# Iowa Consumer Privacy Law (ICDPA)[^about]

The Iowa Consumer Data Protection Act gives Iowa consumers rights over their personal data and imposes notice, contracting, and sensitive-data duties on controllers above defined thresholds. One of the most business-favorable state privacy laws, it is enforced exclusively by the Attorney General with a 90-day cure period, treats sensitive data on a notice-and-opt-out basis, and provides no private right of action.

## Does the Iowa Consumer Data Protection Act apply to your business? {#does-icdpa-apply}

**Short answer.** It turns on consumer volume, not revenue. The ICDPA applies to a person conducting business in Iowa or targeting its residents that, in a calendar year, controls or processes the personal data of at least 100,000 consumers, or at least 25,000 consumers while deriving over 50% of gross revenue from selling personal data [^stat-715d2-apply].

Iowa set no dollar revenue floor, so a large enterprise that processes data for fewer than 100,000 Iowa consumers and does not sell that data falls entirely outside the statute. The exemptions are broad: the chapter does not apply to the state or its political subdivisions, financial institutions and GLBA-regulated data, HIPAA-regulated entities, nonprofit organizations, or institutions of higher education, and a long list of federally regulated data categories is also carved out [^stat-715d2-exempt]. A consumer is an Iowa resident acting in an individual or household context, not an employee or business contact [^stat-715d1-consumer].

## What must your Iowa privacy policy contain? {#privacy-policy-contents}

**Short answer.** A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed, the purpose for processing, how consumers exercise and appeal their rights, the categories of personal data shared with third parties, and the categories of those third parties [^stat-715d4-notice].

For a template privacy policy, section 715D.4 is the content checklist. If the controller sells personal data or engages in targeted advertising, the notice must clearly and conspicuously disclose that activity and how to opt out [^stat-715d4-optout-disclose]. The policy must also describe a secure and reliable way for consumers to submit rights requests, and the controller may not require a consumer to create a new account to exercise rights [^stat-715d4-request-means]. The notice should match the data practices the controller actually carries out.

## What must your contracts with vendors and processors include? {#vendor-processor-contracts}

**Short answer.** A contract between a controller and a processor must govern the processor's data processing on the controller's behalf — so a data processing agreement is a statutory requirement, not a best practice [^stat-715d5-contract].

Section 715D.5 then specifies the required terms: processing instructions, the nature and purpose of processing, the type of data and duration, the rights and duties of both parties, a duty of confidentiality, deletion or return of data at the controller's direction, the information needed to demonstrate compliance, and a requirement to bind subcontractors by written contract to the same processor duties [^stat-715d5-terms]. A compliant template data processing agreement tracks each of these.

## How does Iowa treat sensitive data and opt-outs? {#sensitive-data-and-opt-out}

**Short answer.** Iowa does not require opt-in consent for sensitive data. A controller may process a consumer's sensitive data for a nonexempt purpose only after presenting the consumer with clear notice and an opportunity to opt out, and for a known child it must instead follow the federal Children's Online Privacy Protection Act [^stat-715d4-sensitive]. Sensitive data includes data on race or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify a person; data collected from a known child; and precise geolocation [^stat-715d1-sensitive].

This notice-and-opt-out model is one of the features that makes the ICDPA among the most business-favorable state privacy laws. Iowa also does not require controllers to recognize a universal opt-out preference signal, so an Iowa program can rely on its own opt-out mechanisms for sales and targeted advertising.

## Who enforces the ICDPA, and can consumers sue? {#enforcement-and-lawsuits}

**Short answer.** No consumer can sue. The Attorney General has exclusive authority to enforce the ICDPA [^stat-715d8-enforce], and the chapter provides no private right of action [^stat-715d8-no-pra]. Before bringing an action, the Attorney General must give 90 days' written notice of the specific alleged violations and a chance to cure [^stat-715d8-cure].

A controller that cures within the 90-day window and certifies the cure in writing avoids the action; an uncured violation, or a breach of that written statement, exposes the controller to an injunction and civil penalties of up to $7,500 per violation [^stat-715d8-penalty]. The practical posture is still to build the notice, sensitive-data, and contracting controls up front, but a covered business that receives a notice has a long window to fix the issue.



[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-05. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Iowa. This article synthesizes Iowa primary law and is not legal advice from an Iowa-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.

[^stat-715d2-apply]: **Iowa Code § 715D.2** — "This chapter applies to a person conducting business in the state or producing products or services that are targeted to consumers who are residents of the state and that during a calendar year does either of the following: a. Controls or processes personal data of at least one hundred thousand consumers. b. Controls or processes personal data of at least twenty-five thousand consumers and derives over fifty percent of gross revenue from the sale of personal data." *Iowa Code § 715D.2(1).* <https://www.legis.iowa.gov/docs/code/2025/715D.2.pdf>

