---
name: iowa-consumer-privacy
title: Iowa Consumer Data Protection Act (ICDPA)
description: Iowa Consumer Data Protection Act (ICDPA) compliance. Effective January 1, 2025. Covers consumer rights (access, delete, opt-out), controller thresholds at 100,000 consumers, sensitive data opt-in consent, 90-day cure period, and AG-only enforcement. Iowa Code Chapter 715D.
author: mukul975
author_url: https://github.com/mukul975/Privacy-Data-Protection-Skills/tree/main/plugins/privacy-skills-complete/skills/iowa-consumer-privacy
license: Apache-2.0
version: 0.1.0
execution_mode: open
jurisdiction: us
practice: data-protection
language: en
---

# Iowa Consumer Data Protection Act (ICDPA)

## Overview

The Iowa Consumer Data Protection Act (ICDPA), codified as Iowa Code Chapter 715D (SF 262), was signed into law on March 28, 2023, and became effective **January 1, 2025**. Iowa follows a business-friendly model with fewer consumer rights than most states (no right to correct or right to portability), a 90-day cure period (the longest among state privacy laws), and AG-only enforcement. The ICDPA is considered one of the least restrictive comprehensive state privacy laws.

## Applicability (§715D.2)

The ICDPA applies to persons that conduct business in Iowa or produce products or services targeted to Iowa consumers AND during a calendar year:

1. Control or process personal data of at least **100,000** Iowa consumers; OR
2. Control or process personal data of at least 25,000 Iowa consumers AND derive more than **50%** of gross revenue from the sale of personal data.

**Exemptions (§715D.3):**
- State and local government entities
- GLBA-covered financial institutions (entity-level)
- HIPAA covered entities and business associates (entity-level)
- Nonprofit organizations
- Institutions of higher education
- Data governed by GLBA, HIPAA, FERPA, FCRA, DPPA, COPPA, Farm Credit Act

**Liberty Commerce Inc. Assessment:**
Liberty Commerce Inc. processes personal data of approximately 52,000 Iowa consumers. It does not meet either threshold but maintains monitoring as part of its multi-state privacy compliance program.

## Consumer Rights (§715D.4)

### Three Consumer Rights

Iowa provides fewer rights than most comprehensive state privacy laws:

1. **Right to Access** (§715D.4(1)(a)): Confirm whether controller is processing personal data and access that data
2. **Right to Delete** (§715D.4(1)(b)): Delete personal data provided by or obtained about the consumer
3. **Right to Opt Out** (§715D.4(1)(c)):
   - Sale of personal data
   - Targeted advertising

**Notable omissions:**
- No right to correct inaccuracies
- No right to data portability
- No right to opt out of profiling

### Response Requirements (§715D.5)

- Respond within **90 days** (longest response window among state privacy laws)
- No extension provision — the 90-day period is the full window
- At least one free response per 12 months
- Appeal: controller must establish an internal appeals process and respond within 60 days
- If appeal denied: inform consumer of right to contact the AG

## Sensitive Data (§715D.1(24))

### Categories
1. Racial or ethnic origin
2. Religious beliefs
3. Mental or physical health diagnosis
4. Sexual orientation
5. Citizenship or immigration status
6. Genetic data
7. Biometric data for identification
8. Personal data of a known child
9. Precise geolocation data

### Consent Requirement
Processing sensitive data requires **opt-in consent** before processing. Iowa follows the Virginia model requiring clear affirmative consent.

## Controller Obligations (§715D.4)

1. **Purpose limitation**: Processing limited to what is adequate, relevant, and reasonably necessary
2. **Data minimization**: Collection limited to what is adequate, relevant, and reasonably necessary for disclosed purposes
3. **Data security**: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices
4. **Non-discrimination**: Shall not process personal data in violation of state and federal antidiscrimination laws
5. **Sensitive data consent**: Opt-in consent required before processing
6. **Privacy notice**: Clear and reasonably accessible privacy notice

### Privacy Notice Requirements (§715D.4(6))
- Categories of personal data processed
- Purpose for processing personal data
- How consumers may exercise their rights
- Categories of personal data shared with third parties
- Categories of third parties with whom data is shared

### Data Protection Assessments

**Iowa does NOT require data protection assessments (DPIAs).** This is a notable omission compared to most comprehensive state privacy laws. However, organizations subject to multiple state laws should conduct DPIAs as required by other applicable jurisdictions.

## Processor Requirements (§715D.5)

Processing must be governed by a contract that includes:
- Instructions for processing
- Nature, purpose, and duration of processing
- Type of personal data and categories of consumers
- Rights and obligations of both parties
- Confidentiality requirements
- Return or deletion of data upon termination
- Cooperation with assessments
- Sub-processor requirements

## Enforcement (§715D.6)

### Attorney General Authority
- **Exclusive enforcement** — no private right of action
- AG investigates and brings actions under Iowa Consumer Fraud Act (Iowa Code Chapter 714H)

### 90-Day Cure Period (§715D.6(2))
- AG must provide written notice of alleged violation
- Controller has **90 days** to cure the violation
- If cured and express written statement provided: AG may not bring action
- **No sunset provision** — the 90-day cure period is permanent
- This is the **longest cure period** among state privacy laws

### Penalties
- Civil penalties up to $7,500 per violation
- Injunctive relief
- Costs and attorney fees

## Comparison: Iowa vs. Other State Privacy Laws

| Feature | Iowa ICDPA | Virginia VCDPA | Connecticut CTDPA | Colorado CPA |
|---------|-----------|----------------|-------------------|--------------|
| Effective | Jan 1, 2025 | Jan 1, 2023 | Jul 1, 2023 | Jul 1, 2023 |
| Consumer threshold | 100,000 | 100,000 | 100,000 | 100,000 |
| Right to correct | No | Yes | Yes | Yes |
| Right to portability | No | Yes | Yes | Yes |
| Opt-out of profiling | No | Yes | Yes | Yes |
| DPIA required | No | Yes | Yes | Yes |
| Universal opt-out | No | No | Yes | Yes |
| Response window | 90 days | 45 days | 45 days | 45 days |
| Cure period | 90 days | 30 days | 60 days | 60 days |
| Enforcement | AG only | AG only | AG only | AG only |

## Implementation Timeline

| Milestone | Date | Action |
|-----------|------|--------|
| Law enacted | March 28, 2023 | SF 262 signed by Governor |
| Compliance planning | April 2023 - June 2024 | Gap analysis, privacy notice updates |
| Technical implementation | July - November 2024 | Consumer rights portal, opt-out mechanisms |
| Staff training | November - December 2024 | Privacy team and customer service training |
| **Effective date** | **January 1, 2025** | **Full compliance required** |

## Key Regulatory References

- Iowa Code Chapter 715D (ICDPA)
- Iowa Code Chapter 714H (Iowa Consumer Fraud Act — enforcement)
- Iowa AG Consumer Protection Division guidance
