The Iowa Consumer Data Protection Act took effect on January 1, 2025. The law includes the longest cure period of any state privacy law at 90 days, making it one of the most business-friendly enforcement environments.
How ICDPA Enforcement Works
The Iowa Attorney General has exclusive enforcement authority under the ICDPA. Consumers cannot bring private lawsuits for violations.
When the Attorney General identifies a potential violation, businesses receive a 90-day cure period to address the issue. This is significantly longer than the 30-60 day periods found in other states.
The extended cure period means early enforcement is expected to focus on voluntary compliance rather than immediate penalties.
Enforcement Status
As of January 2026, the Iowa Attorney General has not publicly announced enforcement actions or fines under the ICDPA. The law has been in effect for one year.
The 90-day cure period substantially reduces the likelihood of formal enforcement actions, as most compliance issues can be resolved during this extended window.
Enforcement Expectations
Despite the business-friendly environment, certain violations may still attract attention:
Data sales without opt-out. Consumers have the right to opt out of personal data sales. Businesses that sell data without providing a functional opt-out mechanism may face enforcement.
Targeted advertising without opt-out. Similar to data sales, consumers must be able to opt out of targeted advertising. Non-functional or missing opt-out mechanisms create enforcement risk.
Sensitive data processing. While Iowa only requires notice and opt-out (not consent), businesses must still provide these before processing sensitive data. Failure to do so is a potential violation.
Missing privacy notices. The ICDPA requires clear privacy notices. Inadequate or missing notices are relatively easy to identify.
Business-Friendly Features
Iowa’s ICDPA is designed to minimise compliance burden:
90-day cure period. The longest of any state privacy law, providing ample time to address issues.
No correction right. Unlike most states, Iowa does not require businesses to correct inaccurate consumer data.
No profiling opt-out. Consumers cannot opt out of profiling activities.
Opt-out for sensitive data. Rather than requiring opt-in consent, Iowa only requires notice and an opt-out opportunity for sensitive data.
90-day response window. Businesses have 90 days to respond to consumer requests, compared to 45 days in most states.
What This Means for Your Organization
Iowa’s enforcement environment is among the most lenient of any state with privacy legislation. The combination of limited consumer rights, opt-out sensitive data handling, and an extended cure period creates a lower-risk compliance environment.
However, this does not mean compliance can be ignored. Businesses should:
- Ensure privacy notices are complete and accessible
- Implement opt-out mechanisms for data sales and targeted advertising
- Provide notice and opt-out opportunities before processing sensitive data
- Document response processes for consumer requests
Businesses compliant with stricter state laws like California or Colorado will generally exceed Iowa’s requirements.
