Iowa Data Privacy Laws: ICDPA Consumer Rights Guide (2026)

The Iowa Consumer Data Protection Act (ICDPA), codified as Iowa Code Chapter 715D, took effect on January 1, 2025, giving Iowa consumers four rights over their personal data: access, deletion, portability, and opt-out of sales. The Iowa Attorney General enforces the law exclusively, with civil penalties reaching $7,500 per violation.

Iowa has two primary data privacy statutes that residents and businesses need to understand. The Iowa Consumer Data Protection Act (ICDPA), found in Iowa Code Chapter 715D, establishes comprehensive consumer rights over personal data held by covered businesses. The state's data breach notification law, Iowa Code Chapter 715C, requires notification when personal information is compromised.

Together, these statutes create a protective framework that is notably more business-friendly than laws in California, Colorado, and Connecticut. Iowa lacks a right to correct inaccurate data, requires only opt-out (not opt-in) consent for sensitive data processing, and provides the longest cure period of any state privacy law. This guide covers both statutes, their scope, consumer rights, real enforcement actions, federal overlay, and practical steps for compliance.

What Is the Iowa Consumer Data Protection Act (ICDPA)?

The ICDPA is Iowa's comprehensive consumer data privacy law. Senate File 262 passed the Iowa Senate and House unanimously. Governor Kim Reynolds signed it into law on March 28, 2023. The law became effective on January 1, 2025, giving businesses roughly 21 months to prepare.

Iowa became the sixth state in the United States to adopt a comprehensive data privacy law, following California, Virginia, Colorado, Connecticut, and Utah. The ICDPA is codified in Iowa Code Chapter 715D, within Title XVI (Criminal Law and Procedure).

Legal analysts have described the ICDPA as one of the most business-friendly comprehensive privacy laws among the states. It closely resembles the Utah Consumer Privacy Act and the Virginia Consumer Data Protection Act in scope and approach, with meaningful reductions in compliance burden compared to California's CCPA/CPRA and Colorado's CPA.

Who Does the ICDPA Apply To?

The ICDPA applies to persons that conduct business in Iowa or produce products or services targeted to Iowa consumers and that meet one of two thresholds during a calendar year.

Threshold 1: Control or process the personal data of at least 100,000 Iowa consumers.

Threshold 2: Derive over 50% of gross revenue from the sale of personal data and control or process the personal data of at least 25,000 Iowa consumers.

A significant distinction from some other state privacy laws is that the ICDPA does not include a minimum annual revenue requirement. This means smaller businesses that process large volumes of Iowa consumer data may still fall within the law's scope even if their total revenues are modest.

The term "consumer" under Iowa Code Section 715D.1 means a natural person who is a resident of Iowa acting only in an individual or household context. It does not include natural persons acting in a commercial or employment context. Employees are explicitly excluded.

Consumer Rights Under the ICDPA

Iowa Code Section 715D.3 grants Iowa consumers four specific rights regarding their personal data. A controller must comply with an authenticated consumer request to exercise these rights.

Right to Access

Consumers have the right to confirm whether a controller is processing their personal data and to access that personal data. This allows individuals to know what information a business holds about them and how it is being used.

Right to Delete

Consumers may request deletion of personal data that they provided to the controller. This right is limited to data the consumer directly provided, not data the controller collected from other sources or inferred about the consumer. This narrower scope distinguishes Iowa from California and Colorado, which cover all personal data the controller holds.

Right to Data Portability

Consumers can obtain a copy of their personal data in a portable and, to the extent technically practicable, readily usable format that allows transmission to another controller without hindrance. The processing must be carried out by automated means.

Right to Opt Out of Data Sales

Consumers have the right to opt out of the sale of their personal data. Under the ICDPA, "sale" is defined narrowly as the exchange of personal data for monetary consideration by the controller to a third party. This is a narrower definition than California's, which also covers exchanges for "other valuable consideration."

What Rights Are Missing?

The ICDPA is notably narrower than privacy laws in states like California, Colorado, and Connecticut. Iowa consumers do not have:

• Right to correct inaccurate personal data. Every other comprehensive state privacy law includes this right.
• Right to opt out of targeted advertising. Controllers must disclose targeted advertising activities and how users may opt out, but the consumer has no statutory opt-out right under the ICDPA.
• Right to opt out of profiling. Iowa does not address automated decision-making or profiling in the consumer rights section.

