Iowa Privacy & Accessibility Laws
Iowa enacted the Iowa Consumer Data Protection Act (ICDPA) in March 2023, becoming one of the states with comprehensive consumer privacy legislation. The law takes effect January 1, 2025. Iowa state agencies must also ensure their digital services are accessible to individuals with disabilities.
Accessibility Requirements
Iowa state agencies must ensure websites and digital services are accessible under ADA Title II and state IT policies.
Iowa Consumer Data Protection Act (ICDPA)
The Iowa ICDPA establishes privacy rights for Iowa consumers and obligations for businesses that collect and process personal data.
Key Dates
- Enacted: March 28, 2023
- Effective Date: January 1, 2025
- Cure Period: 90 days (permanent, no sunset provision)
Who Must Comply?
The Iowa ICDPA applies to entities that conduct business in Iowa or target Iowa residents AND:
| Threshold | Requirement |
|---|---|
| Data Volume | Control or process personal data of 100,000+ Iowa consumers |
| Revenue + Data | Derive more than 50% of gross revenue from selling personal data AND process data of 25,000+ consumers |
Consumer Rights Under Iowa ICDPA
| Right | Description |
|---|---|
| Right to Know | Confirm whether a controller is processing personal data and access that data |
| Right to Delete | Delete personal data provided by or obtained about the consumer |
| Right to Portability | Obtain personal data in a portable, readily usable format |
| Right to Opt-Out | Opt out of targeted advertising and sale of personal data |
Notable Differences
Iowa's law notably does not include a right to correct inaccurate data or a right to opt out of profiling, making it more business-friendly than some other state privacy laws.
Sensitive Data Categories
The Iowa ICDPA requires opt-in consent for processing sensitive data, including:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data for identification
- Personal data of known children
- Precise geolocation data
Accessibility Requirements
Iowa government agencies must ensure digital accessibility for all residents:
State Government Obligations
- Iowa state agencies must comply with ADA Title II for all public-facing digital content
- Office of the Chief Information Officer provides accessibility guidance
- State websites should follow WCAG 2.1 Level AA guidelines
- Educational institutions must ensure accessible digital learning materials
- State IT procurement encourages vendor accessibility compliance
Private Sector Considerations
- Businesses with physical locations in Iowa are subject to ADA Title III
- Website accessibility claims can be brought under federal ADA
- Healthcare providers must ensure accessible patient portals
- Financial institutions must provide accessible online banking services
Enforcement
Privacy Enforcement
- Iowa Attorney General - Exclusive enforcement authority for ICDPA
- 90-day cure period - Permanent (no sunset provision)
- No private right of action - Only AG can enforce
Contact:
Office of the Iowa Attorney General
Consumer Protection Division
1305 E. Walnut Street
Des Moines, IA 50319
(515) 281-5926
Accessibility Enforcement
- U.S. Department of Justice - ADA Title II and III enforcement
- Iowa Civil Rights Commission - State disability discrimination
- Private litigation - Individuals can bring ADA claims
Contact:
Disability Rights Iowa
400 E. Court Avenue, Suite 300
Des Moines, IA 50309
(515) 278-2502
Iowa ICDPA Penalties
| Violation Type | Maximum Penalty |
|---|---|
| Per violation (after cure period) | $7,500 per violation |
| Consumer Fraud Act violation | Additional penalties under Iowa Consumer Fraud Act |
| Injunctive relief | Court may order business practices to cease |
Business Obligations
| Obligation | Description |
|---|---|
| Privacy Notice | Clear notice of data categories, purposes, rights, and third-party sharing |
| Data Minimization | Limit collection to what is reasonably necessary for disclosed purposes |
| Purpose Limitation | Process data only for purposes disclosed to consumers |
| Security | Implement appropriate technical and organizational security measures |
| Sensitive Data Consent | Obtain opt-in consent before processing sensitive personal data |
| Request Response | Respond to consumer requests within 90 days |
| Data Processing Agreements | Establish contracts with processors that handle personal data |
Consumer Rights
Iowa residents have the following privacy rights under the ICDPA:
- Right to Access: Confirm processing and access personal data
- Right to Delete: Request deletion of personal data
- Right to Portability: Receive data in portable format
- Right to Opt-Out: Opt out of targeted advertising and data sales
- Right to Non-Discrimination: Cannot be penalized for exercising rights
- Right to Appeal: Appeal controller's decision on consumer requests
Important Exemptions
The Iowa ICDPA exempts government entities, nonprofits, higher education institutions, HIPAA-covered entities, financial institutions under GLBA, and data regulated by FERPA, HIPAA, FCRA, or GLBA.
Need Help with Iowa Compliance?
The Iowa ICDPA is now in effect as of January 1, 2025. The 90-day cure period provides businesses time to remedy violations. Contact our experts for guidance on privacy policies and consumer request processes.