Complying with the Iowa Consumer Data Protection Act (ICDPA): A Guide for Organizations
Iowa is known for being a leading producer of corn, soybeans, pork, and eggs and is often called the “Food Capital of the World,” but you can now add data privacy legislation to what Iowa has produced.
The Iowa Consumer Data Protection Act (ICDPA), signed into law in March 2023, marks Iowa’s entry into the growing list of U.S. states enacting comprehensive data privacy regulations. The ICDPA closely resembles privacy laws like the Virginia Consumer Data Protection Act (VCDPA) and Utah’s Consumer Privacy Act (UCPA), creating a framework that ensures transparency and gives Iowa residents control over their personal data.
Understanding and adhering to the ICDPA is crucial for organizations operating in Iowa or serving Iowa residents to avoid penalties and foster consumer trust.
Key Features of the Iowa Consumer Data Protection Act
1. Scope & Application of the Law
The ICDPA applies to organizations that:
- Conduct business in Iowa or produce products or services targeted at Iowa residents.
- Meet at least one of the following thresholds:
  - Control or process the personal data of 100,000 or more consumers annually.
  - Derive 50% or more of gross revenue from the sale of personal data and process the personal data of at least 25,000 consumers.
Exemptions include:
- Government agencies.
- Entities already governed by other federal privacy laws such as HIPAA, GLBA, or FERPA.
- Nonprofits and institutions of higher education.
2. Consumer Data Rights
ICDPA provides similar data rights to other state consumer privacy laws, defining a consumer as an individual residing in Iowa and acting solely in a personal capacity, excluding those acting in employment or commercial contexts. The ICDPA grants Iowa residents robust rights to control their personal data, including:
- Right to Access: Consumers can request access to their personal data held by organizations.
- Right to Delete: Consumers can request the deletion of their personal data.
- Right to Data Portability: Consumers can obtain their data in a portable and usable format.
- Right to Opt-Out: Consumers can opt out of the processing of personal data for targeted advertising, data sales, or profiling that produces significant legal or similar effects.
Organizations must respond to consumer rights requests within 90 days, with an optional 45-day extension if necessary.
3. Obligations for Organizations
Transparency and Privacy Notices
Organizations must provide clear and concise privacy notices that include:
- Categories of personal data processed.
- Purposes for data collection and use.
- Information about consumer rights and how to exercise them.
- Whether personal data is sold or shared and how consumers can opt out.
Consent for Processing Sensitive Data
Explicit consumer consent is required for processing sensitive data, which includes:
- Racial or ethnic origin.
- Religious beliefs.
- Genetic or biometric data for identification purposes.
- Data concerning health or sexual orientation.
Data Minimization and Purpose Limitation
Organizations may only collect and retain personal data that is strictly necessary for specific, disclosed purposes. Processing personal data for unrelated purposes requires explicit consent from consumers.
Security Requirements
The ICDPA mandates the implementation of reasonable technical, administrative, and physical measures to secure personal data against breach, loss, or unauthorized access.
Processor Contracts
Organizations that share data with third-party processors must establish contracts to ensure processors adhere to ICDPA requirements.
Enforcement & Penalties for ICDPA Non-Compliance
Non-compliance with the ICDPA can result in significant penalties, including fines of up to $7,500 per violation. The Iowa Attorney General enforces the law and can impose fines on non-compliant businesses, but businesses are given a “cure period” to address violations before any legal action is taken.
Steps to Achieve Compliance with the ICDPA
1. Conduct a Data Inventory and Mapping Exercise
Identify and map all personal data collected, processed, or stored within your organization. Understand the lifecycle of this data, from collection to deletion, to ensure compliance with data minimization and purpose limitation requirements.
2. Update Privacy Notices
Revise your privacy policies and notices to include all required disclosures under the ICDPA. Ensure they are easily accessible, written in clear language, and provide instructions for exercising consumer rights.
3. Implement a Consumer Rights Management Process
Set up a streamlined process for receiving, verifying, and responding to consumer data rights requests. Leverage automation tools to meet the 90-day response deadline efficiently.
4. Assess and Minimize Data Collection Practices
Adopt data minimization practices by limiting data collection to what is strictly necessary for your disclosed purposes. Organizations should also periodically audit data to delete unnecessary or outdated information.
5. Strengthen Data Security Practices
Ensure your organization employs state-of-the-art security measures, such as encryption, security audits, vulnerability assessments, and access controls based on the principle of least privilege.
6. Review Contracts with Processors
Audit agreements with third-party processors to ensure compliance with the ICDPA. Include provisions that require processors to protect personal data, delete data upon request, and provide immediate notification in the event of a data breach.
7. Train Employees
Educate employees, especially those in customer-facing roles or data management, about the requirements of the ICDPA and their responsibilities. Include guidance on handling consumer rights requests and avoiding dark patterns.
How BigID Can Help Organizations Achieve ICDPA Compliance
BigID provides organizations with the technology to streamline their data privacy, security, compliance, and AI data management practices. From advanced data discovery to automated data rights management, BigID’s capabilities align closely with the ICDPA’s requirements, enabling organizations to:
- Discover and classify all personal and sensitive data across structured and unstructured environments to build an inventory, map data flows, and gain complete visibility.
- Remediate policy-based risk with controls and workflows to take action on ICDPA requirements.
- Automate response to consumer rights requests, preferences, and consent, including opting out of data selling, targeted advertising, and user profiling.
- Apply data minimization practices by identifying, categorizing, and deleting unnecessary or excessive personal data to efficiently manage the data lifecycle.
- Automate data protection controls to enforce data access and other security measures, which are crucial to safeguarding data and complying with ICDPA.
Schedule a 1:1 demo to see how BigID can accelerate ICDPA compliance.