These omissions are a central reason the ICDPA is considered more business-friendly than other state privacy laws.

Response Timeline

Controllers must respond to consumer requests without undue delay, but in all cases within 90 days of receipt. Information provided in response to a consumer request must be provided free of charge, up to twice annually per consumer.

Key Definitions Under the ICDPA

Understanding the ICDPA requires familiarity with several defined terms from Iowa Code Section 715D.1.

Personal data means any information that is linked or reasonably linkable to an identified or identifiable natural person. It does not include de-identified data, aggregate data, or publicly available information.

Sensitive data includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status (except when used to prevent discrimination). It also includes genetic or biometric data processed for the purpose of uniquely identifying a person, personal data collected from a known child, and precise geolocation data.

Controller means a person that, alone or jointly with others, determines the purpose and means of processing personal data.

Processor means a person that processes personal data on behalf of a controller.

Targeted advertising means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests.

Data Controller Duties

Iowa Code Section 715D.4 outlines several obligations for controllers.

Transparency Requirements

Controllers must provide consumers with a reasonably accessible, clear privacy notice that discloses the categories of personal data processed, the purpose for processing, how consumers may exercise their rights, the categories of personal data shared with third parties, and the categories of third parties with whom data is shared.

If a controller sells personal data or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose that activity and provide a mechanism for consumers to opt out.

Data Security

Controllers must adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. These practices must be appropriate to the volume and nature of the personal data at issue.

Sensitive Data Processing

The ICDPA takes a different approach to sensitive data than most other state privacy laws. Instead of requiring opt-in consent before processing sensitive data, Iowa requires controllers to provide clear notice and an opportunity for consumers to opt out before processing sensitive data. This is a less restrictive standard and another reason the law is considered business-friendly.

No Data Protection Assessments Required

Unlike Colorado, Connecticut, and Virginia, the ICDPA does not require controllers to conduct data protection impact assessments for processing activities that present a heightened risk of harm to consumers. It also does not impose data minimization or purpose limitation requirements.

No Universal Opt-Out Signal Requirement

The ICDPA does not require controllers to recognize or respond to universal opt-out mechanisms such as the Global Privacy Control (GPC). States like Colorado and Connecticut do require businesses to honor such signals.

Processor Duties

Iowa Code Section 715D.5 requires processors to assist controllers with consumer requests and to implement appropriate data security measures. Controllers and processors must enter into contracts specifying the instructions for processing, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.

Processors must also allow controllers to request the return or deletion of personal data at the end of the processing relationship.

Exemptions Under the ICDPA

Iowa Code Section 715D.7 provides broad exemptions at both the entity and data levels.

Entity-Level Exemptions

The following types of organizations are exempt from the ICDPA entirely:

• Government entities (state and local agencies)
• Nonprofit organizations
• Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
• Entities covered by HIPAA (Health Insurance Portability and Accountability Act) and the HITECH Act
• Institutions of higher education

Data-Level Exemptions

Certain categories of data are exempt from the ICDPA regardless of the entity processing them:

Enforcement of the ICDPA

Iowa Code Section 715D.8 establishes the enforcement framework.

Attorney General Authority

The Iowa Attorney General has exclusive authority to enforce the ICDPA. There is no private right of action, meaning individual consumers cannot file lawsuits against businesses for ICDPA violations. Consumers may report violations to the Attorney General's office for investigation.

90-Day Cure Period

Before initiating any enforcement action, the Attorney General must provide the controller or processor with 90 days' written notice identifying the specific provisions alleged to have been violated. If the business cures the violation within the 90-day period and provides an express written statement that the violations have been cured and no further violations shall occur, the Attorney General takes no further action.

This 90-day cure period is the longest among all state comprehensive privacy laws. For comparison, Virginia began with a 30-day cure period (which sunset in 2025), Colorado provided a 60-day cure period (which sunset in 2025), and Connecticut's 60-day cure period expired in 2025. Iowa's 90-day cure period has no sunset clause and remains a permanent feature of the law.

