Iowa became the sixth state to enact a comprehensive data privacy law, following in the footsteps of Connecticut, Utah, Virginia, Colorado, and California, when it formally passed this extensive privacy legislation on the 29th of March, 2023.
The bill was passed after an increasing demand for heightened data privacy protection, greater transparency, and more control over personal data.
In this article, we’ll discuss the ICDPA’s scope, applicability, and the essential steps your business should take to prepare for compliance.
- Iowa’s Consumer Data Protection Act is a state-level privacy legislation that will take effect on January 1, 2025.
- To comply with ICDPA, businesses must create privacy policies, enhance security, facilitate consumer opt-outs, and secure informed consent.
- Iowa’s Attorney General enforces ICDPA, applying penalties for violations. Compliance is important to safeguard consumer data and avoid legal consequences.
Table of Contents
What Is the Iowa Consumer Data Protection Act (ICDPA)?
The Iowa Consumer Data Protection Act (ICDPA) is a state-level data privacy law enacted to safeguard the rights and personal data of Iowa residents, requiring businesses to adhere to specific regulations regarding data handling and consumer privacy.
The roots of the Iowa Consumer Data Protection Act can be traced back to 2020 when Iowa’s legislature initially sought to address consumer data privacy. However, it wasn’t until March 28, 2023, that it was officially signed into law.
The legislation is scheduled to take effect on January 1, 2025, giving organizations 21 months to adapt to the new requirements.
Additionally, businesses must implement extensive security measures, allow consumers to opt out of data sales, secure consent before data processing, and process data without discrimination based on consumers’ data-related choices.
The law also emphasizes the establishment of clear data processing contracts between the controller and the processor that outline how personal data will be processed, including its purpose, type, and duration. These contracts should also define the rights and responsibilities of both parties.
The primary authority responsible for enforcing ICDPA is the Iowa Attorney General. This means the Attorney General has exclusive authority to investigate and take legal action against individuals or entities violating the law.
What Are the General Definitions of the ICDPA?
ICDPA outlined key terms that serve as the cornerstone for compliance with this law. Below is a concise breakdown of these essential terms:
- Consent: Consent means a clear, affirmative action showing a consumer’s voluntary, specific, informed, and unambiguous agreement to process their personal data. This agreement can take various forms, including a written statement or clear affirmative action.
- Consumer: A consumer in this law refers to an individual who lives in the state and uses services for personal or household purposes, excluding those acting in a business or employment context.
- Controller: A controller is an individual or an entity that decides why and how personal data is processed, either on their own or jointly with others.
- Processor: A processor is an entity or individual that processes personal data on behalf of a controller.
- Personal Data: Personal data is any information directly or reasonably linked to an identifiable natural person. This excludes aggregate data or publicly available information.
- Processing: Processing means any action or series of actions performed on personal data, manually or through automated methods. This includes collecting, using, storing, disclosing, analyzing, deleting, or modifying personal data.
- Sale of Data: Data sale involves exchanging personal data for money the controller facilitates with a third party.
- Pseudonymous Data: Data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and subject to appropriate technical and organizational safeguards
- Sensitive Data: Sensitive personal data includes information about race, religion, health, genetic or biometric data, sexual orientation, and more. It also covers data collected from known children and precise geolocation data.
These key terms and their precise definitions are the cornerstone for compliance with the Iowa data privacy law. Familiarizing oneself with these concepts is essential to navigate the intricacies of this legislation effectively.
Who Does the ICDPA Apply To?
The legislation’s primary focus is on entities engaged in business activities within the state of Iowa or those offering products or services to residents of Iowa. However, unlike other state privacy laws, the ICDPA does not impose a revenue threshold for applicability.
So, who does the ICDPA apply to? Here’s a comprehensive breakdown:
- Entities Operating in Iowa: The ICDPA encompasses entities conducting business operations within Iowa. If your organization operates from Iowa, this law is of direct relevance.
