Iowa Data Privacy Laws: ICDPA Consumer Rights Guide (2026)

Iowa has two primary data privacy statutes that residents and businesses should understand. The Iowa Consumer Data Protection Act (ICDPA), found in Iowa Code Chapter 715D, establishes comprehensive consumer rights over personal data. The state's data breach notification law, Iowa Code Chapter 715C, requires businesses to notify individuals when their personal information is compromised.
Together, these laws create a framework that protects Iowa consumers while taking a more business-friendly approach than states like California and Colorado. This guide breaks down both statutes, who they apply to, what rights they grant, and what penalties businesses face for noncompliance.
What Is the Iowa Consumer Data Protection Act (ICDPA)?
The ICDPA is Iowa's comprehensive consumer data privacy law. It was enacted through Senate File 262, which the Iowa Senate and House passed unanimously. Governor Kim Reynolds signed the bill into law on March 28, 2023. The law became effective on January 1, 2025, giving businesses roughly 21 months to prepare for compliance.

Iowa became the sixth state in the United States to adopt a comprehensive data privacy law, following California, Virginia, Colorado, Connecticut, and Utah. The ICDPA is codified in Iowa Code Chapter 715D, within Title XVI (Criminal Law and Procedure).
Legal analysts have described the ICDPA as one of the most business-friendly comprehensive privacy laws among the states. It closely resembles the Utah Consumer Privacy Act and the Virginia Consumer Data Protection Act in its scope and approach.
Who Does the ICDPA Apply To?
The ICDPA applies to persons that conduct business in Iowa or produce products or services targeted to Iowa consumers and that meet one of two thresholds during a calendar year.
Threshold 1: Control or process the personal data of at least 100,000 Iowa consumers.
Threshold 2: Derive over 50% of gross revenue from the sale of personal data and control or process the personal data of at least 25,000 Iowa consumers.
A significant distinction from some other state privacy laws is that the ICDPA does not include a minimum annual revenue requirement. This means smaller businesses that process large volumes of Iowa consumer data may still fall within the law's scope.
The term "consumer" under Iowa Code Section 715D.1 means a natural person who is a resident of Iowa acting only in an individual or household context. It does not include natural persons acting in a commercial or employment context.
Consumer Rights Under the ICDPA
Iowa Code Section 715D.3 grants Iowa consumers four specific rights regarding their personal data. A controller must comply with an authenticated consumer request to exercise these rights.
Right to Access
Consumers have the right to confirm whether a controller is processing their personal data and to access that personal data. This allows individuals to know what information a business holds about them.
Right to Delete
Consumers may request deletion of personal data that they provided to the controller. This right is limited to data the consumer directly provided, not data the controller collected from other sources or inferred about the consumer.
Right to Data Portability
Consumers can obtain a copy of their personal data in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance. This right applies where the processing is carried out by automated means.
Right to Opt Out of Data Sales
Consumers have the right to opt out of the sale of their personal data. Under the ICDPA, "sale" is defined narrowly as the exchange of personal data for monetary consideration by the controller to a third party. This is a narrower definition than California's, which also covers exchanges for "other valuable consideration."
What Rights Are Missing?
The ICDPA is notably narrower than privacy laws in states like California, Colorado, and Connecticut. Iowa consumers do not have:
- Right to correct inaccurate personal data. Every other comprehensive state privacy law includes this right.
- Right to opt out of targeted advertising. However, controllers must disclose targeted advertising activities and how users may opt out.
- Right to opt out of profiling. Iowa does not address automated decision-making or profiling in the consumer rights section.
These omissions are a central reason the ICDPA is considered more business-friendly than other state privacy laws.
Response Timeline
Controllers must respond to consumer requests without undue delay, but in all cases within 90 days of receipt. Information provided in response to a consumer request must be provided free of charge, up to twice annually per consumer.
Key Definitions Under the ICDPA
Understanding the ICDPA requires familiarity with several defined terms from Iowa Code Section 715D.1.
