Iowa’s newly passed comprehensive data privacy law 


Article by Tsaaro



The importance of data privacy has led many countries to pass privacy laws. As new technology develops, new privacy concerns emerge, so privacy laws are enacted, regulations are passed, and amendments are made to keep pace with the evolving problems in data privacy. The huge penalties imposed on organizations that don’t adhere to privacy laws reflect the value of data.


On March 29, 2023, Iowa passed its new comprehensive data privacy law. It became the sixth state, joining Colorado, California, Connecticut, and Utah. Iowa’s Consumer Data Protection Act (ICDPA) will become effective on January 1, 2025.

The ICDPA is comparable to the Utah Consumer Privacy Act and introduces few changes relative to the state laws mentioned above, so companies that already comply with the other state laws need only minimal updates for the ICDPA.

The ICDPA is considered more business-friendly than the other state laws. It includes a 90-day cure period to correct violations, and there is no requirement to conduct data protection or privacy risk assessments or to practice purpose limitation or data limitation.


This Act applies to a business that:

  1. controls or processes the data of at least 100,000 Iowa consumers, or
  1. controls or processes the data of at least 25,000 Iowa consumers and derives 50% of gross revenue from the sale of personal data.

Unlike the laws of states like California and Utah, the ICDPA does not contain a revenue threshold.


  1. Right to access – Consumers have the right to confirm whether the controller is processing their personal data and to access that data.
  1. Right to delete – Consumers have the right to request deletion of the personal data they provided to the controller.
  1. Right to portability – Consumers can obtain a copy of their personal data, except when the data is subject to security breach protection or if it was previously provided to the controller in a portable and readily usable format that allows a consumer to transmit the data to another controller without hindrance where the processing is carried out by automated means.
  1. Right to opt out of sales – Consumers have the right to opt out of the sale of their personal data. The Act defines a sale as the exchange of personal data for monetary consideration by the controller to a third party. A sale does not include disclosure of data to a processor, disclosure to a controller to fulfill a consumer request, disclosure made by public channels, or internal transfers. The opt-out rules do not apply to pseudonymized data.


The ICDPA classifies businesses that handle personal data as controllers or processors, similar to GDPR and other data protection and privacy laws.

The ICDPA defines a controller as a person who determines the purpose and means of processing personal data and a processor as a person who processes that data on behalf of a controller. The following are the obligations of the data controllers. 

  1. Data security – Controllers must implement reasonable administrative, technical, and physical data security practices to protect the integrity, confidentiality, and availability of personal data. The law also specifies that the practices must be appropriate to the volume and nature of the personal data.
  1. Nondiscrimination – Controllers must not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. Controllers must also not discriminate against consumers for exercising their rights under the Act.
  1. Sensitive data – Controllers should not process sensitive data unless a clear notice and an opportunity to opt out of the processing are provided. The processing must comply with the Children’s Online Privacy Protection Act (COPPA) when a child’s sensitive data is being processed. Sensitive data includes categories such as racial or ethnic origin, religious beliefs, genetic or biometric data, immigration status, geolocation data, and data collected from a child.
  1. Transparency – Controllers must follow the principle of transparency by providing consumers with a notice that includes:
  • The categories of the personal data produced.
  • The purpose of processing the personal data.
  • How consumers may exercise their consumer rights according to the Act.
  • The categories of personal data that the controller shares with third parties, if any.
  • The categories of third parties with whom the controller shares the data, if any.

These are the obligations of data controllers specified in the law.


The ICDPA defines a processor as a person that processes personal data on behalf of a controller. Determining who qualifies as a processor is a fact-based determination that depends upon the context in which the personal data is to be processed.

The ICDPA requires processors to adhere to the instructions of controllers, to assist controllers in fulfilling their obligations to respond to consumer rights requests, and to fulfill their data security and breach notification obligations.


Iowa exempts personal data covered by existing federal laws, including the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), the Driver’s Privacy Protection Act, and the Farm Credit Act.

It also exempts health records, human subjects research data covered by federal law or other standards, and data processed or maintained for employment purposes. This law does not apply to government or state entities or to financial institutions.


A violation of the ICDPA is subject to a $7,500 fine for each violation. Complying with the ICDPA is therefore necessary to protect the data of Iowa consumers, and it is significant for any organization that uses the data of Iowa consumers to build trust and avoid penalties.

Tsaaro helps with privacy law compliance through its skilled privacy professionals.
