An Overview of Iowa Consumer Data Protection Act (ICDPA)

Summary

The Iowa Consumer Data Protection Act (ICDPA), enacted on March 28, 2023, establishes consumer rights, business obligations, and compliance requirements for companies handling personal data in Iowa. It grants consumers rights like data access, deletion, and opt-out of data sales but lacks correction rights and profiling regulations.

To comply, businesses must revise their privacy policies, implement consent management, and adhere to enforcement from the Iowa Attorney General—with fines of up to $7,500 per violation. Compliance platforms like WP Legal Pages can simplify this process.

The Iowa Consumer Data Protection Act (ICDPA) is the latest addition to the growing list of U.S. state-level privacy laws.

Iowa has passed its own consumer data privacy law, becoming the sixth U.S. state to do so—following California, Colorado, Utah, Connecticut, and Virginia. The Iowa House and Senate unanimously passed the Iowa Consumer Data Protection Act (ICDPA).

“In today’s online era, it is more important than ever to assert clearly that consumers have the right to reasonable transparency and control over their data,” Reynolds stated in a press release.

This article explores ICDPA’s key features, how it differs from other state privacy laws, and what businesses need to do to stay compliant.

What is the Iowa Consumer Data Protection Act (ICDPA)

ICDPA, the sixth US privacy law, was signed on March 28, 2023. The law establishes consumer rights, business obligations, notice requirements, and other related provisions. Although it is similar to other US privacy laws, there are significant differences in the response and cure periods.

Unlike other privacy laws, the ICDPA does not provide special protections for ‘sensitive data’ such as racial or health information, which are commonly regulated more strictly in other states.

Unlike global standards that typically require opt-in for sensitive data, the ICDPA permits businesses to rely on opt-out mechanisms—marking a significant difference.

Notably, ICDPA has no right to correct. Unlike most US privacy laws, it also doesn’t use the terms profiling or data protection assessments.

The enforcement of the act is the responsibility of the Iowa Attorney General, who imposes fines for each violation.

Key Terms and Definitions of Iowa CDPA

The key terms are defined in Section 1, 715D.1 of the new Iowa data privacy law.

An understanding of these definitions is key for compliance with the requirements of the new law; thus, we set out here the key terms exactly as they are stated in the law:

  • Consent: Any clear affirmative act establishing a consumer’s freely given, specific, informed, and unambiguous agreement to the processing of personal data relating to the consumer. Consent may be given by a written statement, including one given by electronic means, or by any other unambiguous affirmative action.
  • Consumer: A natural person who is a resident of the state and is acting only in an individual or household context. It excludes a person acting in a commercial or employment context.
  • Controller: A natural or legal person who, alone or jointly with others, determines the purposes and means of processing personal data.
  • Personal data: Any information linked or reasonably linkable to an identifiable natural person. De-identified data, aggregate data, and publicly available information are excluded from this definition.
  • Processing: Any operation or set of operations performed, whether by manual or automated means, on personal data or sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
  • Processor: Any person who processes personal data on behalf of a controller.
  • Sale of data: The transfer of personal data by a controller to a third party in exchange for monetary consideration. It does not include:
    • Disclosing personal data to third-party service providers involved in delivering a product or service requested by the consumer or their child;
    • The disclosure or transfer of personal data to an affiliate of the controller;
    • The disclosure of information that the consumer intentionally made available to the general public through a mass media channel without restricting it to a specific audience;
    • The disclosure or transfer of personal data when the consumer uses or specifically directs the controller to disclose the personal data or intentionally interacts with one or more third parties;
    • The disclosure or transfer of personal data to a third party in connection with an actual or proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.
  • Sensitive data: Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data; personal data collected from a known child; and precise geolocation data.

Who Must Comply With the Iowa Data Privacy Act?

The law applies to any business operating in Iowa or targeting its residents with products or services, provided it meets one of the following thresholds in a calendar year:

• It controls or processes the personal data of 100,000 or more consumers.
• It controls or processes the personal data of at least 25,000 consumers and derives more than 50% of its gross annual revenue from the sale of personal data.

