Iowa’s newly passed comprehensive data privacy law 

Iowa’s newly passed comprehensive data privacy law 

Article by Tsaaro

7 min read

Iowa’s newly passed comprehensive data privacy law 


The importance of data privacy has led many countries to pass privacy laws. As new technology develops, it gives rise to new privacy concerns. Therefore, legislators are enacting privacy laws, passing regulations, and making amendments to address the evolving challenges in data privacy law. The substantial penalties imposed on organizations that fail to comply with privacy laws underscore the value of data.


On March 29, 2023, Iowa passed its new comprehensive data privacy law. It became the sixth state to join with Colorado, California, Connecticut, and Utah. Iowa’s Consumer Data Protection Act (ICDPA) will become effective on January 1, 2025. 

On comparing the other state laws, it is comparable to the Utah Consumer Privacy Act. There are not many changes that are introduced compared to the above-mentioned state laws. So, the companies that comply with the other state laws need some minimal number of updates when it comes to ICDPA.  

ICDPA is considered to be more business-friendly compared to the other states. This law includes a 90-day cure period to correct the violations and there’s no requirement to conduct data protection or privacy risk assessments, practice purpose limitation, or data limitation. 


The applicability of this act is to the business that 

  1. controls or processes the data of at least 1,00,000 consumers of Iowa, or  
  1. controls or processes the data of at least 25,000 consumers of Iowa 

and derives 50% of gross revenue from the sale of personal data. ICDPA does not contain the revenue threshold, unlike states like California and Utah.


  1. Right to access – The consumers are provided with the right to confirm whether the controller is processing their personal data and access to that data. 
  1. Right to delete – The personal data provided to the controllers can be requested by the consumers to delete, which is a right provided by the law.   
  1. Right to portability – The copy of the personal data can be obtained by the consumers, except when the data is subject to security breach protection or if it was previously provided to the controller in a portable and readily usable format that allows a consumer to transmit the data to another controller without hindrance where the processing is carried out by automated means.  
  1. Right to opt out of sales – The consumers are provided with the right to opt out of the sale of their personal data. Where this Act defines the Sale of personal data for monetary consideration by the controller to a third party. The sale does not include disclosure of data to a processor, disclosure to a controller to fulfill a consumer request, disclosure made by public channels, or internal transfers. For the pseudonymized data, the opt-out rules do not apply.  


The ICDPA classifies the businesses that handle personal data as controllers or processors, which is like GDPR and other data protection and privacy laws.  

The ICDPA defines a controller as a person who determines the purpose and means of processing personal data and a processor as a person who processes that data on behalf of a controller. The following are the obligations of the data controllers. 

  1. Data security – Controllers must implement reasonable administrative, technical, and physical data security practices to protect the integrity, confidentiality, and availability of personal data.The laws also specify that the practices must be appropriate to the volume and nature of the personal data. 
  1. Nondiscrimination – The controllers must prohibit the processing of personal data if it violates state and federal laws that prohibit unlawful discrimination against consumers. There must also be no discrimination against consumers for exercising their rights within the Act. 
  1. Sensitive data – The controllers should not process the data unless they produce a clear notice and allow for opting out of data processing. Processing must comply with the Children’s Online Privacy Protection Act (COPPA) when processing a child’s sensitive data.he sensitive data includes the categories such as racial or ethnic origin, religious beliefs, genetic or biometric data, immigration status, geolocation data, and data collected from a child. 
  1. Transparency – Controllers must follow the principle of transparency by providing consumers with a notice that includes
  • The categories of the personal data produced. 
  • The purpose of processing the personal data 
  • How consumers may exercise their consumer rights according to the Act. 
  • The categories of personal data that the controller shares with the third parties if any, 
  • The categories of third parties to whom the controller shares the data, if any. 

The above-mentioned are the obligations of the data controllers specified in the law.  


The ICDPA defines a processor as a person who processes personal data on behalf of a controller. Determining who qualifies as a processor depends on the context in which they will process the personal data and is a fact-based determination.

The ICDA requires the processors to adhere to the instructions of the controllers, assistance to controllers in fulfilling their obligations to respond to consumer rights requests, and to fulfill their data security and breach notification obligations.  


Iowa exempts the personal data covered by the existing federal laws, including (Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA) , the Driver’s Privacy Protection Act, and the Farm Credit Act. 

It also exempts the health records, human subjects research data covered by federal law or other standards, and the data processed or maintained for employment purposes. This law does not apply to the government or state entities, and financial institutions.  


The violation of ICDPA is subject to a $7,500 fine on each violation. And, complying with ICDPA is necessary to protect the data of Iowa consumers. It is significant for an organization that uses the data of Iowa consumers to build trust and to avoid penalties. Take the first step towards a secure your organization’s data by scheduling a call with our privacy expert team at Tsaaro Solutions today

Tsaaro helps in compliance with the privacy laws, with the skilled privacy professionals in the market.  

1 thought on “Iowa’s newly passed comprehensive data privacy law ”

Leave a Reply

Your email address will not be published. Required fields are marked *

Shubham Bansal

INTRODUCTION:  The enactment of the Digital Personal Data Protection Act, 2023, marks a significant milestone in the realm of data …

Shubham Bansal

Introduction  The introduction of the DPDPA, 2023 has brought in the opportunity for various sectors including the pharma companies to …

Shubham Bansal

INTRODUCTION:  The enactment of data protection legislation across various jurisdictions have necessitated strict mandates to protect people’s personal information. India …

Shubham Bansal

Introduction  In today’s digital age, data protection and privacy are crucial for businesses, especially those operating online. As companies increasingly …

Shubham Bansal

INTRODUCTION Last year, India achieved a significant mark when the long-awaited data protection legislation known as the Digital Personal Data …


Would you like to read regular updates from Tsaaro.
Subscribe to our newsletter

Our Latest Blogs

Read what the latest hapennings in the cyber world are and learn what the
experts have to say about them