- Entities Targeting Iowa Consumers: The ICDPA extends its reach beyond its borders to entities that produce products or offer services aimed at Iowa residents. Even if your business is not physically located in Iowa but caters to its consumers, this law becomes applicable.
The ICDPA sets out specific thresholds for entities that control or process personal data to further specify its applicability. This includes entities that, during a calendar year, either:
- Control or process the personal data of a minimum of 100,000 Iowa residents.
- Control or process the personal data of at least 25,000 Iowa residents and derive over 50 percent of their gross revenue from the sale of personal data.
The sale of personal data refers to exchanging personal data for monetary consideration facilitated by your business to a third party. It’s important to note that this definition excludes certain scenarios. Exceptions include:
- Disclosure of personal data to a processor that processes the data on behalf of the controller.
- Disclosure of personal data to a third party to fulfill a product, consumer request, or a service to a child’s parent.
- Disclosure or transfer of personal data to an affiliate of the controller.
- Disclosure of information intentionally made public by the consumer through mass media without audience restrictions.
- Disclosure or transfer of personal data at the direction of the consumer or as part of the consumer’s interaction with third parties.
- Disclosure or transfer of personal data to a third party as part of a proposed or completed merger, acquisition, bankruptcy, or similar transaction where the third party assumes control of some or all of the controller’s assets.
ICDPA distinguishes itself from other state legislations, like the Utah Consumer Privacy Act and the California Consumer Privacy Act.
They both have revenue thresholds in their data privacy laws. Iowa’s approach is more inclusive, encompassing businesses of all sizes that meet the specified criteria. This means that regardless of your organization’s size, compliance with the ICDPA is essential if you fall within these parameters.
Exemptions Under the Iowa Consumer Data Privacy Act (ICDPA)
While the ICDPA establishes extensive privacy regulations, there are exceptions for certain entities and data types that fall outside the purview of the ICDPA. Here’s a closer look at the exclusions:
- Government Entities: The ICDPA does not apply to government entities, ensuring that government operations and data management remain governed by separate regulations.
- Nonprofit Organizations: Nonprofit organizations are exempt from the ICDPA’s obligations, acknowledging their distinct operational context and objectives.
- HIPAA-Covered Entities and Business Associates: Entities regulated by the Health Insurance Portability and Accountability Act (HIPAA) and their business associates are not subject to the ICDPA. HIPAA already imposes stringent data privacy and security requirements on healthcare-related data.
- Higher Educational Institutions: Public and private institutions are exempt, recognizing the complexities of managing data in an educational setting.
- Gramm-Leach-Bliley Act-Regulated Entities: Entities regulated under the Gramm-Leach-Bliley Act, which primarily addresses financial institutions and their handling of personal financial information, are also excluded from ICDPA obligations.
Additionally, specific categories of data are exempt from ICDPA provisions, including:
- Health Records: Personal data related to health records is exempted, as it falls under the purview of other comprehensive healthcare data protection laws.
- Scientific Research Data: Data used for scientific research is exempt, encouraging innovation and research endeavors.
- Consumer Credit-Reporting Data: Data governed by the Fair Credit Reporting Act (FCRA) and used for consumer credit reporting is not subject to the ICDPA.
- Family Educational Rights and Privacy Act (FERPA) Data: Data covered by FERPA, which safeguards educational records, maintains its separate regulatory framework.
- Federal Farm Credit Act Data: Data regulated by the Federal Farm Credit Act, primarily related to agricultural credit, is outside the scope of the ICDPA.
- Employment-Related Information: Certain employment-related information is also exempted from ICDPA provisions.
What Are the Data Subject Rights Under the ICDPA?
The Iowa Consumer Data Privacy Act strongly emphasizes safeguarding consumers’ rights and interests concerning their personal data by granting them these fundamental rights:
- Right to Access: This essential right enables consumers to inquire and confirm whether your business processes their personal information. Moreover, they are entitled to access and review your business’s specific personal data about them.
