Iowa Consumer Data Protection Act
Known informally as the Consumer Data Protection Act, Iowa’s privacy law is based closely on its Virginia counterpart, with a few important distinctions. Here’s a quick introduction to its key features.
What Are the Key Obligations for Businesses?
The overarching requirements imposed by the Iowa Consumer Data Protection Act are similar to those of other state privacy laws. These obligations fall broadly into three categories:
- Data Minimization - Businesses must restrict their collection and use of personal data to what is necessary and proportionate to their purposes.
- Privacy Notices - Businesses must describe how they collect and use personal data by disclosing information such as the categories of personal data processed, the purposes for processing, and categories of third parties that receive that personal data.
- Privacy Rights - Consumers have a new set of privacy rights that translate into various privacy requests they can make to businesses.
What Privacy Rights Are Included?
Iowa consumers will now have the following privacy rights:
- Right to Access - Consumers can request access to any personal data a business has collected about them.
- Right to Delete - Upon request, businesses must delete any personal data they have collected about a consumer (subject to some important exceptions).
- Right to Opt Out - Businesses must allow consumers to opt out of targeted advertising, the processing of sensitive data, and the sale of their personal data.
- Right to Non-discrimination - Businesses may not discriminate against consumers who have exercised their privacy rights, such as by charging a different price or offering a different quality of service. However, there are broad exceptions for customer loyalty and rewards programs if a consumer exercises their right to opt out.
How Much Do Violations Cost?
Businesses face civil fines of up to $7,500 per violation.
Is There a Private Right of Action?
There is no private right of action for Iowa consumers, meaning they cannot sue businesses over violations.
How Is Iowa’s Privacy Law Different from Laws in Other States?
While most of the new generation of data privacy laws share many common features, none of them are identical. Iowa’s privacy law differs from those of other states in ways that are generally more permissive. These differences include:
- Opt-Outs for Sensitive Data - Before processing sensitive data such as protected characteristics, geolocation data, and personal data from children, Iowa’s law requires businesses to give notice and a chance to opt out. This is in contrast to the consent requirement in other laws.
- Data Protection Assessments - Iowa does not require businesses to complete a data protection assessment.
- Right to Correct - Iowa’s privacy law does not give consumers the right to correct inaccurate personal data.
- No Appeals Process - While other laws require that businesses offer consumers a way to appeal any denial of a privacy request, Iowa’s law has no such requirement.
This is far from a full list, but it gives a general idea of how the Iowa law differs from others.