What Is the ICDPA? Iowa's Data Privacy Law Explained

The Iowa Consumer Data Protection Act (ICDPA) is Iowa's comprehensive consumer data privacy law, codified at Iowa Code Chapter 715D (Sections 715D.1 through 715D.9). The legislature passed it as Senate File 262, Governor Kim Reynolds signed it on March 28, 2023, and it took effect January 1, 2025. It gives Iowa residents a narrow set of rights over their personal data while imposing the lightest obligations of any state privacy law in the country.
As of 2026, the Iowa Attorney General holds exclusive authority to enforce the ICDPA under Section 715D.8, with civil penalties up to $7,500 per violation. Before any action, a controller gets a 90-day window to cure the alleged violation. That is the longest cure period in the nation, and it has no sunset date. There is no private right of action.
Jurisdiction scope: This covers Iowa's Consumer Data Protection Act (Iowa Code Chapter 715D). It is general legal information, not legal advice.
What the ICDPA is: statute, enactment, and effective date
The Iowa Consumer Data Protection Act is Iowa's first comprehensive consumer data privacy law. The chapter heading in the Iowa Code reads "Consumer Data Protections," and the law is widely known by the short name Iowa Consumer Data Protection Act, or ICDPA. It is codified at Iowa Code Chapter 715D, running from Section 715D.1 (definitions) through Section 715D.9 (preemption).
The legislature passed it as Senate File 262 during the 2023 session, and Governor Kim Reynolds signed it on March 28, 2023. Each section of the chapter carries the enactment citation "2023 Acts, ch 17," the form the bill took once codified. The law took effect January 1, 2025, giving covered businesses well over a year to prepare.
That timing made Iowa the sixth state to enact a broad consumer privacy law, following California, Virginia, Colorado, Utah, and Connecticut. The ICDPA sits squarely in the Virginia and Utah lineage rather than the California one. It uses the controller and processor vocabulary of those statutes and grants a familiar, but unusually short, list of consumer rights.
What sets the ICDPA apart is not its structure but how far it pulls back on the duties it imposes and the rights it grants. On nearly every contested design choice, Iowa picked the most business-friendly option available, which is why commentators regularly describe the ICDPA as the weakest comprehensive state privacy law in the United States as of 2026.
Who the ICDPA covers: the Section 715D.2 thresholds
The applicability test in Section 715D.2(1) controls who must comply. The law applies to a person conducting business in Iowa, or producing products or services targeted to Iowa residents, that during a calendar year does either of two things.
First, under Section 715D.2(1)(a), the business "controls or processes personal data of at least one hundred thousand consumers." Second, under Section 715D.2(1)(b), it "controls or processes personal data of at least twenty-five thousand consumers and derives over fifty percent of gross revenue from the sale of personal data."
A "consumer" is defined in Section 715D.1 as a natural person who is an Iowa resident acting in an individual or household context. The definition expressly excludes a person acting in a commercial or employment context, so business-to-business contacts and employees do not count toward these thresholds.
Notably, Iowa does not pair its data thresholds with a separate revenue floor the way some states do. A business clears the test simply by hitting the 100,000-consumer mark, or the 25,000-consumer-plus-data-sales mark, regardless of total revenue. Small businesses below those data volumes fall outside the ICDPA entirely.

