State Law Practice Note

Iowa Consumer Privacy Law (ICDPA)

The Iowa Consumer Data Protection Act gives Iowa consumers rights over their personal data and imposes notice, contracting, and sensitive-data duties on controllers above defined thresholds. It is one of the most business-favorable state privacy laws: it is enforced exclusively by the Attorney General with a 90-day cure period, treats sensitive data on a notice-and-opt-out basis, and provides no private right of action.

More details about this document
Editor: OpenAgreements editor
License: CC BY 4.0

Does the Iowa Consumer Data Protection Act apply to your business?

It turns on consumer volume, not revenue. The ICDPA applies to a person conducting business in Iowa or targeting its residents that, in a calendar year, controls or processes the personal data of at least 100,000 consumers, or at least 25,000 consumers while deriving over 50% of gross revenue from selling personal data.

Iowa set no dollar revenue floor, so a large enterprise that processes data for fewer than 100,000 Iowa consumers and does not sell that data falls entirely outside the statute. The exemptions are broad: the chapter does not apply to the state or its political subdivisions, financial institutions and GLBA-regulated data, HIPAA-regulated entities, nonprofit organizations, or institutions of higher education, and a long list of federally regulated data categories is also carved out. A consumer is an Iowa resident acting in an individual or household context, not an employee or business contact.

Sources for this answer

Primary law · 2025-01-01

A.1 Iowa Code § 715D.2

The ICDPA applies to a person conducting business in Iowa or targeting its residents that, during a calendar year, controls or processes the data of at least 100,000 consumers, or 25,000+ while deriving over 50% of gross revenue from selling personal data.

This chapter applies to a person conducting business in the state or producing products or services that are targeted to consumers who are residents of the state and that during a calendar year does either of the following: a. Controls or processes personal data of at least one hundred thousand consumers. b. Controls or processes personal data of at least twenty-five thousand consumers and derives over fifty percent of gross revenue from the sale of personal data.

See Iowa Code § 715D.2(1).

Primary law · 2025-01-01

A.2 Iowa Code § 715D.2

The ICDPA does not apply to government, financial institutions and GLBA-regulated data, HIPAA-regulated entities, nonprofit organizations, or institutions of higher education.

This chapter shall not apply to the state or any political subdivision of the state; financial institutions, affiliates of financial institutions, or data subject to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et seq.; persons who are subject to and comply with regulations promulgated pursuant to Tit. II, subtit. F, of the federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, and Tit. XIII, subtit. D, of the federal Health Information Technology for Economic and Clinical Health Act of 2009, 42 U.S.C. §17921 – 17954; nonprofit organizations; or institutions of higher education.

See Iowa Code § 715D.2(2).

Primary law · 2025-01-01

A.3 Iowa Code § 715D.1

A consumer is an Iowa resident acting in an individual or household context, excluding a person acting in a commercial or employment context.

“Consumer” means a natural person who is a resident of the state acting only in an individual or household context and excluding a natural person acting in a commercial or employment context.

See Iowa Code § 715D.1(7).

What must your Iowa privacy policy contain?

A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed, the purpose for processing, how consumers exercise and appeal their rights, the categories of personal data shared with third parties, and the categories of those third parties.

For a template privacy policy, section 715D.4 is the content checklist. If the controller sells personal data or engages in targeted advertising, the notice must clearly and conspicuously disclose that activity and how to opt out. The policy must also describe a secure and reliable way for consumers to submit rights requests, and the controller may not require a consumer to create a new account to exercise rights. The notice should match the data practices the controller actually carries out.

Sources for this answer

Primary law · 2025-01-01

B.1 Iowa Code § 715D.4

A controller must provide a reasonably accessible, clear, and meaningful privacy notice listing the categories of personal data processed, the purpose for processing, how consumers exercise and appeal their rights, the categories of personal data shared with third parties, and the categories of those third parties.

A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the following: a. The categories of personal data processed by the controller. b. The purpose for processing personal data. c. How consumers may exercise their consumer rights pursuant to section 715D.3, including how a consumer may appeal a controller’s decision with regard to the consumer’s request. d. The categories of personal data that the controller shares with third parties, if any. e. The categories of third parties, if any, with whom the controller shares personal data.

See Iowa Code § 715D.4(5).

Primary law · 2025-01-01

B.2 Iowa Code § 715D.4

A controller that sells personal data or engages in targeted advertising must clearly and conspicuously disclose that activity and how a consumer may opt out.

If a controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.

See Iowa Code § 715D.4(6).

Primary law · 2025-01-01

B.3 Iowa Code § 715D.4

A controller must describe in its privacy notice secure and reliable means for submitting rights requests and may not require a consumer to create a new account to exercise rights.

A controller shall establish, and shall describe in a privacy notice, secure and reliable means for consumers to submit a request to exercise their consumer rights under this chapter.

See Iowa Code § 715D.4(7).

What must your contracts with vendors and processors include?

A contract between a controller and a processor must govern the processor's data processing on the controller's behalf — so a data processing agreement is a statutory requirement, not a best practice.