Personal data means any information that is linked or reasonably linkable to an identified or identifiable natural person. It does not include de-identified data, aggregate data, or publicly available information.
Sensitive data includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status (except when used to prevent discrimination). It also includes genetic or biometric data processed for the purpose of uniquely identifying a person, personal data collected from a known child, and precise geolocation data.
Controller means a person that, alone or jointly with others, determines the purpose and means of processing personal data.
Processor means a person that processes personal data on behalf of a controller.
Targeted advertising means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests.
Data Controller Duties
Iowa Code Section 715D.4 outlines several obligations for controllers.
Transparency Requirements
Controllers must provide consumers with a reasonably accessible, clear privacy notice that discloses the categories of personal data processed, the purpose for processing, how consumers may exercise their rights, the categories of personal data shared with third parties, and the categories of third parties with whom data is shared.
If a controller sells personal data or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose that activity and provide a mechanism for consumers to opt out.
Data Security
Controllers must adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. These practices must be appropriate to the volume and nature of the personal data at issue.
Sensitive Data Processing
The ICDPA takes a different approach to sensitive data than most other state privacy laws. Instead of requiring opt-in consent before processing sensitive data, Iowa requires controllers to provide clear notice and an opportunity for consumers to opt out before processing sensitive data. This is a less restrictive standard and another reason the law is considered business-friendly.
No Data Protection Assessments Required
Unlike Colorado, Connecticut, and Virginia, the ICDPA does not require controllers to conduct data protection impact assessments for processing activities that present a heightened risk of harm to consumers. It also does not impose data minimization or purpose limitation requirements.
No Universal Opt-Out Signal Requirement
The ICDPA does not require controllers to recognize or respond to universal opt-out mechanisms such as the Global Privacy Control (GPC). States like Colorado and Connecticut do require businesses to honor such signals.
Processor Duties
Iowa Code Section 715D.5 requires processors to assist controllers with consumer requests and to implement appropriate data security measures. Controllers and processors must enter into contracts specifying the instructions for processing, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.
Processors must also allow controllers to request the return or deletion of personal data at the end of the processing relationship.
Exemptions Under the ICDPA
Iowa Code Section 715D.7 provides broad exemptions at both the entity and data levels.
Entity-Level Exemptions
The following types of organizations are exempt from the ICDPA entirely:
- Government entities (state and local agencies)
- Nonprofit organizations
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Entities covered by HIPAA (Health Insurance Portability and Accountability Act) and the HITECH Act
- Institutions of higher education
Data-Level Exemptions
Certain categories of data are exempt from the ICDPA regardless of the entity processing them:
| Exempted Data Category | Governing Federal Law |
|---|---|
| Protected health information | HIPAA |
| Patient identifying information | 42 U.S.C. Section 290dd-2 |
| Consumer credit information | Fair Credit Reporting Act (FCRA) |
| Student education records | Family Educational Rights and Privacy Act (FERPA) |
| Children's online data | Children's Online Privacy Protection Act (COPPA) |
| Driver information | Driver's Privacy Protection Act (DPPA) |
| Farm credit data | Farm Credit Act |
| Employment-related data | Various federal and state employment laws |
| De-identified and aggregate data | N/A |
Enforcement of the ICDPA
Iowa Code Section 715D.8 establishes the enforcement framework.
Attorney General Authority
The Iowa Attorney General has exclusive authority to enforce the ICDPA. There is no private right of action, meaning individual consumers cannot file lawsuits against businesses for violations. Consumers may, however, report violations to the Attorney General's office.
90-Day Cure Period
Before initiating any enforcement action, the Attorney General must provide the controller or processor with 90 days' written notice identifying the specific provisions alleged to have been violated. If the business cures the violation within the 90-day period and provides an express written statement that the violations have been cured and no further violations shall occur, the Attorney General takes no further action.
This 90-day cure period is the longest among all state comprehensive privacy laws. For comparison, Virginia started with a 30-day cure period (which sunsets in 2025), Colorado provides a 60-day cure period (sunsetting in 2025), and Connecticut's 60-day cure period ended in 2025.
