Why is the ICDPA considered the most business-friendly state privacy law?

The ICDPA provides the fewest consumer rights (no correction, no profiling opt-out, no appeal right), has the longest cure period at 90 days, and does not require universal opt-out signal recognition.

Who does the ICDPA apply to?

The ICDPA applies to entities conducting business in Iowa or targeting Iowa consumers that process data of 100,000+ consumers, or 25,000+ consumers while deriving 50%+ of revenue from data sales.

Iowa Privacy Law

Q: What are the penalties under the ICDPA?

Penalties are up to $7,500 per violation, enforced exclusively by the Iowa Attorney General. There is no private right of action.

Iowa Consumer Data Protection Act

Effective: January 1, 2025Active

Overview

The Iowa Consumer Data Protection Act (ICDPA) was signed into law on March 28, 2023, and became effective on January 1, 2025. Iowa's privacy law is widely considered the most business-friendly comprehensive state privacy law, providing fewer consumer rights and more flexibility for businesses than nearly all other state privacy laws. The ICDPA grants Iowa consumers limited rights, including the right to access, delete, and obtain a portable copy of their personal data, and the right to opt out of the sale of personal data and targeted advertising. Notably, the ICDPA does not include a right to correction, a right to opt out of profiling, or an appeals process for denied consumer requests, making it the most limited state privacy law in terms of consumer protections. The law applies to entities conducting business in Iowa or targeting Iowa consumers that control or process personal data of 100,000 or more consumers, or process personal data of 25,000 or more consumers while deriving over 50% of gross revenue from the sale of personal data. The ICDPA provides a generous 90-day cure period — the longest among state privacy laws — and penalties of up to $7,500 per violation, enforced exclusively by the Iowa Attorney General.

Applicability Thresholds

Conditions are joined by OR — meeting ANY one triggers applicability.

100,000+

Iowa consumers' data processed

25,000+ consumers

AND 50%+ revenue from data sales

Consumer Rights

Right to Access

Right to Delete

Right to Correct

Data Portability

Opt-Out of Sale

Opt-Out of Targeted Ads

Opt-Out of Profiling

Limit Sensitive Data Use

Right to Appeal

Private Right of Action

Key Changes in 2025-2026

Law became effective January 1, 2025 — first full year of enforcement in 2025-2026
Iowa AG developing enforcement priorities and compliance guidance
The 90-day cure period remains in effect with no sunset provision
Monitoring potential amendments as Iowa evaluates early enforcement experience

Enforcement Details

Enforced By

Iowa Attorney General

Penalty Per Violation

$7,500

Cure Period

90 days

Private Right of Action

No — AG enforcement only

Sensitive Data Categories

Consent model: opt-in

Racial or ethnic originReligious beliefsMental or physical health diagnosisSexual orientationCitizenship or immigration statusBiometric data for identification

Universal Opt-Out / GPC Requirements

No Universal Opt-Out Requirement

The ICDPA does not require businesses to honor universal opt-out mechanisms such as GPC. Iowa took the most business-friendly approach to consumer privacy legislation.

Minor / Child Protections

The ICDPA requires opt-in consent before processing sensitive personal data of known children under 13, consistent with COPPA. There are no additional specific protections for teens aged 13-17 beyond what is required under federal law.

Compliance Checklist

1Determine whether your organization meets the ICDPA applicability thresholds for Iowa consumer data
2Update privacy notices to include ICDPA-required disclosures about data processing and consumer rights
3Implement opt-out mechanisms for the sale of personal data and targeted advertising
4Obtain opt-in consent for processing sensitive personal data categories
5Establish processes to respond to consumer rights requests within the 90-day response window
6Review data processing contracts with processors to ensure ICDPA compliance

Iowa Privacy Law FAQ

Official Resources

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.