While Iowa may be famous for its US presidential caucuses, it does not lag behind on data privacy either.
On 29 March 2023, Iowa became the sixth state in the US to enact a data privacy law. Iowa's Act Relating to Consumer Data Protection (“the CDPA”) follows in the footsteps of California, Utah, Virginia, Colorado, and Connecticut.
If you have customers located in Iowa or your website is accessible to Iowa consumers, Iowa's comprehensive consumer privacy law will likely apply to your business. In this article, we go over what the Iowa Data Privacy law is, what it entails for businesses, and how to comply.
Iowa data privacy law in a nutshell
On March 29th, the governor of Iowa signed the “Act Relating to Consumer Data Protection” (CDPA or ICDPA) into law. Iowa's CDPA is the first comprehensive consumer privacy legislation in Iowa, and it will become enforceable in January 2025, giving businesses 21 months to prepare.
If you have implemented a compliance program to comply with other US state privacy laws such as California’s CPRA, some requirements of the Iowa data privacy law will sound familiar. However, there are still significant differences between Iowa's Data Privacy law and other US privacy laws.
In this article, we will help you understand:
What are the key requirements of Iowa's privacy law?
How to comply with the Iowa Law on data privacy?
How does the Iowa data privacy law differ from other US privacy laws and from the EU General Data Protection Regulation (GDPR)?
Key requirements and things to know about the Iowa privacy law (CDPA)
Let's dive deeper into the nitty-gritty of the CDPA. In this section, we look at:
Whether the Iowa data privacy law applies to you
What data is exempt from the law
What are the key requirements you need to comply with
What are the penalties for non-compliance
Does the Iowa privacy law apply to you?
If you sell goods or services in Iowa or your website is accessible to Iowa residents, you need to determine whether you are subject to the Iowa data privacy law. If you meet all of the following criteria, the new law will apply to your business:
Criterion 1: Your business produces goods or services targeted at Iowa consumers
For example, you may have an online store where visitors can purchase your goods and services. If your website is accessible to US consumers and Iowa consumers can place orders on it, this criterion is met.
Criterion 2: Within one calendar year, you meet one of the following thresholds:
You control or process the personal data of at least 100,000 consumers; or
You control or process the personal data of at least 25,000 consumers and derive over 50% of your gross revenue from the sale of personal data.
Criterion 3: Your business processes personal data
Iowa's privacy law defines personal data as any information that is linked or is reasonably linkable to an identified or identifiable natural person. For example, the credit card details of your customers, email addresses of your prospects or location data would all fall under the definition of personal data.
What data is exempt from the Iowa data privacy law (CDPA)?
Similar to its California counterpart, the Iowa data privacy law exempts certain categories of personal data from its scope. When considering the above criteria, you also need to think about the following categories of exempted personal data:
Protected health information under the Health Insurance Portability and Accountability Act (HIPAA)
Patient identifying information for the purposes of § 290dd-2 of Title 42 of the U.S. Code, as part of the Public Health Service Act
Personal data collected or processed in an employment context
Personal data regulated by the Family Educational Rights and Privacy Act 1974 ('FERPA')
Data subject to Title V of the Gramm-Leach-Bliley Act of 1999; financial companies subject to the Gramm-Leach-Bliley Act fall outside the reach of the Iowa law
Higher education institutions are exempt from Iowa's privacy law.
Government entities such as state and municipal entities are also exempt.
What Are the Key Requirements You Need To Comply With?
Similar to its EU and California counterparts, Iowa's data privacy law includes requirements such as drafting a transparent privacy notice, honoring data subject access requests, and offering an opt-out from the sale of personal data.
Since it would be beyond the scope of this article to explain every requirement, we briefly address the key requirements you need to consider:
Provide your customers with a privacy notice
You need to provide consumers with an easily accessible and clear privacy notice. This written notice should explain what types of personal data you collect and use and who you share personal data with.
Furthermore, the privacy notice should also describe how consumers can exercise their right to access their data and their other rights.
Implement necessary data security measures
If you cannot maintain the availability and confidentiality of personal data, you cannot comply with the privacy law requirements. Therefore, Iowa data privacy law requires you to apply appropriate technical and organizational measures to guarantee data security.
Fulfill data subject requests
Iowa's law provides comprehensive consumer data rights. Under the law, consumers have the right to access and delete their data, and the right to opt out of the sale of their data. Additionally, consumers are also entitled to data portability, just as under the EU GDPR.
Addressing these data subject access requests (also called DSARs) can be time-consuming and quickly turn into a logistical nightmare for companies. To learn how to deal with them quickly and efficiently, take a look at Didomi's Privacy Request module.
Comply with the purpose limitation principle
When you collect and process personal data, you need to ensure that processing is relevant and necessary to the purpose you seek to achieve. For instance, if you collect credit card data from your customers to process payments, you should not sell this data and purchase history to a data broker.
