Iowa has joined California, Colorado, Utah, Connecticut, and Virginia in the growing ranks of states that have enacted a statewide consumer data privacy law. Dubbed the Iowa Consumer Data Protection Act (ICDPA), the bill was unanimously approved by the Iowa House and Senate, and Governor Kim Reynolds signed it into law in the final week of March.
“In our digital age, it’s never been more important to state, clearly and unmistakably, that consumers deserve a reasonable level of transparency and control over their personal data,” said Governor Reynolds in a press release. “That’s exactly what this bill does, making Iowa just the sixth state to provide this kind of comprehensive protection.”
In this post, we provide a brief overview of the law, describe what makes it unique compared to other state privacy laws, and offer guidance on how businesses can stay compliant.
At its most basic level, the Iowa Consumer Data Protection Act is a consumer data privacy law. Businesses subject to the ICDPA are required to inform consumers about the data collection and processing they engage in, give them a way to opt out of data collection, apply certain protections to the data they do collect, and more.
Businesses that fail to meet the ICDPA's requirements can be fined. And although the ICDPA is quite similar to the other state privacy laws, it is, like the Utah Consumer Privacy Act (UCPA), considerably more business-friendly. We dive into that later in the article.
Iowa’s law will go into effect on January 1, 2025, giving businesses plenty of time to adjust their practices and prepare for compliance. It provides the most common consumer rights and has definitions many privacy professionals are used to in terms of personal data and sensitive personal data. That means compliance may be less burdensome than some of the law’s predecessors, like the California Privacy Rights Act (CPRA) or the Colorado Privacy Act (CPA).
The law applies to any business that:
Like the other five state laws, Iowa's exempts data regulated by the Fair Credit Reporting Act. It also exempts the state or any political subdivision of the state; financial institutions, affiliates of financial institutions, and data subject to Title V of the federal Gramm-Leach-Bliley Act of 1999; entities subject to and in compliance with the federal Health Insurance Portability and Accountability Act (HIPAA) regulations; nonprofit organizations; and institutions of higher education.
Similar to other state acts, Iowa’s law provides consumers with:
In contrast with other state privacy laws, the ICDPA does not explicitly grant consumers the right to opt out of the use of their personal data for targeted advertising. However, it does require businesses to clearly and conspicuously disclose any use of personal data for targeted advertising and to give consumers a means of opting out. This obligation simply isn't framed as a consumer right, per se.
Another difference is that Iowa's law provides neither the right to correct personal data nor the right to opt out of profiling, both of which are unusual omissions. Incorrect data can cause consumers plenty of problems, but profiling is a much trickier subject. Any form of automated processing of personal data to evaluate or predict an individual's behavior, interests, preferences, and the like is considered profiling. Most other state privacy laws let consumers opt out of profiling used in decisions that produce legal or similarly significant effects, since such processing makes biased decision-making easy.
Another departure from other laws' data subject rights provisions is the timeline for data subject access requests (DSARs). Under the ICDPA, businesses must respond to consumer requests within 90 days. An additional 45 days are allowed when "reasonably necessary upon considering the complexity and number of the consumer's requests," as long as the consumer is notified of the extension within the initial 90-day response period.
Lastly, information must be supplied free of charge up to twice annually per consumer (except if the request is “manifestly unfounded, excessive, repetitive, or technically unfeasible;” however, the burden of proof is on the business).
Iowa's data privacy law will be enforced by the state attorney general. The law is somewhat more lenient than other state laws in that it provides a permanent 90-day "cure period" for those found to be in violation. Other states provide shorter cure periods or offered cure periods only temporarily, to give businesses time to adjust to the law. Because the ICDPA's cure period never expires, it's fair to say that the law is more business-friendly than other state data privacy laws.
If the controller or processor cures the noticed violation within the 90-day period and provides an “express written statement that the alleged violations have been cured and that no further such violations shall occur,” no action will be initiated. If not, the business is subject to a fine of $7,500 per violation.
The fine structure is the same as in Virginia and Utah. Connecticut's cap is $5,000 per violation, California's penalties range from $2,500 to $7,500, and Colorado can fine violators up to $20,000 per instance (though the CPA's penalties are capped at $500,000). Iowa's law does not provide a private right of action that would let consumers sue for violations, but consumers can report violations to the attorney general.
Companies that are already complying with other state data privacy regulations (and international regulations like the GDPR) are in a good position to quickly become compliant with the ICDPA. However, it’s always best practice to review the text of the law, seek guidance from legal counsel, and learn what you can from subject matter experts.
This is especially true as the ICDPA is a relatively new law, and data privacy advocates are already calling on the state to strengthen it with additional protections.
"While the law includes some basic consumer rights for Iowans, such as the right to know the information companies have collected about them, the right to delete that information, and the right to limit some data disclosures, those rights are undercut by weak definitions of what constitutes a sale and targeted advertising," Consumer Reports said in a press release the day after the law was passed.
Among the criticisms are the lack of provisions covering universal opt-out mechanisms, such as the Global Privacy Control (GPC), and enforcement provisions that critics consider weak. The law also allows businesses to discriminate against consumers who opt out, by denying them services or charging them extra.
Since the ICDPA is (as of this writing) the most recent addition to the U.S.’s data privacy landscape, we can expect that there will be at least some future changes to the law, either via rulemaking or an amendment (as was the case with the CCPA and CPRA).
To become compliant with the ICDPA as well as the numerous data privacy bills currently making their way through state legislatures, check out our checklist for 2023’s state privacy laws. Although we developed this resource before the ICDPA hit the scene, the guidance within will still apply.
And if you want to investigate how to comply with the technical and tedious aspects of the ICDPA or other state privacy laws, why not try a demo of the Osano platform? We’re happy to help with everything ranging from consent management to subject rights management and beyond.