Penalties

If a controller or processor fails to cure a violation within the 90-day window, or breaches the express written statement provided to the Attorney General, the following enforcement tools are available:

Preemption

Iowa Code Section 715D.9 establishes that the ICDPA supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by any city, county, municipality, or local agency regarding the processing of personal data by controllers or processors. Local governments in Iowa cannot enact their own data privacy ordinances that conflict with the ICDPA.

Recent Enforcement Actions by Iowa AG Brenna Bird

Although the ICDPA itself has not yet generated a reported enforcement action, AG Brenna Bird has pursued several data-related consumer protection cases under Iowa Code Chapter 714.16 (Iowa Consumer Fraud Act) and Chapter 715C (breach notification). These cases signal the AG's approach and enforcement priorities for data-intensive businesses operating in Iowa.

General Motors / OnStar (Filed February 26, 2026)

AG Bird filed suit in Polk County District Court against General Motors LLC and its OnStar subsidiary, alleging violations of the Iowa Consumer Fraud Act. The petition alleged that since 2015 GM installed tracking systems in its vehicles that collected speed, seatbelt usage, driving habits, and precise location data. GM then sold that data to third-party data brokers, which resold it to insurance companies that used it to raise rates, deny coverage, or cancel policies. The complaint alleged GM deceived consumers at the point of sale by misrepresenting the nature and scope of OnStar-connected services. The state seeks restitution for affected Iowans, civil penalties, and a court order barring further data-sharing practices in Iowa.

Change Healthcare (Filed March 31, 2026)

AG Bird filed suit against Change Healthcare Inc. and its owners under both the Iowa Consumer Fraud Act and the Personal Information Security Breach Protection Act (Iowa Code Chapter 715C). The complaint alleged that a February 2024 cyberattack went undetected for ten days while a criminal actor installed malware, created privileged administrator accounts, and stole the personal health, financial, and identifying data of approximately 2.2 million Iowans, including Social Security numbers, driver's license numbers, health insurance information, and medical records. Change Healthcare allegedly failed to notify affected Iowans for five months after discovery. The state sought civil penalties, mandatory improvements to data security, and restoration of ill-gotten gains. Iowa Code Section 714.16(7) allows civil penalties of up to $40,000 per violation under the Consumer Fraud Act.

TikTok (Amended Complaint, April 2026)

Iowa's original lawsuit against TikTok alleged the platform deployed addictive design features targeting minors. In April 2026, AG Bird filed an amended complaint adding a data privacy dimension: the state alleged TikTok falsely represented to Iowa users that their personal data was safe from Chinese government access, constituting deceptive trade practices under the Iowa Consumer Fraud Act. The suit seeks injunctive relief, civil penalties, disgorgement, and fees.

Iowa Data Breach Notification Law (Iowa Code Chapter 715C)

Separate from the ICDPA, Iowa has maintained a data breach notification law since 2008, most recently amended in 2014. Iowa Code Chapter 715C requires businesses and other entities to notify Iowa residents when their personal information has been compromised.

What Triggers a Notification Obligation?

Notification is required when any unauthorized acquisition of personal information maintained in computerized form occurs and there is a reasonable likelihood of financial harm to the consumer. A "breach of security" means the unauthorized acquisition of personal information that compromises its security, confidentiality, or integrity.

What Personal Information Is Covered?

Under Iowa Code Section 715C.1, "personal information" is an individual's first name or first initial and last name in combination with any one or more of the following:

• Social Security number
• Driver's license number or other unique government identification number
• Financial account number, credit card number, or debit card number in combination with any required security code or password
• Unique electronic identifier or routing code in combination with any required security code or password permitting access to a financial account
• Unique biometric data (fingerprint, retina or iris image, or other unique physical representation)

The definition also covers any of the above elements when not combined with a name, if the element alone would be sufficient to enable identity theft.

Notification Timeline

The statute requires notification in the most expeditious manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore reasonable integrity and security of the data.

Iowa does not set a specific day count for consumer notification. This is less prescriptive than states like Colorado and Florida, which require notification within 30 days.

Attorney General Notification

Any entity whose breach affects 500 or more Iowa residents must provide written notice to the Director of the Consumer Protection Division of the Iowa Attorney General's Office within five business days after notifying affected consumers.

