Iowa Consumer Data Protection Act
Posted: April 15 2026 | Revised: April 16 2026
The Iowa Consumer Data Protection Act (ICDPA) is a state law that provides residents of Iowa rights when interacting with businesses that collect, use, and sell their personal data.
History
2023
Senate File 262, also known as the Iowa Consumer Data Protection Act (ICDPA), was signed into law on March 28, 2023 by Governor Kim Reynolds.
2025
The ICDPA went into effect on January 1, 2025.
Scope
Who
The ICDPA is intended to protect personal data of consumers – residents of Iowa who are not acting as a business or employee.1
The ICDPA applies to entities that conduct business in Iowa or produce products or services that are targeted to residents of Iowa and that do one or more of the following during a calendar year2:
- control or process personal data of at least 100,000 consumers, or
- control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
The ICDPA distinguishes between controllers and processors.3 A controller is an entity that alone, or jointly with others, determines how personal data is processed.4 A processor is an entity that processes personal data on behalf of a controller.5
Processing means any operation performed on personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.6
The ICDPA imposes restrictions and obligations on the relationship between controllers and processors – requiring that processors follow instructions from the controller related to how personal data may be processed.7 Contracts between controllers and processors must include the following8:
- the types of personal data to be processed,
- instructions for processing the personal data,
- the nature and purpose for processing the personal data,
- the duration of the processing,
- rights and obligations of both parties,
- a duty of confidentiality, meaning the data is protected from disclosure to or access by unauthorized parties,
- an obligation to delete or return personal data upon the controller’s request,
- the ability to demonstrate compliance with the contractual requirements, and
- an obligation that any subcontractors of the processor have controls to protect personal data that are at least as protective as the obligations in the agreement between the controller and the processor.
What
Personal Data
The ICDPA regulates how companies can collect, use, and share personal data. “Personal data” means information that is linked or reasonably linkable to an identified or identifiable person, subject to some exceptions.9
Sensitive Data
The ICDPA provides additional protections around a subcategory of personal data – sensitive data.10 Sensitive data is treated differently because misuse, loss, or unauthorized disclosure of the data can have a more significant impact on consumers than with other types of personal data. For example, this data can facilitate discrimination, financial loss, identity theft, or reputational damage.
Sensitive data includes:11
- racial or ethnic origin,
- religious beliefs,
- mental or physical health diagnosis,
- sexual orientation,
- citizenship or immigration status,
- genetic or biometric data used for the purpose of uniquely identifying a person,
- personal data of a known child (someone younger than 13 years of age), and
- precise geolocation data (information that directly identifies the specific location of a person within a radius of 1,750 feet).
Exemptions
Exempt Entities
The ICDPA does not apply to the following entities12:
- the state or any political subdivision of the state (e.g., local governments),
- financial institutions, affiliates of financial institutions, or data subject to the Gramm-Leach-Bliley Act of 1999,
- entities subject to Tit. II, subtit. F, of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), and Tit. XIII, subtit. D, of the federal Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH),
- nonprofit organizations, and
- higher education institutions.
Exempt Data
The following types of data are exempt from the ICDPA13:
- Protected Health Information under the Health Insurance Portability and Accountability Act (HIPAA),
- health records,
- patient identifying information for the purposes of 42 U.S.C. § 290dd-2, which covers confidentiality of records related to substance abuse and mental health services,
- identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46, which governs research involving human subjects,
- identifiable private information that is collected as part of human subjects research pursuant to the “Good Clinical Practice” guidelines issued by The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or for the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, which govern research involving human subjects,
- information and documents created for purposes of the Health Care Quality Improvement Act of 1986 (42 U.S.C. § 11101 et seq.),
- patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act (42 U.S.C. § 299b-21 et seq.),
- information used for public health activities and purposes as authorized by HIPAA,
- collection, maintenance, disclosure, sale, communication, or use of personal data bearing on a consumer's creditworthiness to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.),
- personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994 (18 U.S.C. § 2721 et seq.),
- personal data regulated by the federal Family Educational Rights and Privacy Act (20 U.S.C. § 1232g et seq.),
- personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act (12 U.S.C. § 2001 et seq.),
- data processed in the course of an individual applying to, being employed by, or acting as an agent or independent contractor to the extent that the data is collected and used within the context of that role,
- data processed or maintained for applications for employment or employment purposes, including consumer health data collected in the employment context,
- emergency contact information used for emergency contact purposes in an employment or contractor setting, and
- data necessary to administer benefits in an employment or contractor setting.
