ICDPA Compliance Checklist for Businesses (Iowa)

Complying with the Iowa Consumer Data Protection Act (Iowa Code Chapter 715D) is lighter than complying with almost any other state privacy law. A covered business must confirm it meets the Section 715D.2 thresholds, publish a clear privacy notice, offer a way to opt out of data sales, give a sensitive-data opt-out, and sign processor contracts. The law took effect January 1, 2025.
As of 2026, the Iowa Attorney General enforces the ICDPA exclusively under Section 715D.8, with a 90-day cure period and penalties up to $7,500 per violation. Iowa requires no data protection assessments and no honoring of universal opt-out signals, so the compliance load is real but smaller than in Colorado, Connecticut, or California.
Jurisdiction scope: This covers Iowa's Consumer Data Protection Act (Iowa Code Chapter 715D). It is general legal information, not legal advice.
Step 1: Determine whether the ICDPA applies to you
The first task is to run the applicability test in Section 715D.2(1). The ICDPA reaches a person conducting business in Iowa, or producing products or services targeted to Iowa residents, that during a calendar year does either of two things.
Under Section 715D.2(1)(a), the business controls or processes personal data of at least 100,000 consumers. Under Section 715D.2(1)(b), it controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data. A business that hits either prong is covered.
Count carefully. A "consumer" under Section 715D.1 is an Iowa resident acting in an individual or household context, and the definition excludes a person acting in a commercial or employment context. Business-to-business contacts and your own employees do not count toward the thresholds.
Iowa does not add a separate revenue floor to these data thresholds, so a high-volume processor can be covered regardless of total revenue. If your numbers sit near a threshold, document your count and revisit it each calendar year.
Step 2: Check the exemptions
Even if you clear the threshold, you may be exempt. Section 715D.2(2) provides entity-level exemptions for the state and its political subdivisions, financial institutions and their affiliates subject to the Gramm-Leach-Bliley Act, persons who comply with HIPAA and the HITECH Act, nonprofit organizations, and institutions of higher education.
Section 715D.2(3) layers on data-level exemptions. These cover protected health information and health records, information regulated by the federal Fair Credit Reporting Act under paragraph (m), data under the Driver's Privacy Protection Act under paragraph (n), education records under FERPA under paragraph (o), and data under the Farm Credit Act under paragraph (p).
Employment and emergency-contact data are excluded under Section 715D.2(3)(q), and data used in accordance with the federal Children's Online Privacy Protection Act is excluded under paragraph (r). Map your data inventory against these exemptions; an entity that clears the threshold may still find that much of its data is carved out.
Document your analysis. If the Attorney General opens an inquiry, a clear record of why a category is exempt is the first thing you will want to produce.

Step 3: Publish a compliant privacy notice
Section 715D.4(5) requires a reasonably accessible, clear, and meaningful privacy notice. The notice must include five elements, and a checklist makes them easy to track.
The notice must state the categories of personal data the controller processes, the purpose for processing that data, and how consumers may exercise their rights under Section 715D.3, including how to appeal a controller's decision. It must also state the categories of personal data the controller shares with third parties, if any, and the categories of third parties it shares with.
Beyond the five required elements, Section 715D.4(6) adds a conditional disclosure: if you sell personal data or engage in targeted advertising, you must clearly and conspicuously disclose that activity and explain how a consumer may opt out of the sale. Note that the opt-out the statute attaches here is the sale opt-out; Iowa does not create a separate targeted-advertising opt-out right.
Keep the notice current. As your processing changes, the notice should change with it, because the privacy notice is the document the Attorney General will read first.
Step 4: Build the sale opt-out and sensitive-data opt-out
Two opt-out mechanisms sit at the center of ICDPA compliance. The first is the opt-out of the sale of personal data under Section 715D.3(1)(d). You must provide a clear method for an Iowan to opt out of having their personal data sold, and disclose that method under Section 715D.4(6).
A "sale" is defined narrowly in Section 715D.1 as the exchange of personal data for monetary consideration to a third party, with several exclusions such as disclosures to processors and affiliates. If you never exchange data for money, you may not be selling under the ICDPA, but you should document that conclusion.
The second mechanism is the sensitive-data opt-out under Section 715D.4(2). Before processing sensitive data for a nonexempt purpose, you must present the consumer with clear notice and an opportunity to opt out. For a known child, you must instead comply with the federal Children's Online Privacy Protection Act.
Importantly, Iowa does not require you to honor a universal opt-out signal such as Global Privacy Control, and it does not require data protection assessments. Both of those obligations exist in several other states but are absent from the ICDPA, which is the single biggest reason Iowa's compliance load is lighter.
Step 5: Put processor contracts in place
If you use vendors to process personal data on your behalf, Section 715D.5(2) requires a written contract that governs the processing. This is a hard requirement, not a best practice.
The contract must set out instructions for processing, the nature and purpose of processing, the type of data, the duration, and the rights and duties of both parties. It must also require the processor to ensure each person processing data is under a duty of confidentiality, to delete or return data at the end of the engagement at the controller's direction, to make available information needed to demonstrate compliance, and to flow these duties down to any subcontractor under a written contract.
Processors have their own duties under Section 715D.5(1), including assisting the controller with consumer-rights requests and with security and breach-notification obligations under Section 715C.2. Review existing vendor agreements and add a data processing addendum where one is missing.

