpart, with a few important distinctions. Here’s a quick introduction to its key features.

When Does the Law Go Into Effect?

Iowa’s Consumer Data Protection Act goes into effect on January 1, 2025.

Which Businesses Does It Apply To?

Iowa’s privacy applies to any for-profit entity that does business within the state, as long as at least one of the following conditions applies:

  • It controls or processes the personal data of at least 100,000 consumers (state residents) per year, OR
  • It controls or processes the personal data of at least 25,000 consumers per year AND derives over 50% of its gross revenue from the sale of personal data

Businesses should keep in mind that, as with other data privacy laws, they are likely processing personal data about all of their website visitors. If you get more than 8,400 unique visitors per month, the law likely applies.

What Are the Key Obligations for Businesses?

The overarching requirements imposed by the Iowa Consumer Data Protection are similar to other state privacy laws. These obligations can be broken broadly into three categories:

  • Data Minimization - Businesses must restrict their collection and use of personal data to what is necessary and proportionate to their purposes.
  • Privacy Notices - Businesses must describe how they collect and use personal data by disclosing information such as the categories of personal data processed, the purposes for processing, and categories of third parties that receive that personal data.
  • Privacy Rights - Consumers have a new set of privacy rights that translate into various privacy requests they can make to businesses.

What Privacy Rights Are Included?

Iowa consumers will now have the following privacy rights:

  • Right to Access - Consumers can request access to any personal data a business has collected about them.
  • Right to Delete - Upon request, businesses must delete any personal data they have collected about a consumer (subject to some important exceptions).
  • Right to Opt Out - Businesses must allow consumers to opt out of targeted advertising, the processing of sensitive data, and the sale of their personal data.
  • Right to Non-discrimination - Businesses may not discriminate against consumers who have exercised their privacy rights, such as by charging a different price or offering a different quality of service. However, there are broad exceptions for customer loyalty and rewards programs, if a consumer exercises their right to opt out.

How Much Do Violations Cost?

Businesses face civil fines of up to $7,500 per violation.

Is There a Private Right of Action?

There is no private right of action for Iowa consumers, meaning they cannot sue businesses over violations.

How Is Iowa’s Privacy Law Different from Laws in Other States?

While most of the new generation of data privacy laws share many common features, none of them are identical. Iowa’s privacy law differs from other states in ways that are generally more permissive. These differences include:

  • Opt-Outs for Sensitive Data - Before processing sensitive data such as protected characteristics, geolocation data, and personal data from children, Iowa’s law requires businesses to give notice and a chance to opt out before any such processing. This is in contrast to the consent requirement in other laws.
  • Data Protection Assessments - Iowa does not require businesses to complete a data protection assessment.
  • Right to Correct - Iowa’s privacy law does not give consumers the right to correct inaccurate personal data.
  • No Appeals Process - While other laws require that businesses offer consumers a way to appeal any denial of a privacy request, Iowa’s law has no such requirement.

This is far from a full list, but it gives a general idea of how the Iowa law differs from others.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.

previous chapter
next chapter

Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.

Privacy laws are here.
Are you ready?

Say goodbye to privacy headaches and hello to easy compliance with TrueVault.
Launch your Privacy Plan
Sign up Today. Get compliant tomorrow.

The Complete Privacy Platform

TrueVault is not a law firm and its services are not a substitute for obtaining legal advice from a qualified licensed attorney.
© 2024 TrueVault, Inc.
Resources
AboutPlansResource CenterContact
Latest Articles
How Long Can Businesses Keep Personal Data?
How to Create a Data Retention Policy
Cookies & Privacy Compliance
When Do the New State Privacy Laws Go into Effect?
TrueVault is not a law firm and its services are not a substitute for obtaining legal advice from a qualified licensed attorney.
© 2024 TrueVault, Inc.