Sign a data processing agreement
Similar to the EU GDPR, Iowa's law distinguishes between data controllers and data processors and requires these two parties to sign a data processing agreement. This agreement should address how the data controller's instructions are handled, as well as other elements such as data retention and the purpose of data processing.
For instance, when you use Google Analytics on your website, Google Analytics is your data processor. In fact, Google Analytics even has a data processing agreement it signs with its customers.
What are the penalties for non-compliance with the Iowa data privacy law?
Similar to other US state privacy laws such as those of Virginia and Colorado, Iowa's CDPA gives the Iowa Attorney General exclusive enforcement authority to take legal action against businesses that violate the law.
The Iowa Attorney General is required to provide the relevant business with a 90-day notice to remedy the alleged violation.
If you are found to have violated the Iowa data privacy law, you can face a fine of $7,500 per violation. However, Iowa consumers are not entitled to a private right of action for non-compliance.
How does the Iowa law compare to the other US state privacy laws?
From what we have discussed so far, you may get the impression that the Iowa Consumer Data Protection Act is highly similar to the California Consumer Privacy Act.
However, the ICDPA differs from California's rules and other US states' privacy laws on the following key issues:
Right to opt out of targeted advertising
Whereas California’s CPRA explicitly gives consumers the right to opt out of targeted advertising, the CDPA does not include such consumer data rights. Instead, it just requires data controllers carrying out targeted advertising to “clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity."
Put simply, there are no specific rules on the scope of the right to opt out of targeted advertising and how it is to be exercised in Iowa's CDPA.
Universal opt-out signals
Unlike the California, Colorado, and Connecticut privacy laws, the CDPA does not include an obligation to honor universal opt-out signals, such as opting out of personalized advertising via browser settings.
Consent for processing of sensitive data
The Colorado, Connecticut, and Virginia privacy laws require businesses to obtain consent for the collection and processing of sensitive data.
Iowa's CDPA, on the other hand, does not include such a requirement; it only requires data controllers to provide the right to opt out of the processing of sensitive data.
For a full breakdown of the state of data privacy in the US and a state-by-state look at the various laws in place, check out our dedicated article on the topic and download our U.S. State Legislation Tracker.
Grab the PDF version and see our U.S. State Legislation Map here.
Iowa's CDPA vs. EU's GDPR
Given that the EU GDPR has the most stringent privacy law requirements worldwide, it is no surprise that the CDPA is slightly less strict. Let's have a look at the key differences between the two laws.
Deadline to respond to data subject requests
Under the GDPR, data controllers must respond to data subjects' requests within 30 days of receiving the request, which can be extended by a further two months.
The CDPA, however, sets out that data controllers have 90 days to respond to consumer requests, which can be extended by a further 45 days.
In terms of data subject rights, Iowa's law is more limited than the GDPR
The GDPR gives data subjects the right to rectify their personal data and the right not to be subject to automated decision-making or profiling.
The ICDPA, on the other hand, does not recognize these rights.
Overall, the GDPR contains more detailed requirements
The GDPR requires businesses to keep records of processing activities, appoint a data protection officer under certain conditions and carry out data protection assessments.
Iowa's law does not include any of these obligations.
How can Didomi help you tick Iowa's CDPA off your list
Knowing Iowa's comprehensive consumer privacy legislation is one thing, but confidently taking steps to ensure compliance is another.
Didomi aims to become the partner of choice for global organizations looking to lead with data privacy best practices and steer clear of potential fines. Through our expertise, guidance, and product offering, we are here to help.
Browse our website to learn more about our Consent Management Platform, Preference Management Platform, Privacy Request module, and Advanced Compliance Monitoring, or book a time with one of our experts to discuss your challenges directly.
Frequently Asked Questions (FAQ) about the Iowa Consumer Data Protection Act (CDPA)
When does the Law become enforceable?
The Law will come into force in January 2025, giving businesses 21 months to understand the requirements and implement a compliance program.
Does Iowa privacy law require businesses to obtain consent?
While the Law defines lawful consent, it does not require businesses to ask for consent before collecting or processing personal data.
Does Iowa Law include the right to delete personal data provided by consumers?
Yes, if you receive a request from consumers to delete personal data provided by them, you need to comply and delete such data.
However, unlike other enacted state privacy laws such as Colorado's, you do not need to erase consumers' personal data that you obtained from third-party sources.
Does processing sensitive data require opt-in consent?
Iowa law does not require opt-in consent for the processing of sensitive data.
Do you need consent for the sale of personal data?
The Law does not make it mandatory to ask for consent for the sale of personal data. However, consumers can opt out of the sale of their data, where “sale” refers to the exchange of data for monetary consideration.