Iowa Consumer Data Protection Act (ICDPA)

Signed into law by Governor Kim Reynolds on March 28, 2023, the law took effect on January 1, 2025.

ICDPA defines personal data as any information linked or reasonably linkable to an identified or identifiable natural person.

Controllers must adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.

Controllers are barred from discriminating against consumers who exercise their rights under the law or process their personal data in violation of state and federal laws prohibiting unlawful discrimination.

Applicable organizations must provide a clear privacy policy notice, limit data collection to necessary purposes, and offer an opt-out of data sales.

ICDPA grants Iowa residents rights such as access, deletion, opt-out and portability of their personal data.

Enforced by the Iowa Attorney General, who can issue civil investigative demands to the controllers and processors and initiate a civil action for non-cured violations.

Continuous violations or breaches of an express written statement regarding the cure of the violation may result in civil penalties of up to $7,500 for each violation.

ICDPA is similar to privacy laws in California, Colorado, Connecticut, Utah, and Virginia, minimizing additional compliance burdens for businesses already ensuring compliance with those regulations.