Deidentified Data
The ICDPA includes an exemption for deidentified data.14
Deidentified data is data that cannot reasonably be used to infer information about or be linked to an identified individual or a device linked to such individual.15
Publicly Available Data
The ICDPA does not apply to publicly available information.16 Publicly available information is information that17:
- is lawfully made available through government records, or
- a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information (unless the consumer restricted the information to a specific audience).
Pseudonymous Data
Pseudonymous data is data that cannot be attributed to a specific individual without the use of additional information that is maintained separately.18 Where the controller is able to demonstrate that any information necessary to identify the individual is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information, the controller is not required to grant the individual rights to access, deletion, or control over the individual’s data.19
Rights
Consumers have several rights under the ICDPA20:
- Right to Know,
- Right to Delete,
- Right to Opt-Out, and
- Right to Not Be Discriminated Against.
Right to Know
Consumers have the right to know whether a controller is processing their personal data and what personal data is being processed about them.21 This includes the right to obtain a copy of their data in a format that is portable such that the consumer can transmit the data to another controller.22
Additionally, this right is embodied in the various disclosures that businesses must make in their privacy notice. The notice must include23:
- the categories of personal data processed by the controller,
- the purpose for processing personal data,
- how consumers can exercise their rights,
- the categories of personal data that the controller shares with third parties,
- the categories of third parties with whom the controller shares personal data, and
- a disclosure of any activities involving the sale of personal data or the use of personal data for targeted advertising purposes.
Right to Delete
Consumers have the right to request that a controller delete any personal data provided by the consumer.24
Right to Opt Out
Consumers have the right to opt out of a controller processing their personal data for the purpose of targeted advertising, the sale of personal data, and the processing of sensitive data.25
Targeted advertising is when a controller displays advertisements to a consumer where the advertisements are selected based on the consumer’s personal data that has been obtained over time and from across nonaffiliated websites or online applications and is used to predict the consumer's preferences or interests.26 Targeted advertising does not include27:
- advertisements based on a consumer’s activities within a controller's own (or affiliated) websites or online applications,
- advertisements based on the context of a consumer's current search query or current visit to a website or online application,
- advertisements directed to a consumer in response to the consumer's request for information or feedback, and
- personal data processed solely for measuring or reporting advertising performance.
Sale of data occurs when a controller exchanges personal data with a third party for monetary consideration.28 Sale does not include29:
- disclosure of personal data to a processor that processes the personal data on behalf of the controller,
- disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer or the parent/legal guardian of a child,
- disclosure or transfer of personal data to an affiliate of the controller,
- disclosure of personal data that the consumer intentionally made available to the general public and did not restrict to a specific audience,
- disclosure or transfer of personal data when a consumer uses or directs a controller to intentionally disclose personal data or intentionally interact with one or more third parties, and
- disclosure of personal data as part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.