- Right to Delete: Consumers possess the right to request the deletion of the personal data they have provided to your business.
- Right to Data Portability: Consumers also have the right to obtain a copy of the personal data provided to the controller. However, this right is subject to certain conditions. For instance, it does not apply when the data is subject to security breach protection or has already been provided to the consumer in a portable and readily usable format.
- Right to Opt Out of Sales: ICDPA grants consumers the right to opt out of selling their personal data. The law also specifies that opt-out rights do not apply to pseudonymous data.
Consumers can exercise these rights by submitting a request specifying their rights. Your organization, in turn, must respond within 90 days of receiving the request.
In complex or high-volume situations, the controller may extend this period by 45 days after notifying the consumer. This provision allows flexibility while ensuring consumers’ rights are upheld effectively and responsibly.
How Can Businesses Comply With the ICDPA?
To ensure compliance with the Iowa Consumer Data Privacy Act, businesses must undertake important measures. These steps are essential for ICDPA compliance, protection of consumer data, and upholding citizen rights.
- The categories of personal data processed.
- The purpose for processing personal data.
- Information on how consumers may exercise their rights, including the process for appealing your business decision.
- The categories of personal data shared with third parties, if any.
- The categories of third parties, if any, with whom your business shares personal data.
2. Implement Reasonable Security Measures
Businesses must adopt and enforce strong administrative, technical, and physical data security practices. These measures must safeguard the confidentiality, integrity, and accessibility of personal data. The level of security should be commensurate with the volume and nature of the data being processed.
These practices protect the personal data you handle, ensuring that it remains shielded from unauthorized access, breaches, and tampering.
One of the primary objectives of these security practices is to safeguard:
- Data Confidentiality: Only authorized individuals, such as employees with legitimate access rights, should be able to view and utilize this data.
- Data Integrity: Involves preventing any unauthorized alterations, deletions, or modifications to personal data.
- Data Accessibility: Data security practices should also help ensure that data remains accessible to those with proper permissions while keeping it safe from unauthorized access.
Recognizing that not all data is equal, the ICDPA significantly emphasizes proportionality regarding security measures. Businesses are expected to customize their security practices according to the following criteria:
- Volume of Data: The amount of personal data a business processes varies widely. Some businesses may handle large volumes of data, while others may deal with relatively small datasets. For instance, businesses processing extensive datasets may require advanced data protection systems and sophisticated access controls, while those with smaller datasets may implement more streamlined security measures.
- Nature of Data: Highly sensitive personal data, such as financial records or healthcare information, demands stringent security measures. In contrast, less sensitive data may require a more moderate level of protection. Your business must align its security practices with the sensitivity and criticality of the data it handles.
3. Facilitate Consumer Opt-Out of Data Sales
Businesses must empower consumers by offering a straightforward and easily accessible means to opt out of selling their personal data.
It’s important to understand that the ICDPA’s definition of “sale” extends beyond direct monetary transactions. It includes any exchange of personal data for monetary consideration.
Therefore, businesses need to be vigilant in recognizing various forms of data sales, such as sharing consumer data with third parties in exchange for financial gain.
- Clear and Accessible Opt-Out Mechanisms: Your business must prioritize creating and maintaining user-friendly opt-out mechanisms. These mechanisms should be clear, readily accessible, and easy for consumers to ensure consumers can opt-out without encountering unnecessary barriers or complexities.
- Transparent Disclosure: ICDPA mandates transparency in disclosing data sales activities. This transparency encompasses not only the fact that data sales occur but also how these activities are conducted. You should clearly and conspicuously inform consumers about data sales within its privacy policies and privacy notices.