Step 6: Stand up the request, response, and appeal workflow
Operationally, you need a process that meets the timelines in Section 715D.3. Under Section 715D.4(7), you must establish secure and reliable means for consumers to submit requests, and you may not require a consumer to create a new account to do so.
Once you authenticate a request, you must respond within 90 days under Section 715D.3(2)(a), with one optional 45-day extension when reasonably necessary. Responses are free up to twice a year per consumer under Section 715D.3(2)(c). Build authentication, tracking, and a calendar that flags the 90-day deadline.
You also need an appeal process under Section 715D.3(3). It must be conspicuously available, must produce a written decision within 60 days, and, if the appeal is denied, must give the consumer an online mechanism to contact the Attorney General. Document each step, because the appeal record is part of your compliance posture.
Enforcement, the 90-day cure, and penalties
The ICDPA is enforced by the Iowa Attorney General alone. Section 715D.8(1) grants exclusive enforcement authority and the power to issue a civil investigative demand on reasonable cause.
The cure period is generous. Under Section 715D.8(2), the Attorney General must give a controller or processor 90 days' written notice identifying the specific provisions allegedly violated. If the business cures within that window and provides a written statement that the violations are cured and will not recur, no action may be initiated. This 90-day cure is the longest of any state privacy law, and it has no sunset date, so it remains permanently available as of 2026.
| Compliance item | ICDPA requirement | Section |
|---|---|---|
| Privacy notice | Required, five elements | 715D.4(5) |
| Sale opt-out | Required if you sell data | 715D.3(1)(d), 715D.4(6) |
| Sensitive data | Notice plus opt-out | 715D.4(2) |
| Data protection assessment | Not required | None |
| Universal opt-out signal | Not required | None |
| Processor contract | Required | 715D.5(2) |
| Cure period | 90 days, no sunset | 715D.8(2) |
| Maximum penalty | $7,500 per violation | 715D.8(3) |
If a business does not cure or breaches its cure statement, Section 715D.8(3) authorizes an injunction and civil penalties of up to $7,500 per violation, paid into the consumer education and litigation fund under Section 714.16C. Because Section 715D.8(4) bars any private right of action, the only enforcement risk under the ICDPA is an Attorney General action, which makes the 90-day cure a meaningful safety valve for businesses acting in good faith.
Sources and References
- Iowa Code Chapter 715D: Consumer Data Protections (Full Text) (legis.iowa.gov)
- Iowa Code Section 715D.2: Scope and Exemptions (legis.iowa.gov)
- Iowa Code Section 715D.4: Data Controller Duties (legis.iowa.gov)
- Iowa Code Section 715D.5: Processor Duties (legis.iowa.gov)
- Iowa Code Section 715D.3: Consumer Data Rights (Response Window) (legis.iowa.gov)
- Iowa Code Section 715D.8: Enforcement and Penalties (90-Day Cure) (legis.iowa.gov)
- Iowa Senate File 262 (2023): Consumer Data Protection Act (legis.iowa.gov)
- Iowa Attorney General: Consumer Protection (iowaattorneygeneral.gov)