Iowa Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Iowa requires businesses to notify consumers when their personal information has been compromised in a data breach. The state's Personal Information Security Breach Protection Act, codified at Iowa Code Chapter 715C, establishes notification requirements, timelines, and enforcement mechanisms.
Iowa's breach notification framework is notable for two reasons. First, it includes biometric data in its definition of protected personal information. Second, violations are classified as unlawful practices under the state's consumer fraud statute, giving the Attorney General broad enforcement power to seek damages on behalf of affected consumers.
The state also enacted the Iowa Consumer Data Protection Act (Chapter 715D) in 2023, effective January 1, 2025, which adds a separate layer of protection for biometric data as sensitive consumer data.
This guide covers the notification requirements, timelines, penalties, and enforcement mechanisms under Iowa law.
For broader context on Iowa's overall privacy framework, see the parent guide to [Iowa Data Privacy Laws](/us-laws/data-privacy-laws/iowa-data-privacy-laws).
Who Must Comply
Iowa's breach notification law applies to any person who owns or licenses computerized data that includes a consumer's personal information that is used in the course of the person's business, vocation, occupation, or volunteer activities (Iowa Code 715C.2).
The law also applies to any person who maintains or otherwise possesses personal information on behalf of another person. These third-party agents must notify the owner or licensor of the information immediately following discovery of a breach.
What Qualifies as Personal Information
Under Iowa Code 715C.1, "personal information" means an individual's first name or first initial and last name combined with one or more of the following data elements:
- Social Security number
- Driver's license number or other unique identification number issued by a government body
- Financial account number, credit card number, or debit card number combined with any required expiration date, security code, access code, or password that would permit access to a financial account
- Unique electronic identifier or routing code combined with any required security code, access code, or password that would permit access to a financial account
- Unique biometric data, including fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data
The definition excludes information that is lawfully obtained from publicly available sources or from federal, state, or local government records lawfully made available to the general public.
Biometric Data Coverage

Iowa's inclusion of "unique biometric data" is significant. The statute covers fingerprints, retina or iris images, and other unique physical or digital representations of biometric data. This means that if a breach exposes stored fingerprint templates, iris scans, or other biometric identifiers alongside a person's name, notification obligations are triggered.
What Triggers a Notification
A "breach of security" under Iowa law means the unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information.
Good faith acquisition exception. The good faith acquisition of personal information by an employee or agent of the person for a legitimate purpose of the person is not a breach of security, provided the personal information is not used for an unauthorized purpose or subject to further unauthorized disclosure.
Encrypted data exception. If the breached data was encrypted, the notification requirements may not apply unless the encryption key was also compromised.
Notification Timeline and Requirements
Timeline
Iowa requires consumer notification "in the most expedient time possible and without unreasonable delay." The law specifies that the notification must be consistent with:
- The legitimate needs of law enforcement
- Any measures necessary to sufficiently determine contact information for affected consumers
- The measures needed to determine the scope of the breach
- The steps needed to restore the reasonable integrity, security, and confidentiality of the data
Iowa does not set a hard deadline in days for consumer notification, giving businesses flexibility to investigate while also creating potential for enforcement if a delay is deemed unreasonable.
Attorney General Notification

Any person who owns or licenses computerized data containing personal information that was subject to a breach affecting 500 or more Iowa residents must provide written notice to the director of the consumer protection division of the Iowa Attorney General's office within five business days after notifying affected consumers.

Methods of Notification
Businesses can provide notice through:
- Written notice sent by mail to the last known address of the consumer
- Electronic notice if the consumer has consented to receiving electronic communications
- Substitute notice if the cost of providing direct notice would exceed $250,000, the affected class exceeds 350,000 consumers, or the business does not have sufficient contact information. Substitute notice requires email notice (if addresses are available), conspicuous posting on the business's website, and notification to major statewide media.
Content of Notification
Notifications must include:
- A description of the breach of security
- The approximate date of the breach
- The type of personal information obtained as a result of the breach
- Contact information for consumer reporting agencies
- Advice to the consumer to report suspected identity theft to local law enforcement or the Attorney General
Penalties and Enforcement
Unlawful Practice Classification
A violation of Chapter 715C is an unlawful practice under Iowa Code 714.16, which is Iowa's consumer fraud and unfair practices statute. This classification gives the Attorney General significant enforcement power.

Attorney General Authority
The Attorney General may investigate potential violations and bring enforcement actions. In addition to the standard remedies available under Section 714.16 (including injunctive relief and civil penalties), the Attorney General may seek and obtain an order requiring a violating party to pay damages on behalf of consumers injured by the violation.
No Private Right of Action
Iowa's breach notification law does not create a private right of action for individual consumers. Only the Attorney General can bring enforcement actions under this statute.
No Specific Dollar Cap
Unlike some states that specify maximum civil penalties per violation or per breach, Iowa's statute relies on the enforcement mechanisms of Section 714.16. Penalties are determined based on the circumstances of each case, the nature and extent of the violation, and the harm to consumers.
Iowa Consumer Data Protection Act (Chapter 715D)
In addition to the breach notification law, Iowa enacted the Consumer Data Protection Act (ICDPA) in 2023, effective January 1, 2025. This law adds important protections for biometric data.
Under the ICDPA, biometric data processed for the purpose of uniquely identifying a natural person is classified as sensitive data. Controllers that process sensitive data, including biometric information, must present consumers with clear notice and an opportunity to opt out of such processing.
The ICDPA is enforced exclusively by the Attorney General. It does not create a private right of action. However, it establishes a 90-day cure period: before bringing an enforcement action, the Attorney General must provide the controller with written notice identifying the specific violations, and the controller has 90 days to cure those violations.
How Iowa Compares to Other States
Iowa's breach notification law is middling in strength compared to other states.
Biometric data included. Iowa is ahead of states that do not include biometric data in their breach notification definitions.
AG notification required. The five-business-day AG notification requirement for breaches affecting 500 or more residents is faster than many states.
No hard deadline for consumer notice. The "most expedient time possible" standard lacks the certainty of states with specific deadlines such as 30, 45, or 60 days.
No private right of action. Unlike Hawaii, which allows individuals to sue for actual damages and attorney's fees, Iowa limits enforcement to the Attorney General.
ICDPA adds biometric protections. Iowa's separate consumer data protection law classifies biometric data as sensitive and requires opt-out rights, placing it ahead of states without comprehensive privacy laws.
More Iowa Laws
- Iowa Data Privacy Laws
- Iowa Recording Laws
- Iowa Whistleblower Laws
This article provides general legal information about Iowa data breach notification laws. It is not legal advice. Laws and regulations change frequently, and this content may not reflect the most recent developments. Consult a qualified attorney licensed in Iowa for advice about your specific situation.
Sources and References
- Iowa Code Chapter 715C, Personal Information Security Breach Protection (legis.iowa.gov)
- Iowa Code 715C.1, definitions, including biometric data (legis.iowa.gov)
- Iowa Code 715C.2, breach notification requirements and remedies (legis.iowa.gov)
- Iowa Attorney General, security breach notifications page (iowaattorneygeneral.gov)
- Iowa Code 714.16, consumer fraud and unfair practices enforcement (legis.iowa.gov)
- Iowa Consumer Data Protection Act, Chapter 715D (legis.iowa.gov)
- Iowa Code 715D.1, definitions, including sensitive data and biometric data (legis.iowa.gov)