On January 1, 2025 the Iowa Consumer Data Protection Act is due to come into effect.
The ICDPA is the sixth comprehensive privacy law in the United States.
There are many similarities to it’s predecessors with a few differences.
We’ve laid out the key information you need to know about the new law.
Get in touch to find out more and learn how we can help you.
Businesses that are based in Iowa or produce products or services aimed at consumers based in Iowa and either:
- Controls or processes personal data of at least 100,000 Iowa consumers during a calendar year; or
- Derive revenue from the sale of personal data and control or process personal data of at least 25,000 consumers
- Derive more than 50% of gross revenue from the sale of personal data, if they control or process personal data of at least 25,000 Iowa consumers
Unlike the CCPA or the VCDPA there is no minimum dollar value of business revenue.
- Government entities
- Financial institutions, their affiliates and entities subject to the Gramm-Leach-Bliley Act
- Entities who are subject to and comply with the Health Information Technology for Economic and Clinical Health Act and/or HIPAA
- Nonprofit organizations
- Higher education institutions
Consumers have the right to confirm whether their data is being processed and access that data.
Any personal data they provided to the controller.
Consumers have the right to obtain a copy of the personal data they provided to the controller. Unless said data is subject to security breach protection or if the data has previously been provided to the controller in a portable and readily usable format that allows the consumer “to transmit the data to another controller without hindrance, where processing is carried out by automated means.”
Able to opt-out to the sale of their data.
This does not apply to pseudonymous data
The Iowa Attorney General is exclusively responsible for enforcing the Iowa Consumer Data Protection Act. Violations of the ICDPA could result in penalties of $7,500 per violation.
Once the Iowa Attorney General provides written notice to any entity violating the act the company will have 90 days to address the violations, cure them and provide the attorney general of the cure and a statement that no further violations will occur