Iowa Consumer Data Protection Act: Why It’s Important For Your Business?

Here’s a hot take: The US is slowly but steadily gaining on the EU regarding consumer data protection and its General Data Protection Regulation.

While there’s still no federal data protection act to speak of, and not all states have one, more and more states have either proposed or introduced a data privacy law. Today, 15 US states have a comprehensive consumer data privacy law, with 15 others introducing privacy bills in 2023-2024.

One of those states, as of last year, is Iowa. In this article, we’ll introduce the Iowa Consumer Data Protection Act and, hopefully, help you prepare your business for when it finally enters into effect in less than a year from now.

Key Takeaways

• The Iowa Consumer Data Protection Act was enacted on 29th March 2023 and will take effect on 1st January 2025.
• The ICDPA applies to businesses that operate in Iowa and process the personal data of at least 100,000 residents of Iowa or derive 50% or more of their gross revenue from the sale of personal data of Iowa residents.
• The Attorney General of Iowa enforces the Act and can issue a $7,500 fine per violation.

What is the Iowa Consumer Data Protection Act?

Governor Kim Reynolds introduced and signed the Iowa Consumer Data Protection Act (Iowa CDPA), or officially An Act Relating to Consumer Data Protection, on 29th March, 2023.

This made Iowa the sixth state to get data privacy legislation, following California’s CCPA, Colorado’s CPA, Connecticut’s CTDPA, Virginia’s VCDPA, and Utah’s UCPA.

The law will officially become effective on 1st January 2025, with the aim to protect Iowa consumer data from misuse and to provide data privacy rights.

Important Definitions Under ICDPA

Here are some definitions of essential terms under the Iowa CDPA that you should know:

• Consumer. A natural person who is a resident of Iowa and acting solely in an individual or household context and not in a commercial or employment context
• Consent. A clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to them
• Controller. A person who determines the purpose and means of processing personal data
• Personal data. Any information linked or reasonably linkable to an identified or identifiable natural person.
• Identified or identifiable natural person. A person who can be readily identified, directly or indirectly
• Processing. An operation or operation performed on personal data or set of personal data, including gathering, use, storage, sharing, analysis, deletion, modification, etc., by manual or automated means.
• Processor. A person who processes the personal data of consumers on behalf of the controller
• Sensitive data. Category of personal data that includes racial or ethnic origins, religious beliefs, health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, known child’s data, and precise geolocation data.
• Child. Any natural person younger than 13 years of age.

Of course, this is nowhere in the complete list of terms defined by the Iowa CDPA, but it should you give you a good idea so you can understand this article better.

Scope of Iowa Consumer Data Protection Act

The Iowa CDPA applies to businesses that operate in Iowa or produce and sell products and services that target consumers in Iowa.

The Act defines a “consumer” as:

“A person who is a state resident acting only in an individual or household context and excluding a natural person acting in a commercial or employment context.”

In addition, the Iowa privacy law only applies to entities that:

1. Control or process the personal data of at least 100,000 consumers.
2. Control or process the personal data of at least 25,000 consumers and acquire more than 50% of gross revenue from the sale of personal data.

The law does not cover certain entities such as nonprofit organizations, financial institutions, higher education institutions, and other entities subject to federal regulations such as the Health Insurance Portability and Accountability Act (HIPPA) and the Gramm-Leach-Bliley Act (GLBA).

Also, the Iowa CDPA excludes information such as:

• Employment-related data
• Protected health information under HIPAA
• Research-related information
• Data used under the Children’s Online Privacy Protection Act (COPPA)
• Data collected per the Fair Credit Reporting Act, Farm Credit Act, Driver’s Privacy Protection Act, and other federal laws

Consumer Data Rights Under Iowa CDPA

Under the Iowa Consumer Data Protection Act, consumers have the following rights:

• Right to access: Consumers have the right to be informed of the processing of their data by the controller and to access their data.
• Right to delete: Consumers can request the controller delete their personal data.
• Right to data portability: Consumers have the right to obtain a copy of the personal data that the controller has about them.
• Right to opt out of the sale of their personal data.

The ICDPA defines “sale of personal data” as the “exchange of personal data food monetary consideration by the controller to a third party.”

This does not include the disclosure of personal data:

1. Made available intentionally by the consumer
2. To a processor who processes that data on behalf of the controller
3. To a third party for providing a product or service on the consumer’s request (or the parent if the consumer is a child)
4. To an affiliate of the controller
5. As part of a merger or acquisition
6. When the consumer directs the controller to disclose personal data or interact with a third party intentionally

Unlike similar legislations, the ICDPA does not include the right to opt out of automated decision-making and user profiling or to correct inaccurate information about them.

Additionally, the law states that if a controller engages in targeted advertising, they must “clearly and conspicuously disclose such activity as well as the manner in which a consumer may exercise the right to opt-out of such activity.”

Security Breach Notifications

According to the Iowa Consumer Data Protection Act, any security breach affecting 500 or more Iowa residents must be reported via a written notice to the Attorney General’s Consumer Protection Division Director within five business days after notifying the affected consumers.

For instance, if the consumer you notify an affected consumer of the breach of their personal data on Monday, the company has to inform the attorney general’s office by Friday that same week.

Under Chapter 715C, “breach of security” is:

“Unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information.”

