Iowa Consumer Data Protection Act (ICDPA): Complete 2026 Compliance Guide
Iowa’s Business-Friendly Approach to Data Privacy
The Iowa Consumer Data Protection Act (ICDPA) took effect on January 1, 2025, after being signed into law on March 28, 2023. Iowa is widely recognized as having enacted the most business-friendly comprehensive state privacy law in the United States, offering fewer consumer rights, a longer cure period, and more flexibility for businesses than any other state privacy law.
If your company operates in Iowa or serves Iowa consumers, the ICDPA may apply to you — but its generous thresholds and enforcement provisions make compliance more straightforward than most state laws. Use our Privacy Law Calculator to check whether your business is covered.
Who Must Comply with the ICDPA?
The ICDPA applies to entities that conduct business in Iowa or produce products or services targeted to Iowa consumers, AND meet either of these thresholds:
- Control or process personal data of 100,000 or more Iowa consumers during a calendar year, OR
- Control or process personal data of 25,000 or more Iowa consumers AND derive over 50% of gross revenue from the sale of personal data
These thresholds use OR logic between the two tiers, meaning you only need to meet one of them to be covered. The 50% revenue requirement for the lower tier is the highest among all state privacy laws, significantly limiting which smaller businesses are subject to the law.
Exemptions
The ICDPA exempts several categories of entities and data types:
- Entity exemptions: Government bodies, financial institutions subject to GLBA, entities covered by HIPAA, nonprofit organizations, and institutions of higher education
- Data exemptions: Data governed by HIPAA, GLBA, FCRA, FERPA, DPPA, and certain employment and B2B contact data
Consumer Rights Under the ICDPA — The Most Limited Set
The ICDPA grants consumers fewer rights than any other state privacy law. Iowa residents have these rights:
- Right to confirm and access — Confirm whether a controller is processing their personal data and access that data
- Right to delete — Request deletion of personal data provided by the consumer
- Right to data portability — Obtain a copy of personal data in a portable, readily usable format
- Right to opt out — Opt out of the sale of personal data and targeted advertising
Critically, the ICDPA omits three rights found in other state privacy laws:
- Right to correction: consumers cannot request correction of inaccurate data
- Right to opt out of profiling: unlike most other state laws, there is no profiling opt-out
- Right to appeal: there is no mandated appeals process for denied consumer requests
Controllers must respond to consumer requests within 90 days (the longest response window among state privacy laws), with one 45-day extension if reasonably necessary.
Key Business Obligations
Privacy Notices
Controllers must provide a reasonably accessible, clear privacy notice that includes: categories of personal data processed, purposes of processing, how consumers can exercise their rights, categories of data shared with third parties, and categories of third parties with whom data is shared.
Sensitive Data Consent
Processing sensitive data requires the consumer’s opt-in consent. Sensitive data under the ICDPA includes: racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, and biometric data used for identification.
Data Processing Agreements
Controllers engaging data processors must establish written contracts governing: the nature and purpose of processing, the type of data subject to processing, the duration of processing, the rights and obligations of both parties, and requirements for confidentiality.
No Universal Opt-Out Requirement
The ICDPA does not require businesses to honor universal opt-out mechanisms such as Global Privacy Control (GPC). This is a significant distinction from states like California, Colorado, Connecticut, Montana, and Delaware. Check your GPC obligations across states with our GPC Compliance Checker.
No Data Protection Assessments
Unlike many state privacy laws, Iowa does not require controllers to conduct data protection impact assessments (DPIAs) for high-risk processing activities. This further reduces the compliance burden for Iowa-covered businesses.
Enforcement and Penalties
The Iowa Attorney General has exclusive enforcement authority under the ICDPA. There is no private right of action.
- Penalties: Up to $7,500 per violation
- Cure period: 90 days — the longest cure period of any state privacy law
The 90-day cure period is permanent (no sunset clause), providing businesses ample time to address any alleged violations before the AG can pursue enforcement action. By comparison, states like California, Colorado, and Delaware have eliminated their cure periods entirely. View enforcement trends on our Enforcement Tracker.
How Iowa Compares to Other State Privacy Laws
Iowa’s ICDPA stands apart from other state laws in multiple ways:
- Fewest consumer rights: No right to correction, no profiling opt-out, no appeal right — fewer rights than every other state
- Longest cure period: 90 days with no sunset vs. 60 days in Tennessee, 30 days in Nebraska and Indiana
- No GPC requirement: Businesses do not need to honor universal opt-out signals
- No DPIAs required: Unlike California, Colorado, Connecticut, Virginia, and most other states
- Highest data sale revenue threshold: 50% of gross revenue vs. 25% in most other states
- Longest response window: 90 days to respond to consumer requests vs. 45 days in most states
Use our State Comparison Tool for a detailed side-by-side comparison with other state laws.
6-Step ICDPA Compliance Plan
- Assess applicability — Determine if your business processes data of 100,000+ Iowa consumers, or 25,000+ Iowa consumers while deriving 50%+ of revenue from data sales. Use the Privacy Law Calculator for a multi-state assessment.
- Update your privacy notice — Ensure it covers all categories of data collected, processing purposes, consumer rights, and third-party sharing categories.
- Implement opt-out mechanisms — Provide clear methods for consumers to opt out of targeted advertising and the sale of personal data.
- Obtain consent for sensitive data — Ensure opt-in consent is collected before processing any sensitive data categories.
- Build consumer rights processes — Establish intake, verification, and fulfillment workflows for access, deletion, portability, and opt-out requests. Set up a 90-day response timeline.
- Review processor contracts — Ensure all data processor agreements include ICDPA-mandated provisions governing processing scope, confidentiality, and data return or deletion.
For a detailed walkthrough, visit our Iowa Compliance Checklist.
This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 28, 2026.
Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.