The Iowa Consumer Data Protection Act (ICDPA) marks a pivotal turning point in data privacy for the state, ushering in a new era of consumer control, transparency, and business accountability. After Connecticut, Utah, Virginia, Colorado, and California, Iowa became the sixth state in the country to pass comprehensive privacy legislation. With the ICDPA’s effective date set for January 1, 2025, businesses must now adapt to the law’s stringent requirements, ensuring responsible data governance practices. This legislation aligns with a broader national movement, echoing the objectives of data protection laws in California and Virginia, signaling a nationwide shift towards prioritizing consumer data privacy.

Key Objectives

The ICDPA’s primary objectives are to:

1. Empower Consumers: Grant consumers greater control over their personal data, including the right to access, correct, and delete their data.
2. Promote Transparency: Require businesses to provide clear and transparent information about their data collection, use, and sharing practices.
3. Hold Businesses Accountable: Establish obligations and restrictions on businesses that collect and process consumer data.

Comparison with Other State Privacy Laws

The ICDPA joins a growing number of state privacy laws, including the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), and the Utah Consumer Privacy Act (UCPA). While these laws share similar goals, they differ in their specific requirements and scope. The ICDPA, for instance, has a higher threshold for personal data processing, requiring controllers to process data from at least 100,000 Iowa consumers or derive 50% of their revenue from personal data sales.

Effective Date and Enforcement

The Iowa Consumer Data Privacy Act takes effect on January 1, 2025, giving businesses ample time to prepare for compliance. The Iowa Attorney General holds the enforcement authority, with the power to issue fines of up to $7,500 per violation.

The Iowa data protection law applies to entities that:

1. Conduct business or target consumers in Iowa.
2. Process or control the personal data of at least 100,000 Iowa consumers.
3. Derive more than 50% of their gross revenue from selling personal data of at least 25,000 Iowa consumers.

Key definitions used in the ICDPA

• Controller: A business that determines the purposes and means of processing personal data.
• Processor: A business processing personal data on behalf of a controller.
• Consumer: Defined as a natural person residing in the state acting in an individual or household context.
• Personal data: Any information that relates to or is identifiable to an individual, including but not limited to name, email address, physical address, purchase history, and browsing activity.
• Sensitive Data: Personal data that reveals racial or ethnic origin, political opinions, religious beliefs, sexual orientation, or union membership.
• Sale of personal data: The exchange of personal data for monetary consideration by the controller to a third party.
• Consent: A clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. “Consent” may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

Iowa’s data subject response provision contains a potential 45-day extension to the 90-day response period, contrasting from the standard 45-day response period other states carry.

The data subject rights under Iowa’s data privacy law are as follows:

Right to Access

A consumer has the right to know whether a controller is processing the consumer’s personal data and access that data.

Right to Deletion

A consumer has the right to ask for the deletion of their personal data that the consumer provided to the controller.

Right to Data Portability

A consumer has the right to obtain a copy of the consumer’s personal data, that the consumer previously provided to the controller, in a format that is portable, readily usable and allows the consumer to transmit the data to another controller without impediment, where the processing is carried out by automated means.

Right to Opt-Out

A consumer has the right to opt out of the processing of the consumer’s personal data for the purpose of targeted advertising, the sale of personal data or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Purpose Limitation

Controllers can process personal data that is reasonably necessary and proportional to the purposes listed in the Iowa privacy law if it is adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in the law.

Transparency

A controller shall provide consumers with reasonably accessible, clear, and meaningful privacy notice that includes:

• The categories and purpose of personal data processed by the controller;
• How consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision about the consumer’s request;
• The categories of personal data that the controller shares with third parties, if any;
• The categories of third parties, if any, with which the controller shares personal data; and
• An active electronic mail address that the consumer may use to contact the controller.

Security

The controller must establish, implement, maintain and update reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity and accessibility relevant to the volume and nature of the personal data at issue.

Consent Requirements

Controllers should not process sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with Children’s Online Privacy Protection Act.Additionally, controllers are required to “provide an effective mechanism” for consumers to revoke consent that is at least as easy as the mechanism used to provide it.

Nondiscrimination

A controller may not discriminate against a consumer for exercising a right by denying a good or service to the consumer or charging the consumer a different price.

Data processing contracts

Controllers must have a contract with their processors that clearly sets forth instructions for processing personal data, the nature and purpose for processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties. The contract must also lay out processes for retention, deletion, access, and subcontractor accountability.

The Iowa Attorney General will have the exclusive power to enforce the provisions of the bill. Businesses found to have violated the law will be subject to monetary penalties of up to $7500 per violation.

There is a 90-day cure period under the new bill that does not have a sunset clause.

There is no private right of action.

The ICDPA is expected to have a significant impact on businesses and consumers, requiring businesses to adapt their data practices and consumers to become more aware of their rights. The law presents challenges for businesses in terms of compliance costs and potential changes to their data collection and use practices.

The Iowa Consumer Data Protection Act (ICDPA) marks a pivotal turning point in data privacy for the state, ushering in a new era of consumer control, transparency, and business accountability. With the ICDPA’s effective date set for January 1, 2025, businesses must now adapt to the law’s stringent requirements, ensuring responsible data governance practices. This legislation aligns with a broader national movement, echoing the objectives of data protection laws in California and Virginia, signaling a nationwide shift towards prioritizing consumer data privacy.