While Iowa may be famous for US presidential elections political caucuses, it also does not lag behind regarding data privacy. 

 

On 29 March 2023, Iowa became the sixth state in the US to enact a data privacy law. Iowa's Act Relating to Consumer Data Protection (“The CDPA”) is following in the footsteps of California, Utah, Virginia, Colorado, and Connecticut

 

If you have customers located in Iowa or your website is accessible to Iowa consumers, Iowa's comprehensive consumer privacy law will likely apply to your business. In this article, we go over what the Iowa Data Privacy law is, what it entails for businesses, and how to comply.

 

What about other U.S. states? To learn more about the big picture of data privacy in the United States and access our updated map and law tracker, head to our dedicated blog post:

 

Featured image of a blog post on consumer data privacy laws in the United States, along with a flag of the USA and the label "Country Focus"

 

Summary

 

 

 

Iowa data privacy law in a nutshell

 

On March 29th, the governor of Iowa signed the “Act Relating to Consumer Data Protection”(CDPA or ICDPA) into law. Iowa's CDPA is the first comprehensive consumer privacy legislation in Iowa, and it will become enforceable in January 2025, giving businesses 21 months to prepare.

 

If you have implemented a compliance program to comply with other US state privacy laws such as California’s CPRA, some requirements of the Iowa data privacy law will sound familiar.  However, there are still significant differences between Iowa's Data Privacy law and other US privacy laws.

 

In this article, we will help you understand:

 

  • What are the key requirements of Iowa's privacy law?

  • How do you comply with Iowa law on data privacy?

  • What are the differences between Iowa Data Privacy law and other US privacy laws, and with the EU General Data Protection Regulation (GDPR)?

 

Key requirements and things to know about the Iowa privacy law (CDPA)

 

Mockup of a consent banner presenting various option to users, including "do not sell or share my personal information", "limit the use of my sensitive personal infromation", and "agree and close", along with a label "Global Privacy Control signal detected and applied". On the left side of the image, an american flag.

Let's dive deeper into the nitty-gritty of the CDPA. In this section, we look at:

 

  • Whether the Iowa data privacy law applies to you

  • What data is exempt from the law

  • What are the key requirements you need to comply with

  • What are the penalties for non-compliance

 

Does the Iowa privacy law apply to you?

If you sell goods/services in Iowa or your website is accessible to Iowa residents, you must determine if you are subject to the Iowa data privacy law. If you fulfill the following criteria together, the new law will apply to your business:

 

Criteria 1: Your business produces services/goods targeted at Iowa consumers

For example, you may have an online store where visitors purchase your goods and services. If your website is accessible to USA consumers and Iowa consumers can place orders on your website, this is the case.

 

Criteria 2: Within one calendar year, you fulfill one of the following thresholds:

You control or process the personal data of at least 100,000 consumers;  or

control or process the personal data of at least 25,000 consumers and derive over 50% of your gross revenue from the sale of personal data.

 

Criteria 3: Your business processes personal data

Iowa's privacy law defines personal data as any information that is linked or is reasonably linkable to an identified or identifiable natural person. For example, the credit card details of your customers, email addresses of your prospects, or location data would all fall under the definition of personal data.

 

What data is exempt from the Iowa data privacy law (CDPA)?

Like its California counterpart, the Iowa data privacy law exempts certain categories of personal data from its scope. When considering the above criteria, you also need to think about the following categories of exempted personal data:

 

  • Protected health information under the Health Insurance Portability Act (HIPAA);

  • Health records;

  • Patient identifying information for purposes of §§290dd-2 of Title 42 of the U.S. Code, as part of the Public Health Service Act

  • Personal data collected or processed in an employment context

  • Personal data regulated by the Family Educational Rights and Privacy Act 1974 ('FERPA')

  • Data subject to Title V of the Gramm-Leach-Bliley Act of 1999; financial companies subject to the Gramm-Leach-Bliley Act will fall outside the reach of Iowa Law.

  • Higher education institutions are exempt from the enforceability of Iowa's privacy law.

  • Government entities such as state and municipal entities are also exempt.

 

What Are the Key Requirements You Need To Comply With?

If you have implemented an EU GDPR or California (CCPA and CPRA) compliance program before, you are already one step ahead of everyone in satisfying Iowa privacy law compliance requirements.

 

Similar to its EU and California counterparts, Iowa data privacy law includes requirements such as drafting a transparent privacy notice, data subject access requests, and opt-out of the sale of personal data.

 

Since it would be beyond the scope of this article to explain all requirements, we will briefly address the key requirements you need to consider as follows:

 

Provide your customers with a privacy notice

You need to provide consumers with an easily accessible and clear privacy notice. This written notice should explain what types of personal data you collect and use and who you share personal data with.

 

Furthermore, the privacy notice should also describe how consumers can exercise their right to access their data and their other rights.

 

Implement necessary data security measures

If you cannot maintain the availability and confidentiality of personal data, you cannot comply with the privacy law requirements. Therefore, Iowa data privacy law requires you to apply appropriate technical and organizational measures to guarantee data security.

 

Fulfill data subject requests

Iowa's law provides comprehensive consumer data rights. Under the law, consumers have the right to access, delete, and right to opt out of the sale of their data. Additionally, consumers are also entitled to data portability, just like in the EU GDPR.