What Are the Consumer Rights Under ICDPA Law

Under the Iowa Consumer Data Protection Act (ICDPA), consumers can exercise the following five rights:

• Right to verify: Consumers can confirm whether a business is processing their personal data.
• Right to access: Consumers can access the personal data the business processes about them.
• Right to erase: Consumers can ask a business to delete the personal data they themselves provided. By contrast, most US privacy laws let consumers delete their data regardless of its source.
• Right to portability: Consumers can obtain a copy of their data in a portable and readily usable format. This right is limited to:
  • Personal data that the consumer provided directly.
  • Personal data that falls outside the scope of a defined security breach.
• Right to opt-out: Consumers can opt out of the sale of their personal data. The law does not explicitly grant a right to opt out of targeted advertising, but companies may still be required to offer such an opt-out.

The law requires companies to disclose how consumers can exercise the right to opt out of targeted advertising. Companies that use cookies to collect personal data for targeted advertising must also disclose this to consumers and give them the ability to opt out of that processing.

How Businesses Can Comply With ICDPA Regulations

To comply with ICDPA requirements, businesses should take the following steps:

1. Update Privacy Policy

Companies affected by Iowa’s new data privacy law should revise their privacy policies to meet all of the law’s requirements.

2. Implement a Consent Management Platform

Businesses should also implement a Consent Management Platform (CMP) with a proper consent banner and preference center. This lets users exercise their privacy rights by opting out of data sales and ad tracking.

3. Provide a Data Subject Access Request Form

Providing a Data Subject Access Request (DSAR) form on your website lets users exercise their rights and contest decisions made by the data controller.

4. Create Data Processing Agreements

If a company relies on any third party to process personal data, it needs a Data Processing Agreement (DPA) containing all the clauses required by the Iowa CDPA.

ICDPA Penalties and Fines for Non-Compliance

The State of Iowa grants the Attorney General the authority to enforce the ICDPA. Failure to comply can result in significant penalties for each violation.

The law sets a maximum penalty of $7,500 per violation. The Attorney General can also seek a restraining order against violators.

Companies have 90 days to cure a violation. Once the violation is cured, the company must notify the Attorney General in writing. Legal action will be taken if the violation is not cured within that timeframe.

The Attorney General can also take legal action if the company breaches the written statement it provided confirming that the violation was cured.

The Attorney General will put the money collected for violations into the consumer education and litigation fund.

WP Legal Pages Compliance Platform offers an all-in-one solution for legal policies and cookie consent, helping website owners stay compliant effortlessly.

WP Legal Pages Compliance Platform’s Privacy Policy Generator and Consent Management can assist companies in complying with the Iowa CDPA.

The privacy policy generator asks basic questions about your company and its data collection practices, and it uses those responses to create a complete, customized privacy policy.


Below is an example of what the privacy policy generator is like:

(Screenshots: Privacy Policy Step 1 and Step 2)

You can also use WP Cookie Consent’s Consent Management Platform. It is compliant with the Iowa CDPA’s consumer opt-out requirements for targeted advertising and the sale of personal data.


Below is a screenshot of the opt-out feature for your reference, highlighting how WP Cookie Consent’s platform allows users to manage their preferences in line with the Iowa CDPA requirements.

(Screenshot: opt-out requirement for Iowa law)

FAQ

1. What is ICDPA Law?

The Iowa Consumer Data Protection Act (ICDPA) is a data privacy law in Iowa, United States. It ensures data privacy and security and protects consumer safety online.

2. To whom does the Iowa law apply?

The Iowa Data Protection Law (ICDPA) applies to any for-profit business in Iowa that collects or uses customers’ data online or sells products or services to Iowa residents.

3. What are the Penalties for Non-Compliance with the ICDPA?

Non-compliance with ICDPA requirements results in penalties and fines of up to $7,500 per violation. The business is also given a cure period to review and rectify the violation before legal action is taken against it.

4. How Can Businesses Comply With the Iowa Consumer Data Protection Act?

To comply with the Iowa Consumer Data Protection Act, you need a privacy policy on your website that explains how you collect and use the data of Iowa residents. In addition, your website should have a cookie consent banner informing users about cookies. You can use the WP Legal Pages Compliance Platform to comply with the law.

Conclusion

Ensure compliance with the Iowa Consumer Data Protection Act by fulfilling all of its requirements responsibly.

To ensure your business complies with ICDPA, you must update or create your privacy policy and give visitors opt-out options for sensitive personal information, targeted advertising, and the sale of personal data.

Your business can simplify compliance by combining tools such as the privacy policy generator and consent management in one unified platform, the WP Legal Pages Compliance Platform.

Are you looking to comply with ICDPA? Then grab the WP Legal Pages Compliance Platform for quick solutions!