To submit a Security Breach Notification, you can:

• Email Iowa AG at [email protected]
• Phone 515-281-5926
• Fax 515-281-6771 or
• Mail Consumer Protection Division, Security Breach Notifications, Office of the Attorney General of Iowa, 1305 E. Walnut Street, Des Moines, Iowa 50319-0106

Checklist For Compliance With the Iowa Data Protection Act

Here’s a checklist you can follow to ensure you are compliant with this law if you are running a business in Iowa or are selling goods and services to the residents of this state:

Understand the Iowa Consumer Data Protection Act Scope and Definitions

• Verify that the Iowa CDPA applies to your business (operating a business in Iowa, processing data of over 100,000 consumers, or deriving 50% of gross revenue from the sale of personal data)
• Get acquainted with the definitions provided by the law (personal data, consumer, controller, etc.)

Data Processing and Consumer Rights

• Understand what rights consumers have under this Act (right to access information, right to delete, correct to data portability, and the right to opt out of the sale of personal data)
• Build clear procedures for consumers to exercise their data rights under Iowa CDPA
• Implement transparent authentication processes for consumer requests (subject access requests, portability requests, deletion, do not sell my data requests, etc.)
• Ensure you are processing sensitive data following the Iowa CDPA, including obtaining explicit consent from consumers

Data Security and Privacy Practices

• Update your privacy policy to make sure it meets the requirements of the ICDPA
• Introduce and implement adequate organizational, technical, and physical data security measures to safeguard consumers’ personal data.
• Limit data processing to what is necessary concerning the specific purpose.
• Do not process consumer personal data in a way that discriminates against individuals exercising their rights.

Third-Party Management

• Review and update contracts with third-party vendors to ensure they comply with the Iowa CDPA.
• Guarantee they are only processing data for the purposes the contract specifies

Employee Data Security Training and Monitoring

• Conduct regular data privacy training for employees to help them understand the importance of data privacy and compliance.
• Create a privacy awareness training program for your employees to follow.
• Monitor your employees’ data processing activities and ensure they follow the best practices in data protection.

Security Incident Reports and Notification

• Create and follow an effective incident response plan to address security incidents and data breaches.
• Follow the ICDPA requirements regarding notifying consumers and relevant authorities about data privacy breaches.

Documentation

• Maintain detailed records of your data processing activities, consumer requests, and the steps you’ve taken in response to those requests.
• Record any efforts, including privacy notices, security measures, etc., to comply with the Iowa CDPA.

Compliance and Staying Up to Date

• Consult with compliance and data protection experts to better understand your business’s obligations under the law.
• Stay up-to-date with changes to the Iowa CDPA and other relevant laws affecting your business’ data processing activities.

Penalties For Non-Compliance

The attorney general enforces the Iowa CDPA. Suppose there is reasonable cause to suspect that a controller or processor violates this law. In that case, the attorney general will send a 90-day notice to the business to cure the violation.

If, after 90 days, the business continues to violate the ICDPA provisions, the attorney general may seek an injunction and fine the business up to $7,500 per violation.

The attorney general will send any money collected through Iowa CDPA to the consumer education and litigation fund.

The current (34th) Attorney General of Iowa is Brenna Bird, who has been in office since 3rd January 2023.

Frequently Asked Questions (FAQs)

What Is The Iowa Act Relating to Consumer Data Protection ICDPA?

The ICDPA, or the Iowa Consumer Data Protection Act, is a data privacy law that regulates data processing activities of businesses that operate in Iowa, process personal data of more than 100,000 residents of Iowa, or derive at least 50% of their gross revenue from the sale of personal data of Iowa residents.

What Is The Senate File 262 Iowa Data Privacy Law?

The Senate File 262, “An Act Relating to Consumer Data Protection,” or the Iowa Consumer Data Protection Act, governs how businesses that operate in Iowa or process the personal data of residents of Iowa and sell products and services to them.

What is the Consumer Data Protection Act USA?

The USA doesn’t have a consumer data protection law that applies to the entire federal territory. Instead, introducing and enacting those laws falls to the individual states.

At the moment, five states, California, Colorado, Virginia, Utah, and Connecticut, have a data protection law that is officially in effect, while in states like Iowa, Delaware, New Jersey, Montana, New Hampshire, Indiana, Oregon, Texas, and Tennessee such laws also exist, but are not yet effective.

Who Regulates Data Protection In The US?

No single authority body regulates data protection in the US as a whole. Instead, individual states empower their agencies or, in some cases, state attorney general to regulate data protection.

Namely:

• California ****CCPA is regulated by the California Privacy Protection Agency (CPPA)
• Connecticut CTDPA, Iowa CDPA, and Virginia VCDPA are regulated by their attorney generals.
• Utah UCPA by the Utah Division of Consumer Protection
• Colorado CPA by the attorney general and district attorneys
• And so on

How Can Captain Compliance Help?

With more than 3 million residents, Iowa is the 31st state in population. It will also be the ninth state to have a data protection law after California, Virginia, Colorado, Connecticut, Utah, Oregon, Texas, and Montana after its Iowa Consumer Data Protection Act becomes effective on 1st January 2025 (Delaware and New Hampshire will also make their laws effective on this day).

This means you have less than a year to prepare your business to be ICDPA-compliant. To help you with this, Captain Compliance has a leading team of experts ready to tackle any and all issues you had with our years of tried and true experience.

Start now and get in touch for a consultation from data protection experts at Captain Compliance.