Iowa Consumer Data Protection Act: A Guide for Small Business Owners
Understand Iowa's ICDPA privacy law: applicability thresholds, consumer rights, enforcement, and compliance steps for small businesses effective Jan 2025.
Last updated: 2026-02-08
Iowa became the sixth state to enact a comprehensive consumer data privacy law when Governor Kim Reynolds signed Senate File 262 on March 28, 2023. The Iowa Consumer Data Protection Act (ICDPA) took effect on January 1, 2025, and it brings a new set of privacy requirements to businesses that handle data from Iowa residents. But there is an important distinction: the ICDPA is notably narrower than the privacy laws in most other states, making it one of the more business-friendly frameworks in the country.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the Iowa Consumer Data Protection Act (Iowa Code ch. 715D), as of the date of publication.
If you are a small business owner wondering whether this law affects you -- and what you actually need to do about it -- this guide covers the essentials without the legal jargon. For context on how Iowa fits into the broader landscape, see our multi-jurisdiction compliance guide.
Does This Law Apply to Your Business?
The ICDPA applies to businesses that conduct business in Iowa or produce products or services targeted at Iowa consumers and meet at least one of the following thresholds during a calendar year:
- Control or process the personal data of 100,000 or more Iowa consumers.
- Control or process the personal data of at least 25,000 Iowa consumers and derive more than 50% of gross revenue from the sale of personal data.
These thresholds are identical to those in Virginia's VCDPA and several other state privacy laws. But there is a critical detail: the term "consumers" under the ICDPA refers to Iowa residents acting in an individual or household context. It does not cover employees or B2B contacts.
Example: A regional retailer based in Nebraska operates an online store that ships to Iowa. Over the past year, 115,000 unique Iowa residents have created accounts or made purchases. The retailer meets the 100,000-consumer threshold and must comply with the ICDPA, even though it is not based in Iowa.
Example: A small data broker based in Des Moines processes personal data on 30,000 Iowa consumers and earns 55% of its revenue from selling that data. It meets the second threshold and is covered.
Exemptions. The ICDPA exempts government entities, nonprofits, higher education institutions, and entities or data subject to HIPAA, GLBA, FCRA, FERPA, the Driver's Privacy Protection Act, and the Farm Credit Act. Employee data and B2B contact data are excluded from the definition of "consumer."
One notable exemption: the ICDPA also exempts data processed for certain insurance-related purposes governed by Iowa insurance law.
What Rights Do Consumers Have?
This is where the ICDPA diverges from most other state privacy laws. Iowa provides a narrower set of consumer rights than states like Virginia, Colorado, or Connecticut. Most significantly, the ICDPA does not include a right to correction and does not include a right to opt out of profiling.
Right to Access. Consumers can confirm whether a business is processing their personal data and obtain access to that data.
Right to Deletion. Consumers can request deletion of personal data they provided to the business. This is narrower than Virginia's deletion right, which also reaches data the business obtained about the consumer from other sources.
Right to Data Portability. Consumers can obtain a copy of their data in a portable, readily usable format that allows transfer to another entity.
Right to Opt Out of Sale. Consumers can direct a business to stop selling their personal data.
Right to Opt Out of Targeted Advertising. Consumers can opt out of the processing of personal data for purposes of targeted advertising.
| Right | Granted? | Notes |
|---|---|---|
| Access | ✅ | Confirm processing and access personal data |
| Correction | ❌ | Not included in the ICDPA |
| Deletion | ✅ | Delete personal data the consumer provided to the business |
| Data Portability | ✅ | Provide data in a portable, readily usable format |
| Opt-Out of Targeted Ads | ✅ | Consumer can opt out of targeted advertising |
| Opt-Out of Data Sales | ✅ | Consumer can opt out of sale of personal data |
| Opt-Out of Profiling | ❌ | Not included in the ICDPA |
| Right to Non-Discrimination | ✅ | Cannot discriminate against consumers exercising rights |
The absence of a correction right and a profiling opt-out right makes the ICDPA one of the narrowest comprehensive state privacy laws. Businesses that already comply with Virginia's VCDPA or similar laws will find Iowa's requirements a subset of what they are already doing.
Businesses must respond to consumer requests without undue delay and in all cases within 90 days of receipt. Most other state privacy laws use a 45-day window. Iowa's 90 days can be extended once by an additional 45 days when reasonably necessary given the complexity and number of the consumer's requests, provided the business informs the consumer of the extension and the reason for it within the initial 90-day period.
What Your Business Must Do
Even though the ICDPA is narrower than many state privacy laws, compliance still requires deliberate action.
Provide a reasonably accessible and clear privacy notice. Your privacy policy must disclose the categories of personal data you process, the purpose of processing, how consumers can exercise their rights, the categories of personal data shared with third parties, and the categories of those third parties. If you sell personal data or engage in targeted advertising, you must also clearly and conspicuously disclose that processing and how consumers can opt out of it. Iowa's disclosure requirements are largely consistent with other state privacy laws.
Establish consumer request processes. You need a process for receiving, verifying, and responding to access, deletion, portability, and opt-out requests. The 90-day response deadline is more generous than the 45 days most states allow, but you should still build processes that can respond well within that window. For a practical framework, see our DSAR workflow guide.
Give notice and an opt-out before processing sensitive data. Here the ICDPA is unusual: most state privacy laws require opt-in consent for sensitive data, but Iowa only requires that you present the consumer with clear notice and an opportunity to opt out before processing it. Sensitive data concerning a known child must instead be processed in accordance with the federal Children's Online Privacy Protection Act (COPPA). Sensitive data includes racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data processed to uniquely identify a person, personal data collected from a known child, and precise geolocation data.