Sensitive data presents a greater risk of harm if misused or inappropriately disclosed to third parties. Accordingly, consumers have the right to opt out of the processing of sensitive data.30
Right to Not Be Discriminated Against
Consumers’ personal data may not be processed in violation of state and federal laws that prohibit unlawful discrimination.31 Consumers also have the right to not be discriminated against by a controller for exercising their consumer rights.32 A controller cannot deny goods or services, charge different prices or rates for goods or services, or provide a different level of quality of goods and services to the consumer because that consumer exercised their ICDPA rights.33
However, the ICDPA does not prevent a controller from offering different prices, rates, levels, qualities, or selections of goods or service if such difference is unrelated to the consumer’s assertion of their consumer rights.34
Exercising Rights
A consumer may exercise their rights to know, delete, or opt out under the ICDPA by submitting a request to the controller that specifies the right they wish to invoke.35
Within the controller’s privacy notice, the controller must describe one or more means by which a consumer can submit a request to exercise their consumer rights.36 This mechanism cannot require the creation of a new account to exercise the consumer’s rights.37
A controller must respond to the consumer’s request within 90 days of receipt and may request additional information needed to authenticate the consumer and their request.38 If reasonably necessary due to the complexity or quantity of consumer requests, the controller may extend their response period by 45 days so long as the controller notifies the consumer within the initial 90-day period of such extension and provides a reason for the extension.39
Furthermore, a controller must provide information in response to a consumer request free of charge, up to two times per year.40 If a consumer’s requests are unfounded, excessive, or repetitive, the controller may charge a reasonable administrative fee or refuse to act on the request.41 A controller may also refuse the request if they cannot reasonably authenticate the consumer.42
Controllers must establish an appeals process for a consumer to appeal any refusal by the controller to take action on a request.43
Enforcement
The Attorney General of Iowa has sole authority to enforce the provisions of the ICDPA.44 Prior to initiating an enforcement action, the Attorney General must provide the subject of their investigation with a written explanation of each allegation and an opportunity to cure the violation within 90 days.45 If the violation is not cured, penalties may include an injunction related to any violations and civil penalties of up to $7,500 per violation.46 Any money recovered from violations shall be deposited into the consumer education and litigation fund established under Iowa Code § 714.16C.47
Notes
1. Iowa Code § 715D.1(7).
2. Iowa Code § 715D.2(1).
3. Iowa Code § 715D.1.
4. Iowa Code § 715D.1(8).
5. Iowa Code § 715D.1(21).
6. Iowa Code § 715D.1(20).
7. Iowa Code § 715D.5(1)-(2).
8. Iowa Code § 715D.5(2).
9. Iowa Code § 715D.1(18).
10. Iowa Code § 715D.4(2).
11. Iowa Code § 715D.1(26).
12. Iowa Code § 715D.2(2).
13. Iowa Code § 715D.2(3).
14. Iowa Code § 715D.1(18).
15. Iowa Code § 715D.1(10).
16. Iowa Code § 715D.1(18).
17. Iowa Code § 715D.1(24).
18. Iowa Code § 715D.1(23).
19. Iowa Code § 715D.6(3).
20. Iowa Code §§ 715D.3(1), 715D.4(3).
21. Iowa Code § 715D.3(1)(a).
22. Iowa Code § 715D.3(1)(c).
23. Iowa Code § 715D.4(5).
24. Iowa Code § 715D.3(1)(b).
25. Iowa Code §§ 715D.3(1)(d), 715D.4(2),(6).
26. Iowa Code § 715D.1(28).
27. Iowa Code § 715D.1(28).
28. Iowa Code § 715D.1(25).
29. Iowa Code § 715D.1(25).
30. Iowa Code § 715D.4(2).
31. Iowa Code § 715D.4(3).
32. Id.
33. Id.
34. Id.
35. Iowa Code § 715D.3(1).
36. Iowa Code § 715D.4(7).
37. Id.
38. Iowa Code § 715D.3(2)(a).
39. Id.
40. Iowa Code § 715D.3(2)(c).
41. Id.
42. Iowa Code § 715D.3(2)(d).
43. Iowa Code § 715D.3(3).
44. Iowa Code § 715D.8(1).
45. Iowa Code § 715D.8(2).
46. Iowa Code § 715D.8(3).
47. Id.