Critically, Iowa's 90-day cure period has no sunset clause. It remains a permanent feature of the law, meaning businesses will always have the opportunity to cure violations before facing penalties.
Penalties
If a controller or processor fails to cure a violation within the 90-day window, or breaches the express written statement provided to the Attorney General, the following enforcement tools are available:
| Enforcement Action | Details |
|---|---|
| Civil penalties | Up to $7,500 per violation |
| Injunctive relief | Court order to stop ongoing violations |
| Costs and attorney fees | Recoverable by the state |
| Fund destination | All amounts collected go to the Consumer Education and Litigation Fund under Iowa Code Section 714.16C |
Preemption
Iowa Code Section 715D.9 establishes that the ICDPA supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by any city, county, municipality, or local agency regarding the processing of personal data by controllers or processors. Local governments in Iowa cannot enact their own data privacy ordinances that conflict with the ICDPA.
Iowa Data Breach Notification Law (Iowa Code Chapter 715C)
Separate from the ICDPA, Iowa has maintained a data breach notification law since 2008, most recently amended in 2014. Iowa Code Chapter 715C requires businesses and other entities to notify Iowa residents when their personal information has been compromised in a data breach.
What Triggers a Notification Obligation?
Notification is required when personal information maintained by a person who owns or licenses computerized data is acquired without authorization and there is a reasonable likelihood of financial harm to the consumer.
A "breach of security" means the unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information.
What Personal Information Is Covered?
Under Iowa Code Section 715C.1, "personal information" is defined as an individual's first name or first initial and last name in combination with any one or more of the following data elements:
- Social Security number
- Driver's license number or other unique government identification number
- Financial account number, credit card number, or debit card number in combination with any required expiration date, security code, or password that would permit access to the account
- Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to a financial account
- Unique biometric data (fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data)
The definition also covers any of the above data elements when not combined with a name if the element, when compromised, would be sufficient to perform or attempt identity theft.
Notification Timeline
The statute requires notification in the most expeditious manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to determine contact information for affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data.
Iowa does not set a specific day count for consumer notification. This is less prescriptive than states like Colorado (30 days) and Florida (30 days).
Attorney General Notification
Any entity whose breach affects 500 or more Iowa residents must provide written notice to the Director of the Consumer Protection Division of the Iowa Attorney General's Office within five business days after notifying affected consumers.
Contact information for breach reporting:
- Email: consumer@ag.iowa.gov
- Phone: 515-281-5926
- Mail: Consumer Protection Division, Office of the Attorney General
What Must the Notification Include?
Breach notifications to consumers must contain:
- A description of the breach of security
- The approximate date of the breach
- The type of personal information obtained as a result of the breach
- Contact information for consumer reporting agencies
- Advice to the consumer to report suspected incidents of identity theft to local law enforcement or the Attorney General
Substitute Notification
Iowa permits substitute notification when the cost of providing direct notice would exceed $250,000, the affected class exceeds 350,000 persons, or the entity does not have sufficient contact information. Substitute notification consists of email notice (if the entity has email addresses), conspicuous posting on the entity's website, and notification to major statewide media.
When Notification Is Not Required
Notification is not required if, after an appropriate investigation or consultation with relevant law enforcement, the entity determines that no reasonable likelihood of financial harm to the consumers has resulted or will result from the breach. This determination must be documented in writing and maintained for five years.
Enforcement of Breach Notification Law
A violation of Iowa Code Chapter 715C is an unlawful practice under Iowa's consumer fraud statute. The Iowa Attorney General may seek and obtain an order requiring the violating party to pay damages on behalf of injured persons. Entities that comply with federal laws providing equivalent or greater protection (such as GLBA or HIPAA) are deemed to be in compliance with Iowa's breach notification requirements.