Section 715D.5 then specifies the required terms: processing instructions, the nature and purpose of processing, the type of data and duration, the rights and duties of both parties, a duty of confidentiality, deletion or return of data at the controller's direction, the information needed to demonstrate compliance, and a requirement to bind subcontractors by written contract to the same processor duties. A compliant template data processing agreement tracks each of these.

Sources for this answer

Primary law · 2025-01-01

C.1 Iowa Code § 715D.5

A contract between a controller and a processor must govern the processor's data processing procedures with respect to processing performed on behalf of the controller.

A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties.

See Iowa Code § 715D.5(2).

Primary law · 2025-01-01

C.2 Iowa Code § 715D.5

The processor contract must require a duty of confidentiality, deletion or return of data at the controller's direction, information to demonstrate compliance, and a written contract binding subcontractors to the same duties.

The contract shall also include requirements that the processor shall do all of the following: a. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data. b. At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law. c. Upon the reasonable request of the controller, make available to the controller all information in the processor’s possession necessary to demonstrate the processor’s compliance with the obligations in this chapter. d. Engage any subcontractor or agent pursuant to a written contract in accordance with this section that requires the subcontractor to meet the duties of the processor with respect to the personal data.

See Iowa Code § 715D.5(2).

How does Iowa treat sensitive data and opt-outs?

Iowa does not require opt-in consent for sensitive data. A controller may process a consumer's sensitive data for a nonexempt purpose only after presenting the consumer with clear notice and an opportunity to opt out, and for a known child it must instead follow the federal Children's Online Privacy Protection Act. Sensitive data includes data on race or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify a person; data collected from a known child; and precise geolocation.

This notice-and-opt-out model is one of the features that makes the ICDPA among the most business-favorable state privacy laws. Iowa also does not require controllers to recognize a universal opt-out preference signal, so an Iowa program can rely on its own opt-out mechanisms for sales and targeted advertising.

Sources for this answer

Primary law · 2025-01-01

D.1 Iowa Code § 715D.4

A controller may process sensitive data only after presenting the consumer with clear notice and an opportunity to opt out, and must handle a known child's data in accordance with COPPA — Iowa uses notice-and-opt-out, not opt-in consent.

A controller shall not process sensitive data collected from a consumer for a nonexempt purpose without the consumer having been presented with clear notice and an opportunity to opt out of such processing, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children’s Online Privacy Protection Act, 15 U.S.C. §6501 et seq.

See Iowa Code § 715D.4(2).

Primary law · 2025-01-01

D.2 Iowa Code § 715D.1

Sensitive data includes specified data such as racial or ethnic origin, religious beliefs, a health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data used to identify a person, data from a known child, and precise geolocation.

“Sensitive data” means a category of personal data that includes the following: a. Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, except to the extent such data is used in order to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law. b. Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person. c. The personal data collected from a known child. d. Precise geolocation data.

See Iowa Code § 715D.1(26).

Who enforces the ICDPA, and can consumers sue?

No consumer can sue. The Attorney General has exclusive authority to enforce the ICDPA, and the chapter provides no private right of action. Before bringing an action, the Attorney General must give 90 days' written notice of the specific alleged violations and a chance to cure.

A controller that cures within the 90-day window and certifies the cure in writing avoids the action; an uncured violation, or a breach of that written statement, exposes the controller to an injunction and civil penalties of up to $7,500 per violation. The practical posture is still to build the notice, sensitive-data, and contracting controls up front, but a covered business that receives a notice has a long window to fix the issue.

Sources for this answer

Primary law · 2025-01-01

E.1 Iowa Code § 715D.8

The Attorney General has exclusive authority to enforce the ICDPA.

The attorney general shall have exclusive authority to enforce the provisions of this chapter.

See Iowa Code § 715D.8(1).

Primary law · 2025-01-01

E.3 Iowa Code § 715D.8

Before bringing an action, the Attorney General must give 90 days' written notice identifying the specific provisions allegedly violated, and no action follows a timely cure plus written assurance.

Prior to initiating any action under this chapter, the attorney general shall provide a controller or processor ninety days’ written notice identifying the specific provisions of this chapter the attorney general alleges have been or are being violated. If within the ninety-day period, the controller or processor cures the noticed violation and provides the attorney general an express written statement that the alleged violations have been cured and that no further such violations shall occur, no action shall be initiated against the controller or processor.

See Iowa Code § 715D.8(2).

Primary law · 2025-01-01

E.4 Iowa Code § 715D.8

If a controller or processor continues to violate after the cure period or breaches its written cure statement, the Attorney General may seek an injunction and civil penalties of up to $7,500 per violation.

If a controller or processor continues to violate this chapter following the cure period in subsection 2 or breaches an express written statement provided to the attorney general under that subsection, the attorney general may initiate an action in the name of the state and may seek an injunction to restrain any violations of this chapter and civil penalties of up to seven thousand five hundred dollars for each violation under this chapter.

See Iowa Code § 715D.8(3).

Primary law · 2025-01-01

E.2 Iowa Code § 715D.8

The ICDPA provides no private right of action for violations of the chapter.

Nothing in this chapter shall be construed as providing the basis for, or be subject to, a private right of action for violations of this chapter or under any other law.

See Iowa Code § 715D.8(4).