The Iowa Consumer Data Protection Act (ICDPA), signed into law in March 2023, places Iowa among the growing number of states with comprehensive privacy legislation. This law introduces new consumer rights and compliance obligations, effective January 1, 2025, giving businesses limited time to prepare.
Looking for comparisons? See our deep dives on the Colorado Privacy Act and Connecticut Consumer Data Protection Act for a broader U.S. privacy law perspective.
Iowa’s Approach to Consumer Data Protection
Unlike California’s CCPA, which is often viewed as the strictest in the nation, Iowa has taken a more balanced route. The Iowa Consumer Data Protection Act applies to businesses that process the personal data of 100,000 or more Iowa consumers annually or handle 25,000 consumers’ data while generating 50% of revenue from selling personal data.
Certain categories remain exempt, such as data regulated under HIPAA, GLBA, or FCRA as well as nonprofits and higher education institutions. The full statutory language is available through the Iowa Legislature’s legal code for those seeking exact definitions and scope.
Iowa Privacy Law Effective Date
The law goes into effect January 1, 2025. Unlike states such as Colorado, which implemented phased obligations, Iowa’s law activates in one step leaving businesses little room for delay.
Who Must Follow Iowa’s CDPA?
Compliance is required for any business meeting Iowa’s thresholds and doing business in the state or targeting Iowa residents. The law does not apply to small businesses below the threshold and excludes employment and B2B data from its coverage.
Rights Granted to Iowa Consumers
Residents gain new rights under the Iowa data privacy law, including the ability to:
- Confirm whether their data is being processed and access that data.
- Request deletion of personal data they provided.
- Receive a portable copy of their data in a usable format.
- Opt out of the sale of personal data and targeted advertising.
Unlike Colorado or Connecticut, Iowa does not grant consumers the right to correct inaccuracies. For a comparison of rights across states, check our Indiana CDPA breakdown.
Responsibilities for Businesses
Covered entities must provide transparent privacy notices, implement methods for consumers to submit requests, and respond within 90 days (with one 45-day extension allowed). Businesses must also ensure contracts with processors include clear obligations for data protection.
Unlike Colorado’s privacy rules, Iowa does not require Data Protection Impact Assessments (DPIAs) or compliance with global privacy opt-out signals. For practical compliance steps, see Termly’s Iowa CDPA resource.
Enforcement and Fines
Enforcement lies exclusively with the Iowa Attorney General’s Consumer Protection Division, which can impose civil penalties of up to $7,500 per violation. Companies benefit from a 90-day cure period, the most generous in the U.S., before penalties are applied. Details on enforcement mechanisms can be found through the Attorney General’s official site.
How Iowa Differs from Other State Laws
Compared to California or Colorado, Iowa’s law is considered business-friendly. The cure period is permanent, consumer rights are fewer (no correction right), and compliance obligations such as DPIAs or universal opt-outs are not required. For legal analysis of these differences, review the National Law Review commentary.
Recent Updates and Clarifications
- The effective date remains January 1, 2025, with no phased rollout.
- Iowa has no rulemaking authority, meaning businesses should rely on the statutory text for compliance rather than waiting for future regulations.
- Early enforcement will likely focus on voluntary compliance due to the 90-day cure period, but businesses should not assume leniency will last.
FAQ
What companies must comply with the Iowa CDPA?
Businesses controlling or processing 100,000+ consumers’ data annually or 25,000+ consumers’ data with significant revenue from data sales.
What rights do Iowa residents have?
Access, deletion, portability, and opt-out rights for data sales and targeted ads.
Is there a private right of action?
No, enforcement is limited to the Attorney General.
When does the law take effect?
January 1, 2025.
How does Iowa compare to Virginia?
Both share a similar framework, but Iowa offers longer timelines for compliance and fewer obligations overall.
Final Thoughts
The Iowa Consumer Data Protection Act may be simpler than California’s or Colorado’s frameworks, but compliance still requires planning. Start now by auditing your data practices, updating privacy policies, and preparing systems to manage consumer rights requests.For further detail, explore the Iowa Legislature’s legal text, the Attorney General’s Consumer Protection Division, and this expert legal analysis for deeper insights.