How Iowa Compares to Other State Privacy Laws
The ICDPA is frequently compared to other comprehensive state data privacy laws. Here is how Iowa stacks up on key provisions.
| Feature | Iowa | California (CCPA/CPRA) | Virginia | Colorado | Connecticut |
|---|---|---|---|---|---|
| Effective date | Jan. 1, 2025 | Jan. 1, 2020 / Jan. 1, 2023 | Jan. 1, 2023 | July 1, 2023 | July 1, 2023 |
| Right to access | Yes | Yes | Yes | Yes | Yes |
| Right to delete | Yes (consumer-provided data) | Yes (all data) | Yes | Yes | Yes |
| Right to correct | No | Yes | Yes | Yes | Yes |
| Right to portability | Yes | Yes | Yes | Yes | Yes |
| Right to opt out of sales | Yes (monetary only) | Yes (monetary + valuable consideration) | Yes | Yes | Yes |
| Right to opt out of targeted advertising | No | Yes | Yes | Yes | Yes |
| Right to opt out of profiling | No | Yes (limited) | Yes | Yes | Yes |
| Sensitive data consent | Opt-out | Opt-in (for certain categories) | Opt-in | Opt-in | Opt-in |
| Data protection assessments | Not required | Required (CPRA) | Required | Required | Required |
| Universal opt-out signal | Not required | Required | Not required | Required | Required |
| Cure period | 90 days (permanent) | 30 days (expired) | 30 days (sunsets 2025) | 60 days (sunsets 2025) | 60 days (expired 2025) |
| Enforcement | AG only | AG + private right of action (limited) | AG only | AG only | AG only |
| Penalties per violation | $7,500 | $2,500 / $7,500 (intentional) | $7,500 | $20,000 | $5,000 |
Tips for Businesses Operating in Iowa
Businesses that meet the ICDPA's applicability thresholds should take several steps to ensure compliance.
Audit your data processing activities. Determine whether you control or process the personal data of 100,000 or more Iowa consumers, or whether you derive over 50% of your gross revenue from the sale of personal data while controlling or processing the personal data of 25,000 or more Iowa consumers.
Update your privacy notice. Ensure your privacy policy discloses the categories of personal data processed, the purposes for processing, how consumers can exercise their rights, and whether you sell personal data or engage in targeted advertising.
Establish consumer request procedures. Implement a system to receive, authenticate, and respond to consumer access, deletion, portability, and opt-out requests within the 90-day response window.
Review vendor contracts. If you use data processors, verify that your contracts meet the requirements of Iowa Code Section 715D.5, including processing instructions, data security obligations, and data return or deletion provisions.
Address sensitive data processing. If you process sensitive data, provide clear notice and an opt-out mechanism before processing begins.
Prepare a breach response plan. Ensure you have procedures in place to detect breaches, investigate their scope, notify affected individuals, and report to the Iowa Attorney General within five business days when 500 or more residents are affected.
This article provides general legal information about Iowa data privacy laws. It is not legal advice and does not create an attorney-client relationship. Data privacy laws change frequently. Consult with a qualified attorney licensed in Iowa for advice about your specific situation.
Sources and References
- Iowa Code Chapter 715D: Consumer Data Protections (Full Text) (legis.iowa.gov)
- Iowa Code Section 715D.1: Definitions (legis.iowa.gov)
- Iowa Code Section 715D.3: Consumer Data Rights (legis.iowa.gov)
- Iowa Code Section 715D.4: Data Controller Duties (legis.iowa.gov)
- Iowa Code Section 715D.5: Processor Duties (legis.iowa.gov)
- Iowa Code Section 715D.7: Limitations and Exemptions (legis.iowa.gov)
- Iowa Code Section 715D.9: Preemption (legis.iowa.gov)
- Senate File 262 (Enrolled): Iowa Consumer Data Protection Act (legis.iowa.gov)
- Iowa Code Chapter 715C: Personal Information Security Breach Protection (legis.iowa.gov)
- Iowa Code Section 715C.2: Security Breach Notification Requirements (legis.iowa.gov)
- Iowa Attorney General: Security Breach Notifications (iowaattorneygeneral.gov)
- Iowa Code Section 714.16C: Consumer Education and Litigation Fund (legis.iowa.gov)