ICDPA Consumer Rights: What Iowans Can and Cannot Do

Under the Iowa Consumer Data Protection Act (Iowa Code Chapter 715D), Iowa residents have four privacy rights: to confirm and access their personal data, to delete data they provided, to obtain a portable copy of that data, and to opt out of the sale of personal data. These rights are set out in Section 715D.3 and took effect with the rest of the law on January 1, 2025.

As of 2026, a covered business must respond to a verified request within 90 days under Section 715D.3(2), one of the longest response windows in the country. Iowans cannot sue a business directly to enforce these rights; Section 715D.8(4) bars any private right of action, leaving enforcement to the Iowa Attorney General.

Jurisdiction scope: This covers Iowa's Consumer Data Protection Act (Iowa Code Chapter 715D). It is general legal information, not legal advice.

The four rights Iowans have under Section 715D.3

The Iowa Consumer Data Protection Act gives Iowa residents a short, defined list of rights. Section 715D.3(1) requires a controller to comply with an authenticated consumer request to exercise each of four rights, and no more.

The first right is the right to confirm and access. Under Section 715D.3(1)(a), a consumer may ask a controller to confirm whether it is processing the consumer's personal data and to access that data. This is the entry point for the other rights, because it lets a consumer see what a company holds.

The second is the right to delete. Under Section 715D.3(1)(b), a consumer may request deletion of "personal data provided by the consumer." This is narrower than the deletion rights in some states, which extend to data a company collected from other sources; in Iowa, the deletion right reaches data the consumer themselves provided.

The third is the right to data portability. Under Section 715D.3(1)(c), a consumer may obtain a copy of the personal data they previously provided, in a portable and, to the extent technically practicable, readily usable format. That format must let the consumer transmit the data to another controller without hindrance where processing is automated. The statute carves out data subject to the security-breach rules in Section 715C.1.

The fourth is the right to opt out of the sale of personal data. Under Section 715D.3(1)(d), a consumer may direct a controller to stop selling their personal data. A "sale" is defined in Section 715D.1 as the exchange of personal data for monetary consideration to a third party, a narrower definition than California's, which also covers other valuable consideration.

What Iowans cannot do: the missing rights

The gaps in Iowa's rights list are as important as the rights themselves, and they are the reason the ICDPA is widely described as the weakest comprehensive state privacy law as of 2026.

There is no right to correct. Section 715D.3 does not include a right to fix inaccurate personal data, unlike Virginia, Colorado, Connecticut, Texas, and California. An Iowan who finds an error in the data a company holds about them cannot demand a correction under the ICDPA, although they can request deletion of data they provided.

There is no right to opt out of targeted advertising. The statute defines "targeted advertising" in Section 715D.1 and requires a controller that engages in it to disclose that activity and explain how to opt out under Section 715D.4(6). But the enumerated rights in Section 715D.3 do not include a targeted-advertising opt-out, so the disclosure duty is not paired with an enforceable consumer right to stop the practice.

There is no right to opt out of profiling. Several states let consumers opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. Iowa grants no such right. The ICDPA neither defines a profiling opt-out nor lists one among the Section 715D.3 rights.

The practical effect is a rights set built around access, deletion, portability, and a data-sale opt-out, with the broader behavioral-advertising and correction protections that consumers have in neighboring states simply absent in Iowa.

How to exercise your rights and the 90-day response window

To exercise a right, a consumer submits a request to the controller through the method the controller specifies under Section 715D.4. A controller must establish secure and reliable means for submitting requests and, under Section 715D.4(7), may not require a consumer to create a new account to do so, though it may require use of an existing account. A known child's parent or legal guardian may submit a request on the child's behalf.

The controller must first authenticate the request. "Authenticate" is defined in Section 715D.1 as verifying through reasonable means that the requester is the consumer entitled to exercise the right. If a controller cannot authenticate the request using commercially reasonable efforts, Section 715D.3(2)(d) allows it to decline and to ask for additional information.

Once a request is authenticated, the clock starts. Under Section 715D.3(2)(a), a controller must respond without undue delay and in all cases within 90 days of receipt. The controller may extend the period once by 45 additional days when reasonably necessary, given the complexity and number of requests, if it tells the consumer of the extension and the reason within the initial 90 days.

That 90-day baseline is the longest response window among state privacy laws. Many states, including California and Virginia, require a response within 45 days. Iowans should expect a slower turnaround than consumers in most other states.

Responses are free up to twice a year per consumer under Section 715D.3(2)(c). A controller may charge a reasonable fee or decline only when a request is manifestly unfounded, excessive, repetitive, or technically unfeasible, and the controller bears the burden of proving that.

Appeals: the Section 715D.3(3) process

If a controller declines to act on a request, the consumer has a built-in appeal right. Under Section 715D.3(2)(b), a controller that declines must inform the consumer of the justification without undue delay and provide instructions for appealing, unless it suspects a fraudulent request.

The appeal process itself is governed by Section 715D.3(3). A controller must establish a conspicuously available appeal process that is similar to the process for submitting the original request. Within 60 days of receiving an appeal, the controller must inform the consumer in writing of any action taken or not taken, with a written explanation of the reasons.

If the appeal is denied, the controller must give the consumer an online mechanism to contact the Iowa Attorney General and submit a complaint. This is the practical escalation path under the ICDPA, because there is no private right of action and the Attorney General is the sole enforcer.

Sensitive data: the opt-out path under Section 715D.4(2)

Iowa treats sensitive data through an opt-out model rather than the opt-in consent most states require. Under Section 715D.4(2), a controller "shall not process sensitive data collected from a consumer for a nonexempt purpose without the consumer having been presented with clear notice and an opportunity to opt out." For a known child, the controller must instead process the data in accordance with the federal Children's Online Privacy Protection Act.

In practice, this means the burden is on the Iowan to say no. A company may begin processing sensitive data after giving notice and an opt-out opportunity; it does not have to obtain affirmative consent first. This is the same lighter standard Utah uses and a key reason both states are considered business-friendly.

Sensitive data is defined in Section 715D.1 to include racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed to uniquely identify a person, the personal data of a known child, and precise geolocation data accurate within 1,750 feet. An Iowan who wants to limit this processing should look for the controller's sensitive-data notice and use the opt-out it provides.

Discrimination protection and how to file a complaint

The ICDPA includes an anti-retaliation rule. Under Section 715D.4(3), a controller may not discriminate against a consumer for exercising a right, including by denying goods or services, charging different prices, or providing a different quality of service. The statute preserves an exception for bona fide loyalty, rewards, or club-card programs and for offers tied to data the controller does not collect.

Any contract clause that purports to waive or limit a consumer's rights under Section 715D.3 is void and unenforceable as against public policy under Section 715D.4(4). A business cannot make an Iowan sign away these rights.

Because Section 715D.8(4) bars a private right of action, an Iowan who believes a business is not honoring these rights cannot sue under the ICDPA. Instead, after exhausting the controller's appeal process, the consumer can submit a complaint to the Iowa Attorney General, who holds exclusive enforcement authority under Section 715D.8. The Attorney General's office accepts consumer complaints through its consumer-protection division.

Related guides

• Iowa Data Privacy Laws (ICDPA hub)
• What Is the ICDPA? Iowa's Data Privacy Law Explained
• ICDPA Compliance Checklist for Businesses
• US State Privacy Laws Comparison
• What Is the CCPA? California's Privacy Law Explained

Sources