Iowa became the sixth U.S. state to enact a detailed consumer data privacy law when the Iowa Consumer Data Protection Act was signed into law by Governor Kim Reynolds on March 28, 2023.
Effective from January 1, 2025, the Act gives the state’s citizens personal data privacy and protection rights as individuals but not in their employment or business contexts. Unlike similar legislation in other states, Iowa’s data protection law does not include a provision requiring data controllers to honor universal opt-out signals, such as Global Privacy Control (GPC).
Key dates: Iowa Consumer Data Privacy Law
- October 2000 – Iowa Governor Thomas Vilsack commissions the Iowa Privacy Task Force to focus on the privacy of Iowans’ health and financial information. The group begins polling citizens about their concerns.
- January 22, 2002 – The Iowa Privacy Task Force publishes its final report, which includes a set of privacy principles for Iowans’ sensitive financial and health information that aim to build on protections granted by federal legislation such as the Gramm-Leach-Bliley Act. Notably, principle 5 states: “Individuals should have a reasonable right to access their personally identifiable health or financial information held by covered entities and the right to request corrections of inaccurate health or financial information”.
- February 8, 2022 – A subcommittee meeting of the Iowa House Committee on Information Technology introduces House Study Bill 674: “A bill for an act relating to consumer data protection, providing civil penalties and including effective date provisions”.
- March 14, 2022 – The Iowa House Committee on Information Technology introduces House File 2506, an update on the consumer data protection bill. It is read for the first time in the House the next day.
- January 12, 2023 – The Bill now known as House Study Bill 12 is introduced to Iowa’s House and referred to the committee for Economic Growth and Technology.
- January 23, 2023 – Iowa’s consumer data privacy bill is introduced to the Senate (Senate Study Bill 1071) and referred to the Committee on Technology.
- February 13, 2023 – The Bill is introduced as Senate File 262 by the Committee on Technology and placed on the calendar. A committee report approving the bill is filed on the same day.
- March 6, 2023 – Iowa senators all vote in favor (47–0) to pass the consumer data privacy Bill.
- March 15, 2023 – Iowa’s House of Representatives members vote unanimously (97–0) to pass the Bill, sending it to the Governor for signing.
- March 28, 2023 – Iowa Governor Kim Reynolds signs the Consumer Data Protection Act into law. “In our digital age, it’s never been more important to state, clearly and unmistakably, that consumers deserve a reasonable level of transparency and control over their personal data,” says Governor Reynolds in a media release on Tuesday March 28, 2023. “That’s exactly what this bill does, making Iowa just the sixth state to provide this kind of comprehensive protection.”
- January 1, 2025 – Iowa’s Consumer Data Protection Act goes into effect.
Consumer rights under the Iowa Consumer Data Protection Act
The definition of a consumer under the Iowa Consumer Data Protection Act is “a natural person who is a resident of the state acting only in an individual or household context and excluding a natural person acting in a commercial or employment context”. In this regard, the exclusion of Iowans’ personal data at work or in business follows similar states’ data privacy legislation.
Personal data is also defined almost word-for-word the same as it is in other U.S. state privacy laws, with the same caveats: “‘Personal data’ means any information that is linked or reasonably linkable to an identified or identifiable natural person. ‘Personal data’ does not include de-identified or aggregate data or publicly available information.”
Consumers in Iowa now have the following data privacy and protection rights, which they can exercise as ‘an authenticated consumer’ (or as an authenticated parent or legal guardian of a child) by sending a request to a controller:
- Right to confirm / right to know whether their personal data is being processed by a controller and what personal data is held. A caveat for this right is mentioned in Section 7, Limitations: “This chapter shall not require a controller, processor, third party, or consumer to disclose trade secrets”.
- Right to delete personal data they have previously provided to the controller.
- Right to portability / to obtain a copy of personal data they have previously provided to the controller in a format that, “to the extent technically practicable”, is readily usable and allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. An exception applies where that personal information is subject to security breach protection.
- Right to opt-out of sale of their personal data.
Controllers are required to respond within 90 days to consumers’ requests to exercise their rights under the Act. Any information provided by a controller to a consumer under these rights must be provided at no cost to the consumer, up to twice in a year per consumer.
Controllers are not required to comply with requests from consumers they cannot reasonably authenticate.
Note: Unlike many other states’ data protection regulations, Iowa’s privacy law does not include the consumer right to correct inaccuracies in records of personal data.
It also does not require controllers to obtain opt-in consent from consumers to collect and process sensitive data, but they must give consumers an opt-out choice (see below). And it does not include a consumer right to opt-out from profiling.
Processing of sensitive data and non-discrimination
Although not listed under consumer rights, Section 4 notes controllers are not permitted to process sensitive data collected from a consumer for a non-exempt purpose (see below) without first giving consumers a clear notice and an opt-out mechanism.