4. Secure Consent Before Data Processing
Securing consent is a cornerstone of ICDPA compliance, and it strongly emphasizes respecting consumer autonomy and choice. Under the ICDPA, businesses are mandated to secure consent from consumers before engaging in any personal data processing activities, and this consent should be:
- Clear and Informed: Consumers should comprehensively understand what they are consenting to. You should provide consumers with transparent information about the purposes of data processing, the types of data involved, and how their data will be used in a way free from ambiguity or hidden clauses.
- Freely Given: ICDPA emphasizes that consent must be freely given, meaning that consumers should not feel pressured into granting consent. You should avoid any practices that could potentially manipulate consumers into providing consent. Consent should be a genuine choice made by the consumer without external influence.
- Specific to Intended Processing Activities: Consent should be specific and tied directly to the intended data processing activities. Generic or overly broad consent statements are not compliant with ICDPA. You should seek separate consent for distinct processing purposes. For example, if a business intends to use consumer data for marketing and customer support, separate consent should be obtained for each purpose.
Consumers also have the right to withdraw their consent at any time.
ICDPA mandates that businesses provide consumers with an equally accessible and straightforward mechanism to revoke their consent as the one used to grant it. You must promptly honor withdrawal requests and cease the processing activities for which consent was withdrawn.
For children under 13 years of age, businesses must process the data in line with the protection of minors’ privacy rights, which is known as the Children’s Online Privacy Protection Act (COPPA)
PRO TIP: Consent should not be a one-time event. Businesses should periodically review and refresh consent, particularly if there are significant changes to data processing practices or the original consent has expired.
5. Conduct Data Processing Without Discrimination
Under ICDPA, businesses are bound by a fundamental principle: non-discrimination. This principle prohibits businesses from treating consumers unfairly based on their data-related choices. Discrimination, in this context, covers various aspects of consumer-business interactions.
Firstly, businesses are barred from denying goods or services to consumers simply because they exercise their data rights. Additionally, ICDPA mandates uniform pricing and service quality, ensuring that consumers are not charged differently or provided with varying levels of service based on their data privacy preferences.
6. Develop Clear Data Processing Contracts
Businesses are entrusted with the responsibility of developing comprehensive data processing contracts when engaging the services of data processors.
Contracts between data controllers and processors must be meticulously drafted to govern data processing procedures. Contracts between data controllers and processors must leave no room for ambiguity. This clarity ensures that all parties involved precisely understand their responsibilities.
Here are key aspects of developing clear data processing contracts:
- Rights and Duties Clarification: ICDPA mandates that data processing contracts clearly articulate the rights and duties of both the data controller and the data processor. This includes stipulating the processor’s obligations to maintain the data’s confidentiality, promptly delete or return data at the controller’s request, and cooperate fully in audits to demonstrate compliance with ICDPA.
- Data Security and Confidentiality: A fundamental aspect of data processing contracts is the commitment to data security and confidentiality. Processors must uphold the utmost confidentiality regarding the data they handle, including implementing robust security measures to protect data integrity and prevent unauthorized access.
- Subcontractor Engagement: In some cases, data processors may engage subcontractors or agents to assist in data processing. Data processing contracts should extend their obligations to these subcontractors, ensuring that all parties involved are aligned with ICDPA requirements.
- Liability and Compliance: It’s essential to emphasize that these contracts do not absolve the data controller or the data processor from their liabilities as defined by ICDPA. Both parties remain accountable for their roles in the data-processing relationship.
7. Conduct Employee Training
Adequate training and awareness programs must be established for employees involved in data processing. Employees should understand their responsibilities in protecting personal data and ensuring compliance with ICDPA.
Businesses must diligently follow these steps to adhere to ICDPA and build trust with consumers by respecting their privacy rights and ensuring the security of their personal data.
Who Enforces the ICDPA?
The Iowa Consumer Data Privacy Act is enforced primarily by the Attorney General of Iowa, who possesses exclusive authority to ensure compliance with the provisions of this data privacy legislation. The enforcement mechanisms within the ICDPA are designed to uphold consumer rights, data protection, and privacy standards.
