Iowa Consumer Data Protection Act: 101 – What You Need to Know

Scott Dooley
Jan 7, 2026 · Last updated: January 1, 2026

Iowa became the sixth US state to enact consumer privacy legislation when Governor Kim Reynolds signed Senate File 262 in March 2023. The law took effect on January 1, 2025 and takes a notably business-friendly approach compared to other state privacy laws.

What Is the ICDPA?

The Iowa Consumer Data Protection Act (ICDPA) grants Iowa residents certain rights over their personal data and establishes obligations for covered businesses. The law is one of the more limited state privacy laws, omitting several rights found in other states.

Enforcement is handled by the Iowa Attorney General. There is no private right of action.

Does It Apply to Your Business?

The ICDPA applies to businesses that conduct business in Iowa or produce products or services targeted to Iowa residents. To be covered, a business must also meet at least one of two thresholds during a calendar year:

Threshold 1: Control or process the personal data of at least 100,000 Iowa residents.

Threshold 2: Control or process the personal data of at least 25,000 Iowa residents AND derive more than 50% of gross revenue from selling personal data.

The law does not include a revenue threshold, so small businesses meeting the data volume requirements are covered regardless of their annual revenue.

Exemptions

Several categories are exempt from the ICDPA:

  • Government agencies (state and federal)
  • Financial institutions regulated by the Gramm-Leach-Bliley Act
  • Healthcare entities covered by HIPAA
  • Nonprofit organizations
  • Higher education institutions
  • Employment and B2B data

Key Consumer Rights

Iowa residents have more limited rights compared to other state privacy laws:

  • Right to confirm whether a business is processing their personal data
  • Right to access their personal data
  • Right to delete personal data they provided
  • Right to obtain a portable copy of their data
  • Right to opt out of the sale of personal data
  • Right to opt out of targeted advertising

Notable absences: Unlike most other state privacy laws, the ICDPA does not provide consumers with a right to correct inaccurate information. It also does not grant a right to opt out of profiling.

Business Obligations

Covered entities must:

  • Provide clear privacy notices
  • Implement reasonable data security measures
  • Respond to consumer requests within 90 days (with a possible 45-day extension)
  • Provide notice and opt-out opportunity before processing sensitive data

Sensitive data approach: Unlike most state laws that require opt-in consent for sensitive data, the ICDPA only requires notice and an opt-out opportunity. This is a less restrictive standard, similar to Utah’s approach.

Sensitive Data

The ICDPA’s sensitive data categories include:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic data
  • Biometric data
  • Personal data of known children
  • Precise geolocation data

Enforcement and Penalties

The Iowa Attorney General has exclusive enforcement authority.

The law includes a 90-day cure period for alleged violations. This is the longest cure period of any state privacy law and provides businesses substantial time to address issues before penalties apply.

Penalties for violations that are not cured follow standard enforcement provisions. Early enforcement is expected to focus on voluntary compliance given the lengthy cure period.

Key Dates

  • March 29, 2023: ICDPA signed into law
  • January 1, 2025: ICDPA took effect

Getting Started

Iowa’s ICDPA is one of the most business-friendly state privacy laws. The absence of a correction right, the opt-out rather than consent approach to sensitive data, the lack of profiling opt-out rights, and the 90-day cure period all reduce the compliance burden.

If your business meets the thresholds, focus on ensuring your privacy notices disclose data practices, implementing opt-out mechanisms for data sales and targeted advertising, and providing notice and opt-out opportunities before processing sensitive data.

Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.