Implement data processing agreements. Contracts with processors (third-party vendors that handle data on your behalf) must clearly define the instructions for processing, the nature and purpose of processing, the type of data being processed, confidentiality obligations, and requirements for data security.
Practice data minimization. The ICDPA does not carry the express "adequate, relevant, and reasonably necessary" collection limit found in Virginia's VCDPA, but collecting only what you need is still sound practice: every record you do not hold is one you never have to locate, disclose, delete, or secure.
Note what the ICDPA does not require. The ICDPA contains no data protection assessment requirement. Unlike Virginia, Colorado, and Connecticut, Iowa does not require businesses to document a risk-benefit analysis before engaging in targeted advertising, selling personal data, or processing sensitive data. Businesses operating in multiple states will still need those assessments for the states that do require them.
Ensure security practices. The ICDPA requires that businesses establish, implement, and maintain reasonable administrative, technical, and physical data security practices. These practices should be proportionate to the volume and nature of the personal data at issue.
How Is It Enforced?
The ICDPA is enforced exclusively by the Iowa Attorney General. There is no private right of action -- consumers cannot sue businesses directly for violations.
Iowa's enforcement framework stands out for its generous cure period. Before bringing an enforcement action, the Attorney General must give the business written notice and a 90-day cure period, the longest of any state privacy law. During this window, the business can remedy the alleged violation and avoid penalties. Critically, this cure period does not have a sunset date. It remains in place indefinitely, unlike the cure periods in states such as Colorado and Connecticut, which have already expired.
If a violation is not cured, the Attorney General can pursue enforcement action under Iowa's consumer protection statutes. Penalties can reach up to $7,500 per violation. The Attorney General can also seek injunctive relief to stop ongoing violations.
The combination of a 90-day response window and a permanent 90-day cure period makes Iowa one of the most forgiving enforcement environments for businesses working in good faith to comply.
How This Compares to Other State Laws
Iowa's narrower scope and generous timelines set it apart. Here is how it compares:
| Feature | Iowa (ICDPA) | Virginia (VCDPA) | Nebraska (NDPA) |
|---|---|---|---|
| Effective Date | Jan 1, 2025 | Jan 1, 2023 | Jan 1, 2025 |
| Consumer Threshold | 100K consumers | 100K consumers | No numeric threshold (SBA small-business exemption) |
| Right to Correction | No | Yes | Yes |
| Opt-Out of Profiling | No | Yes | Yes |
| Response Deadline | 90 days (+45 ext.) | 45 days (+45 ext.) | 45 days (+45 ext.) |
| Cure Period | 90 days (no sunset) | 30 days (no sunset) | 30 days |
| Private Right of Action | No | No | No |
| Max Penalty | $7,500/violation | $7,500/violation | $7,500/violation |
Nebraska's privacy law, which also took effect in 2025, is broader than Iowa's. It has no numeric consumer threshold; instead it exempts "small businesses" as defined by the U.S. Small Business Administration, so most other businesses that process Nebraska consumer data are covered. Iowa is among the most business-friendly state privacy laws by comparison. If your business already complies with Virginia or California, Iowa compliance will require minimal additional effort. The main advantage for Iowa-only compliance is the longer timelines and narrower rights, but businesses operating in multiple states should build processes around the stricter requirements.
Action Checklist for Small Businesses
- Determine if the ICDPA applies to you. Count the number of Iowa consumers whose personal data you process in a calendar year. If you reach 100,000 (or 25,000 with more than 50% of gross revenue from data sales), you are covered.
- Audit your data inventory. Map what personal data you collect from Iowa consumers, where it comes from, where it is stored, and who you share it with.
- Update your privacy notice. Ensure it addresses all ICDPA-required disclosures, including categories of data, purposes, third-party sharing, consumer rights, and, if applicable, your data sales and targeted advertising and how to opt out of them.
- Build your request response process. Set up workflows for access, deletion, portability, and opt-out requests. The 90-day deadline is generous, but do not wait until the last minute. See our how to respond to a DSAR guide.
- Implement opt-out mechanisms. Provide clear methods for consumers to opt out of data sales and targeted advertising.
- Provide notice and an opt-out for sensitive data. Ensure consumers receive clear notice and an opportunity to opt out before you process any sensitive data categories, and that data from known children is handled in accordance with COPPA.
- Review and update vendor contracts. Ensure data processing agreements are in place with all third-party processors.
- Check assessment obligations in other states. The ICDPA itself does not require data protection assessments, but if you also operate in states that do, complete and document them for your higher-risk processing.
Key Dates
- March 28, 2023: ICDPA signed into law (Senate File 262).
- January 1, 2025: ICDPA takes effect. Full compliance required.
- No sunset on cure period: The 90-day cure period remains indefinitely.
References
- Iowa Consumer Data Protection Act: Iowa Code ch. 715D (Senate File 262, 2023). Full text on Iowa Legislature website
- Virginia Consumer Data Protection Act (VCDPA): Va. Code §§ 59.1-575 through 59.1-585.
- Nebraska Data Privacy Act (NDPA): Neb. Rev. Stat. §§ 87-1101 through 87-1116 (LB 1074, 2024).
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.
Ready to streamline your consumer request process? Our DSAR Compliance Guide gives you a step-by-step framework for handling access, deletion, and opt-out requests across multiple state privacy laws -- including Iowa's 90-day timeline.