When there is reasonable cause to believe that an individual or entity has violated or is on the verge of violating the ICDPA, the Attorney General is authorized to issue a civil investigative demand, a tool that allows them to conduct investigations and inquiries into potential violations.
It is important to clarify that the ICDPA does not grant individuals a basis for initiating private legal actions against alleged violators of the act. Enforcement is exclusively vested in the hands of the Attorney General.
What Are the Penalties for Violating the ICDPA?
The ICDPA has a comprehensive system of penalties designed to uphold compliance with its data privacy regulations. These penalties serve as a deterrent against violations and emphasize the significance of safeguarding consumer data. Here’s an overview of the penalties under the ICDPA:
- Civil Penalties: The ICDPA authorizes the Attorney General of Iowa to seek civil penalties in cases of non-compliance. The legislation sets a maximum civil penalty of $7,500 for each violation, providing a substantial financial incentive for businesses and entities to adhere to the data privacy regulations outlined in the ICDPA.
- Enforcement by the Attorney General: In instances where there is reasonable cause to believe that an individual or entity has violated the ICDPA, the Attorney General can initiate legal action. This action may involve seeking injunctive relief to halt ongoing violations and imposing civil penalties.
- Notice and Opportunity to Cure: The Attorney General must provide a written notice to the entity suspected of violating the act before commencing legal action. This notice outlines the specific provisions of the ICDPA allegedly violated, granting the entity 90 days to rectify these violations, and if they successfully remedy the issues and provide an express written statement to the Attorney General confirming compliance, no legal action will be initiated against them.
- Consumer Education and Litigation Fund: Funds collected through civil penalties, costs, attorney fees, or other designated sources are directed to the consumer education and litigation fund. This fund supports educational initiatives and litigation on consumer rights and data privacy.
How Does the ICDPA Compare to Other Data Privacy Laws?
The Iowa Consumer Data Privacy Act finds its place among other prominent data privacy laws worldwide, each with its unique features and approaches
Compared to the California Privacy Rights Act (CCPA), the ICDPA shares commonalities in granting consumers rights over their data, including access, deletion, and the right to opt out of data sales. However, the ICDPA distinguishes itself by not imposing revenue thresholds for compliance, applying to a broader spectrum of businesses, and having a distinct approach to pseudonymous data.
When viewed against the European General Data Protection Regulation (GDPR), the ICDPA is more sectoral and applies only within Iowa, whereas the GDPR has a broader geographical scope and encompasses various industries across the European Union.
GDPR is renowned for its comprehensive framework and adherence to key principles such as data minimization, purpose limitation, and accountability. GDPR also imposes stringent requirements on data protection officers and international data transfers, making it one of the most robust data privacy laws globally.
Finally, in contrast to the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, the ICDPA is more granular in defining sensitive data categories, albeit narrower in its jurisdiction. Canada’s Consumer Privacy Law extends its reach to federal works, undertakings, and businesses, offering more comprehensive coverage in certain aspects.
Frequently Asked Questions
What is the Iowa Consumer Data Protection Act (ICDPA)?
ICDPA is Iowa’s comprehensive data privacy legislation aimed at enhancing data protection and consumer rights in the state.
Who does ICPDA apply to?
ICDPA applies to individuals and entities that process personal data in Iowa, including businesses, organizations, and public entities, regardless of their size or sector.
Does ICPDA apply to businesses outside of Iowa?
Yes, ICDPA applies to businesses outside Iowa if they process the personal data of individuals in Iowa, irrespective of their geographical location.
Who enforces compliance with ICDPA?
ICDPA is enforced by the Iowa Attorney General, who has the exclusive authority to ensure compliance with the law.
What are the penalties for violating ICDPA?
Violations of ICDPA can result in civil penalties of up to $7,500 per violation. The Attorney General can also seek injunctive relief to prevent further violations.