 

Addressing these data subject access requests (also called DSAR) can be time-consuming and quickly turn into a logistical nightmare for companies. To learn how to deal with them quickly and efficiently, take a look at Didomi's Privacy Request module.

 

Discover our Privacy Request module

 

Comply with the purpose limitation principle

When you collect and process personal data, you need to ensure that processing is relevant and necessary to the purpose you seek to achieve. For instance, if you collect credit card data from your customers to process payments, you should not sell this data and purchase history to a data broker.

 

Sign a data processing agreement

Similar to the EU GDPR,  Iowa's law has the data controller-data processor concept and it requires these two parties to sign a data processing agreement. This agreement should address how the instructions of a data controller are handled and other elements such as data retention and the purpose of data processing.

 

For instance, when you use Google Analytics on your website, Google Analytics is your data processor. In fact, Google Analytics even has a data processing agreement it signs with its customers.

 

What are the penalties for non-compliance with the Iowa data privacy law?

Like the other US State privacy laws, such as those of Virginia and Colorado, Iowa's CDPA provides the Iowa Attorney General with exclusive enforcement authority to take legal action against businesses that violate the law.

 

The Iowa Attorney general is required to provide the relevant business with a 90-day notice to remedy the alleged violation.

 

If you are found to violate the Iowa data privacy law, you can face a fine of 7,500 $ per violation. However, Iowa consumers are not entitled to a private right of action for non-compliance.

 

How does the Iowa law compare to the other US state privacy laws?

 

From what we have discussed so far, you may get the idea that the Iowa Consumer Data Protection Act is highly similar to the California Consumer Privacy Act

 

However, the ICDPA differs from California’s regulations and other US States’ privacy laws on the following key issues:

 

Right to opt out of targeted advertising

Whereas California’s CPRA explicitly gives consumers the right to opt out of targeted advertising, the CDPA does not include such consumer data rights. Instead, it just requires data controllers carrying out targeted advertising to “clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity."

 

Put simply, there are no specific rules on the scope of the right to opt out of targeted advertising and how it should be exercised in Iowa's CDPA.

 

Universal opt-out signals

Contrary to the California, Colorado, and Connecticut privacy laws, the CDPA does not include the obligation to implement universal opt-out signals such as opting out of personalized advertising via browser settings.

 

Consent for processing of sensitive data

The Colorado, Connecticut, and Virginia privacy laws require businesses to obtain consent for the collection and processing of sensitive data.

 

Iowa's CDPA, on the other hand, does not include such a requirement; it only requires data controllers to provide the right to opt out of the processing of sensitive data processing.

 

Iowa's CDPA vs. EU's GDPR

 

Given that the EU GDPR has the most stringent privacy law requirements worldwide, it is no surprise that CDPA is slightly less strict. Let’s have a look at the key differences between the two laws.

 

Deadline to respond to data subject request

Under the GDPR, data controllers must respond to data subjects’ requests within 30 days following the receipt of the request, which can be extended by a further two months. 

 

The CDPA, however, sets out that data controllers have 90 days to respond to requests by consumers, which can be extended by a further 45 days.

 

In terms of the data subject rights, Iowa is more limited compared to the GDPR

GDPR allows consumers to rectify their personal data and the right not to be subject to automated decision-making or profiling. 

The ICDPA, on the other hand, does not recognize these rights.

 

Overall, the GDPR contains more detailed  requirements

The GDPR requires businesses to keep records of processing activities, appoint a data protection officer under certain conditions, and carry out data protection assessments.

Iowa does not include any of these obligations.

 

How can Didomi help you tick Iowa's CDPA off your list?

 

Knowing Iowa's comprehensive consumer privacy legislation is one thing, but confidently taking steps to ensure compliance is another.

 

Didomi aims to become the partner of choice for global organizations looking to lead with data privacy best practices and steer clear of potential fines. Through our expertise, guidance, and product offering, we are here to help. 

 

Browse our website to learn more about our Consent Management Platform, Preference Management Platform, Privacy Request module, and Advanced Compliance Monitoring, or book a time with one of your experts to discuss your challenges directly: 

 

Talk to an expert

 

Frequently Asked Questions (FAQ) about the Iowa Consumer Data Protection Act (CDPA)

 

When does the Law become enforceable?

The Law will come into force in January 2025, giving businesses 21 months to understand the requirements and implement a compliance program.

 

Does Iowa privacy law require businesses to obtain consent?

While the law defines lawful consent, it does not require businesses to ask for consent before collecting or processing personal data.

 

Does Iowa Law include the right to delete personal data provided by consumers?

Yes, if you receive a request from consumers to delete personal data provided by them, you need to comply and delete such data.

 

However, contrary to other state privacy laws enacted, such as the Colorado law, you do not need to erase consumer's personal data that you obtained from third-party sources.

 

Does processing sensitive data require opt-in consent?

Iowa law does not require opt-in consent for such processing of sensitive data.

 

Do you need consent for the sale of personal data?

The Law does not make it mandatory to ask for consent for the sale of personal data. However, consumers can opt out of the sale of their data, which refers to the sale of data for monetary consideration.