
Iowa’s newly passed comprehensive data privacy law 

Article by Tsaaro


INTRODUCTION  

The importance of data privacy has led many countries to pass privacy laws. As new technology develops, it gives rise to new privacy concerns. Therefore, legislators are enacting privacy laws, passing regulations, and making amendments to address the evolving challenges in data privacy law. The substantial penalties imposed on organizations that fail to comply with privacy laws underscore the value of data.

IOWA’S NEW PRIVACY LAW 

On March 29, 2023, Iowa passed its new comprehensive data privacy law. It became the sixth state to do so, joining Colorado, California, Connecticut, and Utah. Iowa’s Consumer Data Protection Act (ICDPA) will become effective on January 1, 2025.

Compared with the other state laws, the ICDPA is comparable to the Utah Consumer Privacy Act. It introduces few changes relative to the state laws mentioned above, so companies that already comply with those laws need only minimal updates for the ICDPA.

The ICDPA is considered more business-friendly than the other states’ laws. It includes a 90-day cure period to correct violations, and there is no requirement to conduct data protection or privacy risk assessments or to practice purpose limitation or data limitation.

SCOPE AND APPLICABILITY  

This Act applies to a business that

  1. controls or processes the data of at least 100,000 consumers of Iowa, or
  1. controls or processes the data of at least 25,000 consumers of Iowa and derives 50% of gross revenue from the sale of personal data.

Unlike states like California and Utah, the ICDPA does not contain a revenue threshold.

RIGHTS OFFERED TO CONSUMERS  

  1. Right to access – Consumers have the right to confirm whether the controller is processing their personal data and to access that data.
  1. Right to delete – Consumers have the right to request deletion of the personal data they provided to the controller.
  1. Right to portability – Consumers can obtain a copy of their personal data, except when the data is subject to security breach protection or if it was previously provided to the controller in a portable and readily usable format that allows a consumer to transmit the data to another controller without hindrance where the processing is carried out by automated means.
  1. Right to opt out of sales – Consumers have the right to opt out of the sale of their personal data. The Act defines the sale of personal data as one made for monetary consideration by the controller to a third party. A sale does not include disclosure of data to a processor, disclosure to a controller to fulfill a consumer request, disclosure made by public channels, or internal transfers. The opt-out rules do not apply to pseudonymized data.

OBLIGATIONS OF DATA CONTROLLERS 

The ICDPA classifies businesses that handle personal data as controllers or processors, as do the GDPR and other data protection and privacy laws.

The ICDPA defines a controller as a person who determines the purpose and means of processing personal data and a processor as a person who processes that data on behalf of a controller. The following are the obligations of the data controllers. 

  1. Data security – Controllers must implement reasonable administrative, technical, and physical data security practices to protect the integrity, confidentiality, and availability of personal data. The law also specifies that the practices must be appropriate to the volume and nature of the personal data.
  1. Nondiscrimination – Controllers must not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. They must also not discriminate against consumers for exercising their rights under the Act.
  1. Sensitive data – Controllers should not process sensitive data unless they provide a clear notice and allow consumers to opt out of the processing. Processing of a child’s sensitive data must comply with the Children’s Online Privacy Protection Act (COPPA). Sensitive data includes categories such as racial or ethnic origin, religious beliefs, genetic or biometric data, immigration status, geolocation data, and data collected from a child.
  1. Transparency – Controllers must follow the principle of transparency by providing consumers with a notice that includes:
     • The categories of the personal data produced.
     • The purpose of processing the personal data.
     • How consumers may exercise their consumer rights according to the Act.
     • The categories of personal data that the controller shares with third parties, if any.
     • The categories of third parties with whom the controller shares the data, if any.

The above-mentioned are the obligations of the data controllers specified in the law.  

OBLIGATIONS OF PROCESSORS 

The ICDPA defines a processor as a person who processes personal data on behalf of a controller. Determining who qualifies as a processor depends on the context in which they will process the personal data and is a fact-based determination.

The ICDPA requires processors to adhere to the instructions of the controllers, to assist controllers in fulfilling their obligations to respond to consumer rights requests, and to fulfill their data security and breach notification obligations.

EXEMPTIONS  

Iowa exempts personal data covered by existing federal laws, including the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), the Driver’s Privacy Protection Act, and the Farm Credit Act.

It also exempts health records, human subjects research data covered by federal law or other standards, and data processed or maintained for employment purposes. This law does not apply to government or state entities or to financial institutions.

CONCLUSION 

A violation of the ICDPA is subject to a $7,500 fine for each violation. Complying with the ICDPA is necessary to protect the data of Iowa consumers, and it matters for any organization that uses the data of Iowa consumers, both to build trust and to avoid penalties. Take the first step towards securing your organization’s data by scheduling a call with our privacy expert team at Tsaaro Solutions today.

Tsaaro helps with compliance with privacy laws, with skilled privacy professionals in the market.