All personal information collected from a known child is classified as ‘sensitive data’ and must be processed in compliance with the Children’s Online Privacy Protection Act of 1998 (COPPA).
The Iowa Consumer Data Protection Act defines ‘sensitive data’ as information about a person’s:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health condition or diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person
- Precise geolocation (“including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that identifies the specific location of a natural person with precision and accuracy within a radius of one thousand seven hundred fifty feet.”)
However, the definition of ‘precise geolocation data’ does not include the content of communications or data generated by or connected to utility meters.
Section 4 of the Act also states controllers cannot discriminate against consumers for exercising their rights (by “denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer.”)
Applicability: Businesses subject to Iowa data privacy legislation
Iowa’s data privacy legislation applies to a person that:
- Conducts business in Iowa; or
- Produces products or services that are targeted to consumers who are residents of Iowa; and
During a calendar year does either of the following:
- Controls or processes personal data of at least 100,000 consumers; or
- Controls or processes personal data of at least 25,000 consumers and derives more than 50% of gross revenue from the sale of personal data.
Note: Like Montana’s Consumer Data Privacy Act, there is no minimum revenue threshold for organizations, which means even very small businesses and sole traders are subject to Iowa’s data protection law if they meet the other applicability criteria.
Exemptions under the Iowa Consumer Data Protection Act
The requirements of Iowa’s data protection law do not apply to:
- The state of Iowa or any political subdivisions of the state;
- Financial institutions, their affiliates or data subject to the Gramm-Leach-Bliley Act;
- Persons who are subject to and must comply with two federal health Acts: the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH);
- Nonprofit organizations; and
- Institutions of higher education.
Information and data also exempt from the requirements of the Act includes:
- Protected health information under HIPAA;
- Health records;
- Information and documents created for purposes of the federal Health Care Quality Improvement Act (42 U.S.C); and patient identifying information and patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act;
- Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 CFR 46;
- Information covered by the protection of human subjects under 21 CFR 50 and 21 CFR 56;
- Personal data collected, maintained, disclosed, sold or used in compliance with the federal Fair Credit Reporting Act;
- Personal data collected, processed, sold or disclosed in compliance with the federal Driver’s Privacy Protection Act;
- Personal data regulated by the Family Educational Rights and Privacy Act;
- Personal data collected, processed, sold or disclosed in compliance with the federal Farm Credit Act;
- Personal data used in accordance with the federal Children’s Online Privacy Protection Act of 1998 (COPPA);
- Data about an individual in an employment context, including emergency contact information and data needed to administer benefits for another person.
Controller compliance requirements under the Iowa Consumer Data Protection Act
Under Iowa’s data protection legislation, controllers must:
- Comply with authenticated consumer requests to exercise their personal data rights within 90 days;
- Adopt and implement reasonable data security practices to protect the confidentiality, integrity and accessibility of personal data. These practices must be appropriate to the volume and nature of the personal data;
- Provide consumers with a clear notice and an opportunity to opt-out of the collection of their sensitive data (unless the data is exempt, as outlined above);
- Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against a consumer; and
- Publish a reasonably accessible, clear and meaningful privacy notice.
Iowa Data Privacy Law privacy notice requirements
A privacy notice must include the following information:
- Categories of personal data processed by the controller;
- Categories of personal data shared by the controller with third parties, if any; and the categories of any third parties;
- Purpose for processing personal data;
- Instructions on how a consumer may exercise their consumer rights via a secure and reliable means that allows the controller to authenticate a consumer;
- Instructions on how a consumer can appeal a controller’s decision regarding a rights request; and
- Disclosure if the controller sells a consumer’s personal data to third parties or engages in targeted advertising – this information must be displayed in a clear notice and give consumers a means to opt-out from such activities.
Processor compliance under Iowa’s data privacy law
Processors must enter contracts with controllers and assist with meeting controller compliance obligations, such as responding to consumer rights requests and notification of data breaches.
A contract between a processor and a controller must include:
- Instructions for processing personal data;
- Nature and purpose of the processing;
- Type(s) of data subject to processing;
- Duration of the processing;
- Requirement for the processor to delete or return all personal data when directed to by the controller at the end of the contract, unless retention of the personal data is required by law;
- Rights and responsibilities of both parties;
- Requirement for the processor to engage any subcontractors or agents under a written contract ensuring they meet the processor’s duties when processing personal data; and
- Requirement for the processor to ensure each person processing personal data complies with data confidentiality and other compliance rules.
Enforcement of Iowa data privacy legislation
The Iowa Attorney General (AG) has exclusive authority to investigate and enforce violations of the Iowa Consumer Data Protection Act. There is no private right of action available.
If the AG plans to initiate an action against a business for an alleged violation of the Act, it must first give the business written notice and a 90-day cure period. After this time, the AG can pursue penalties of up to $7,500 per violation, regardless of whether the violation was found to be accidental or intentional.