Contact information for breach reporting:

• Email: consumer@ag.iowa.gov
• Phone: 515-281-5926
• Mail: Consumer Protection Division, Office of the Attorney General

What Must the Notification Include?

Breach notifications to consumers must contain:

• A description of the breach of security
• The approximate date of the breach
• The type of personal information obtained as a result of the breach
• Contact information for consumer reporting agencies
• Advice to the consumer to report suspected incidents of identity theft to local law enforcement or the Attorney General

Substitute Notification

Iowa permits substitute notification when the cost of providing direct notice would exceed $250,000, the affected class exceeds 350,000 persons, or the entity lacks sufficient contact information. Substitute notification consists of email notice (where available), conspicuous posting on the entity's website, and notification to major statewide media.

When Notification Is Not Required

Notification is not required if, after an appropriate investigation or consultation with relevant law enforcement, the entity determines that no reasonable likelihood of financial harm to the consumers has resulted or will result from the breach. This determination must be documented in writing and maintained for five years.

Enforcement of Breach Notification Law

A violation of Iowa Code Chapter 715C is an unlawful practice under Iowa's consumer fraud statute. The Iowa Attorney General may seek an order requiring the violating party to pay damages on behalf of injured persons. Entities that comply with federal laws providing equivalent or greater protection (such as GLBA or HIPAA) are deemed to be in compliance with Iowa's breach notification requirements.

Iowa Insurance Data Security Act

Iowa enacted a separate data security law specifically for insurance licensees. The Iowa Insurance Data Security Act, codified at Iowa Code Chapter 507F, was signed on April 30, 2021, and took effect January 1, 2022. It is based on the National Association of Insurance Commissioners (NAIC) model cybersecurity law.

Chapter 507F applies to licensees of the Iowa Insurance Division and imposes requirements to develop and maintain an Information Security Program, investigate cybersecurity events, and notify the Insurance Commissioner within three business days of determining a cybersecurity event has occurred. It establishes exclusive state standards for data security and cybersecurity event investigation for regulated insurance entities, operating separately from the ICDPA and Chapter 715C frameworks.

Federal Privacy Laws That Apply in Iowa

Federal law creates parallel obligations for Iowa businesses that apply regardless of whether the ICDPA threshold is met.

TAKE IT DOWN Act (Pub. L. 119-12)

President Trump signed the TAKE IT DOWN Act on May 19, 2025. The law criminalizes the publication of nonconsensual intimate imagery (NCII), including AI-generated deepfakes. The criminal prohibition was immediate upon signing. Platform takedown obligations, requiring covered online platforms to remove reported NCII within 48 hours of notice, became effective on May 19, 2026, with the Federal Trade Commission as the enforcement authority. Covered platforms that fail to "reasonably comply" with the notice-and-removal requirements are deemed in violation of the FTC Act's unfair or deceptive acts or practices provisions.

HIPAA and HITECH

The Health Insurance Portability and Accountability Act governs covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and their business associates. HIPAA's Privacy Rule and Security Rule impose access, use, disclosure, and security requirements on protected health information. Iowa's ICDPA exempts HIPAA-covered entities at the entity level and exempts protected health information at the data level, but HIPAA applies to those entities directly.

Gramm-Leach-Bliley Act (GLBA)

Financial institutions subject to the GLBA are exempt from the ICDPA. The GLBA's Safeguards Rule, updated by the FTC in 2023, requires covered financial institutions to develop, implement, and maintain a comprehensive information security program and to provide customers with notices about information-sharing practices.

Fair Credit Reporting Act (FCRA)

The FCRA governs consumer reporting agencies and those who furnish or use consumer report information. FCRA-regulated data is exempt from the ICDPA's data-level exemptions. Consumers have rights to access their credit reports, dispute inaccurate information, and restrict certain uses of their data under federal law regardless of Iowa state law.

Children's Online Privacy Protection Act (COPPA)

COPPA applies to operators of websites and online services directed to children under 13, and to general-audience services that have actual knowledge they are collecting personal information from children under 13. COPPA requires verifiable parental consent before collecting personal information from children. The ICDPA provides a data-level exemption for personal data collected under COPPA, but COPPA itself continues to apply independently.