Categorical exemptions under Section 715D.2(2) and (3)
Even among businesses that clear the threshold, Section 715D.2 removes whole categories of organizations and data from the law's reach. These exemptions are both entity-based and data-based, and they track the pattern set by other state laws.
On the entity side, Section 715D.2(2) provides that the chapter does not apply to the state or any political subdivision of the state; financial institutions, their affiliates, or data subject to Title V of the federal Gramm-Leach-Bliley Act; persons who comply with HIPAA and the HITECH Act; nonprofit organizations; or institutions of higher education. The nonprofit and higher-education carve-outs are full entity exemptions, so charities and universities generally fall outside the law even when they hold large volumes of Iowa-resident data.
On the data side, Section 715D.2(3) excludes protected health information and health records, patient-identifying information under 42 U.S.C. 290dd-2, human-subjects research data, and information regulated by the federal Fair Credit Reporting Act under Section 715D.2(3)(m). It also excludes data governed by the Driver's Privacy Protection Act under paragraph (n), education records under FERPA under paragraph (o), and data under the federal Farm Credit Act under paragraph (p).
Employment and emergency-contact data are carved out under Section 715D.2(3)(q), and personal data used in accordance with the federal Children's Online Privacy Protection Act is excluded under paragraph (r). The practical upshot is that banks, credit unions, hospitals, schools, and state agencies generally operate outside the ICDPA as to the data those federal laws already govern.
The strikingly limited rights set: why Iowa is the most business-friendly
The clearest reason the ICDPA is called the weakest comprehensive privacy law is its short rights list. Section 715D.3(1) grants a consumer the right to confirm whether a controller is processing the consumer's personal data and to access that data, the right to delete personal data the consumer provided, the right to obtain a portable copy of data the consumer provided, and the right to opt out of the sale of personal data.
That is the entire list. There is no right to correct inaccurate data, a right that Virginia, Colorado, Connecticut, and Texas all grant. There is no right to opt out of targeted advertising, even though the statute defines "targeted advertising" in Section 715D.1 and requires a disclosure about it in Section 715D.4(6). And there is no right to opt out of profiling, which several other states extend to decisions producing legal or similarly significant effects.
Iowa's deletion right is also narrower than most. Under Section 715D.3(1)(b), a consumer may delete "personal data provided by the consumer," not all personal data a controller has collected about the consumer from other sources. The portability right in Section 715D.3(1)(c) is likewise limited to data the consumer previously provided.
These gaps are the headline. Where most states give five or six rights, Iowa gives four, and two of the most consequential consumer protections, correction and a targeted-advertising opt-out, are simply absent.
The opt-out sensitive-data model and the lighter compliance load
Iowa also takes the lightest possible approach to sensitive data. Under Section 715D.4(2), a controller "shall not process sensitive data collected from a consumer for a nonexempt purpose without the consumer having been presented with clear notice and an opportunity to opt out." For a known child, the controller must instead process the data in accordance with the federal Children's Online Privacy Protection Act.
That is an opt-out model, the same approach Utah uses. Most other comprehensive state laws, including Virginia, Colorado, Connecticut, and Texas, require opt-in consent before a controller may process sensitive data. Iowa flips the default: a controller may process sensitive data and simply give the consumer notice and a chance to decline.
Sensitive data is defined in Section 715D.1 and includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed to uniquely identify a person, personal data collected from a known child, and precise geolocation data accurate within 1,750 feet.
Two duties that have become standard elsewhere are also absent. The ICDPA contains no data protection assessment requirement, so a covered Iowa controller does not have to document risk assessments for high-risk processing. And the statute does not require controllers to honor universal opt-out signals such as Global Privacy Control; the opt-out rights in Section 715D.3 are exercised through the method the controller designates under Section 715D.4.

Enforcement, the 90-day cure, and no private right of action
The ICDPA is enforced through the Attorney General alone. Section 715D.8(1) gives the Attorney General "exclusive authority to enforce the provisions of this chapter" and the power to issue a civil investigative demand on reasonable cause.
Before filing any action, the Attorney General must give the business 90 days' written notice identifying the specific provisions allegedly violated. Under Section 715D.8(2), if the controller or processor cures the noticed violation within that window and provides a written statement that the violations are cured and will not recur, no action may be initiated. This cure period is the longest of any state privacy law, and unlike several states that let their cure windows expire, Iowa's has no sunset date.
If the business does not cure, or breaches its written cure statement, Section 715D.8(3) authorizes the Attorney General to seek an injunction and civil penalties of up to $7,500 for each violation. Collected penalties are paid into the consumer education and litigation fund under Section 714.16C. Section 715D.8(4) states that the chapter does not create a private right of action, so individual Iowans cannot sue a business directly under the ICDPA.
ICDPA vs. CCPA: the key differences
Companies operating nationally often compare Iowa's law to California's CCPA. Our state data privacy law comparison page covers the full multistate picture, but three distinctions between the ICDPA and California's CCPA matter most.
| Feature | Iowa ICDPA (Ch. 715D) | California CCPA |
|---|---|---|
| Right to correct | No | Yes |
| Opt out of targeted ads | No | Yes (limit sharing) |
| Sensitive data | Notice plus opt-out (715D.4(2)) | Right to limit use |
| Response window | 90 days (715D.3(2)) | 45 days |
| Private right of action | None (715D.8(4)) | Limited, for data breaches |
Rights and corrections. The CCPA gives California consumers a right to correct inaccurate personal information and a right to limit the sharing of data for cross-context behavioral advertising. The ICDPA offers neither. Iowa's four rights stop at access, deletion, portability, and a sale opt-out under Section 715D.3.
Response time. California requires businesses to respond to most consumer requests within 45 days. Iowa gives controllers 90 days under Section 715D.3(2)(a), extendable once by 45 more days, the most generous response window among state privacy laws.
Remedies. California retains a limited private right of action for certain data breaches, with statutory damages between $100 and $750 per consumer per incident. The ICDPA has no private right of action at all; under Section 715D.8, only the Iowa Attorney General may enforce.
Sources and References
- Iowa Code Chapter 715D: Consumer Data Protections (Full Text) (legis.iowa.gov)
- Iowa Code Section 715D.1: Definitions (legis.iowa.gov)
- Iowa Code Section 715D.2: Scope and Exemptions (legis.iowa.gov)
- Iowa Code Section 715D.3: Consumer Data Rights (legis.iowa.gov)
- Iowa Code Section 715D.4: Data Controller Duties (Sensitive Data Opt-Out) (legis.iowa.gov)
- Iowa Code Section 715D.8: Enforcement and Penalties (legis.iowa.gov)
- Iowa Senate File 262 (2023): Consumer Data Protection Act (legis.iowa.gov)
- Iowa Attorney General: Consumer Protection (iowaattorneygeneral.gov)