[^stat-715d2-exempt]: **Iowa Code § 715D.2** — "This chapter shall not apply to the state or any political subdivision of the state; financial institutions, affiliates of financial institutions, or data subject to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et seq.; persons who are subject to and comply with regulations promulgated pursuant to Tit. II, subtit. F, of the federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, and Tit. XIII, subtit. D, of the federal Health Information Technology for Economic and Clinical Health Act of 2009, 42 U.S.C. §17921 – 17954; nonprofit organizations; or institutions of higher education." *Iowa Code § 715D.2(2).* <https://www.legis.iowa.gov/docs/code/2025/715D.2.pdf>

[^stat-715d1-consumer]: **Iowa Code § 715D.1** — "‘Consumer’ means a natural person who is a resident of the state acting only in an individual or household context and excluding a natural person acting in a commercial or employment context." *Iowa Code § 715D.1(7).* <https://www.legis.iowa.gov/docs/code/2025/715D.1.pdf>

[^stat-715d4-notice]: **Iowa Code § 715D.4** — "A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the following: a. The categories of personal data processed by the controller. b. The purpose for processing personal data. c. How consumers may exercise their consumer rights pursuant to section 715D.3, including how a consumer may appeal a controller’s decision with regard to the consumer’s request. d. The categories of personal data that the controller shares with third parties, if any. e. The categories of third parties, if any, with whom the controller shares personal data." *Iowa Code § 715D.4(5).* <https://www.legis.iowa.gov/docs/code/2025/715D.4.pdf>

[^stat-715d4-optout-disclose]: **Iowa Code § 715D.4** — "If a controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity." *Iowa Code § 715D.4(6).* <https://www.legis.iowa.gov/docs/code/2025/715D.4.pdf>

[^stat-715d4-request-means]: **Iowa Code § 715D.4** — "A controller shall establish, and shall describe in a privacy notice, secure and reliable means for consumers to submit a request to exercise their consumer rights under this chapter." *Iowa Code § 715D.4(7).* <https://www.legis.iowa.gov/docs/code/2025/715D.4.pdf>

[^stat-715d5-contract]: **Iowa Code § 715D.5** — "A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties." *Iowa Code § 715D.5(2).* <https://www.legis.iowa.gov/docs/code/2025/715D.5.pdf>

[^stat-715d5-terms]: **Iowa Code § 715D.5** — "The contract shall also include requirements that the processor shall do all of the following: a. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data. b. At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law. c. Upon the reasonable request of the controller, make available to the controller all information in the processor’s possession necessary to demonstrate the processor’s compliance with the obligations in this chapter. d. Engage any subcontractor or agent pursuant to a written contract in accordance with this section that requires the subcontractor to meet the duties of the processor with respect to the personal data." *Iowa Code § 715D.5(2).* <https://www.legis.iowa.gov/docs/code/2025/715D.5.pdf>

[^stat-715d4-sensitive]: **Iowa Code § 715D.4** — "A controller shall not process sensitive data collected from a consumer for a nonexempt purpose without the consumer having been presented with clear notice and an opportunity to opt out of such processing, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children’s Online Privacy Protection Act, 15 U.S.C. §6501 et seq." *Iowa Code § 715D.4(2).* <https://www.legis.iowa.gov/docs/code/2025/715D.4.pdf>

[^stat-715d1-sensitive]: **Iowa Code § 715D.1** — "‘Sensitive data’ means a category of personal data that includes the following: a. Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, except to the extent such data is used in order to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law. b. Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person. c. The personal data collected from a known child. d. Precise geolocation data." *Iowa Code § 715D.1(26).* <https://www.legis.iowa.gov/docs/code/2025/715D.1.pdf>

[^stat-715d8-enforce]: **Iowa Code § 715D.8** — "The attorney general shall have exclusive authority to enforce the provisions of this chapter." *Iowa Code § 715D.8(1).* <https://www.legis.iowa.gov/docs/code/2025/715D.8.pdf>

[^stat-715d8-no-pra]: **Iowa Code § 715D.8** — "Nothing in this chapter shall be construed as providing the basis for, or be subject to, a private right of action for violations of this chapter or under any other law." *Iowa Code § 715D.8(4).* <https://www.legis.iowa.gov/docs/code/2025/715D.8.pdf>

[^stat-715d8-cure]: **Iowa Code § 715D.8** — "Prior to initiating any action under this chapter, the attorney general shall provide a controller or processor ninety days’ written notice identifying the specific provisions of this chapter the attorney general alleges have been or are being violated. If within the ninety-day period, the controller or processor cures the noticed violation and provides the attorney general an express written statement that the alleged violations have been cured and that no further such violations shall occur, no action shall be initiated against the controller or processor." *Iowa Code § 715D.8(2).* <https://www.legis.iowa.gov/docs/code/2025/715D.8.pdf>

[^stat-715d8-penalty]: **Iowa Code § 715D.8** — "If a controller or processor continues to violate this chapter following the cure period in subsection 2 or breaches an express written statement provided to the attorney general under that subsection, the attorney general may initiate an action in the name of the state and may seek an injunction to restrain any violations of this chapter and civil penalties of up to seven thousand five hundred dollars for each violation under this chapter." *Iowa Code § 715D.8(3).* <https://www.legis.iowa.gov/docs/code/2025/715D.8.pdf>
