Iowa Consumer Data Privacy Act (ICDPA)

    Overview

    The Iowa Consumer Data Privacy Act (ICDPA) is the sixth consumer data privacy law enacted in the United States, signed into law on March 28, 2023, and effective on January 1, 2025. It establishes guidelines for businesses on the collection, processing, and protection of personal data of Iowa residents, aligning with existing data privacy laws such as California's CCPA and Colorado's CPA. The ICDPA emphasizes transparency, consumer rights, the secure handling of sensitive personal information, and includes requirements related to data breaches as outlined in Chapter 715C of the Iowa Code.

     

     

    Regulation Summary

    Timeline
    • March 15, 2023: ICDPA passed the Iowa Senate.
    • March 28, 2023: Signed into law.
    • January 1, 2025: Law becomes enforceable.
    What Businesses Are Affected
    • Applies to businesses operating in Iowa or targeting Iowa residents.
    • Businesses that meet one of the following criteria:
      • Process data of 100,000+ consumers annually.
      • Process data of 25,000+ consumers and derive over 50% of revenue from data sales.
    Exemptions
    • Government entities, financial institutions, and nonprofits.
    • Data regulated by HIPAA, GLBA, FERPA, and COPPA.
    • Employment and household data.
    Responsibilities for Businesses
    • Data Security: Implement appropriate technical and organizational safeguards.
    • Transparency: Provide clear and accessible privacy notices.
    • Purpose Limitation: Avoid using data for undisclosed purposes.
    • Non-discrimination: Prohibit unfair treatment of consumers exercising their rights.
    Specific Responsibilities for Website Owners
    • Opt-Out Mechanism: Provide an option to opt out of data sales and targeted advertising.
    • Privacy Notices: Display detailed privacy notices about data collection and usage.
    • Data Access Requests: Respond to consumer requests within 90 days.
    Additional Requirements
    • Sensitive Data: Obtain consumer consent before processing sensitive data (e.g., health data, biometric data).
    • Contractual Obligations: Processors must adhere to specific data handling instructions set by controllers.
    Data Subject Rights
    • Access: Request confirmation and access to personal data.
    • Deletion: Request deletion of personal data.
    • Data Portability: Receive personal data in a portable format.
    • Opt-Out: Refuse the sale of personal data.
    Enforcement
    • Enforced by the Iowa Attorney General.
    • Cure period: 90 days to address violations after notice.
    • Civil penalties: Up to $7,500 per violation.
    • No private right of action (individual lawsuits not allowed).
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you..

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596