FTC Act Section 5

The FTC's authority to prohibit unfair or deceptive acts or practices in commerce provides a federal consumer protection floor. Businesses that make material misrepresentations about their data practices face FTC enforcement independent of any state law. The GM/OnStar and TikTok enforcement trends noted above mirror parallel FTC enforcement at the federal level.

How Iowa Compares to Other State Privacy Laws

The ICDPA is frequently compared to other comprehensive state data privacy laws. Here is how Iowa stacks up on key provisions.

How Iowa Consumers Exercise Their Rights

Iowa consumers with questions about how a business is using their personal data can take these steps under the ICDPA:

Step 1: Identify the controller. Determine which company controls the personal data at issue. This is usually the company you have a direct relationship with.

Step 2: Locate the privacy notice. The ICDPA requires controllers to maintain a privacy notice that explains how to submit access, deletion, portability, and opt-out requests. This is typically linked in the website footer.

Step 3: Submit an authenticated request. Controllers may require you to verify your identity before responding. Provide the information requested for authentication, but you are not required to provide more than what is reasonably necessary.

Step 4: Await the response window. Controllers have up to 90 days to respond. They may request a single 45-day extension by notifying you of the reason.

Step 5: Appeal a denial. If a controller denies your request, Iowa law gives you the right to appeal that denial to the controller. The controller must complete the appeal within 60 days and explain the outcome in writing.

Step 6: Contact the Attorney General. If you believe a business has violated the ICDPA, you may report it to the Iowa Attorney General's Consumer Protection Division. Call 515-281-5926, email consumer@ag.iowa.gov, or visit iowaattorneygeneral.gov.

Iowa's recording laws are governed by Iowa Code Chapter 808B, which establishes a one-party consent standard for recording conversations.

Tips for Businesses Operating in Iowa

Businesses that meet the ICDPA's applicability thresholds should take several steps to ensure compliance.

Audit your data processing activities. Determine whether you process personal data of 100,000 or more Iowa consumers, or whether you derive 50% or more of your revenue from data sales involving 25,000 or more Iowa consumers.

Update your privacy notice. Ensure your privacy policy discloses the categories of personal data processed, the purposes for processing, how consumers can exercise their rights, and whether you sell personal data or engage in targeted advertising.

Establish consumer request procedures. Implement a system to receive, authenticate, and respond to consumer access, deletion, portability, and opt-out requests within the 90-day response window.

Review vendor contracts. If you use data processors, verify that your contracts meet the requirements of Iowa Code Section 715D.5, including processing instructions, data security obligations, and data return or deletion provisions.

Address sensitive data processing. If you process sensitive data, provide clear notice and an opt-out mechanism before processing begins.

Prepare a breach response plan. Ensure you have procedures in place to detect breaches, investigate their scope, notify affected individuals, and report to the Iowa Attorney General within five business days when 500 or more residents are affected.

If you operate connected vehicles or collect driving behavior data, the GM/OnStar enforcement action signals that the Iowa AG will pursue data-sale practices under the Consumer Fraud Act even without an ICDPA violation. Review what vehicle data you collect, how you share it, and what disclosures you make at the point of sale.

More Iowa Laws

Iowa's data privacy laws are part of a broader set of protections for residents. Explore other Iowa legal topics:

• Iowa Age-Verification Law (HF 864) Takes Effect July 1, 2026
• State Data Privacy Laws Overview
• Iowa Recording Laws
• Iowa AI Meeting Recording Laws
• Iowa Alimony Laws
• Iowa At-Will Employment Laws
• Iowa Car Accident Laws
• Iowa Car Seat Laws
• Iowa Child Custody Laws
• Iowa Child Support Laws
• Iowa Common Law Marriage Laws
• Iowa Deepfake Laws
• Iowa Divorce Laws
• Iowa Dog Bite Laws
• Iowa Emancipation Laws
• Iowa Expungement Laws
• Iowa Hit and Run Laws
• Iowa Landlord-Tenant Laws
• Iowa Lemon Laws

In-depth guides

• What Is the ICDPA? Iowa Consumer Data Protection Act
• ICDPA Consumer Rights: Your Data Privacy Rights
• ICDPA Compliance Checklist for Businesses (2026)