February 2024

1. Governing Texts

1.1. Key acts, regulations, directives, bills

An Act relating to consumer data protection ('ICDPA') was signed by the Iowa State Governor on 28 March 2023 and enters into effect on 1 January 2025.

1.2. Guidelines

No further information.

1.3. Case law

No further information.

2. Scope of Application

2.1. Personal scope

The ICDPA applies to a person conducting business in Iowa or producing products or services that are targeted to consumers who are Iowa residents and, that during a calendar year, does either of the following (§715D.2(1) of the ICDPA):

• controls or processes personal data of at least 100,000 consumers; or
• controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.

The ICDPA does not apply to (§715D.2(2) of the ICDPA):

• the state or any political subdivision of the state;
• financial institutions, affiliates of financial institutions;
• data subject to Title V of the Gramm-Leach-Bliley Act of 1999 ('GLBA');
• persons who are subject to and comply with regulations pursuant to Title II (F) of the Health Insurance Portability and Accountability Act of 1996 Privacy and Security Rules established pursuant to the Health Insurance Portability and Accountability Act of 1996 ('HIPAA');
• Title XIII (D) of the Health Information Technology for Economic and Clinical Health Act of 2009;
• non-profit organizations; or
• institutions of higher education.

2.2. Territorial scope

The ICDPA applies to a person conducting business in Iowa or producing products or services that are targeted to consumers who are Iowa residents (§715D.2(1) of the ICDPA).

2.3. Material scope

The ICDPA applies to the personal data of individuals, which is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include de-identified or aggregate data or publicly available information (§715D.1(18) of the ICDPA).

However, the ICDPA outlines that certain data is exempt from its scope, including (§715D.2(3) of the ICDPA):

• protected health information under HIPAA;
• health records;
• patient identifying information for purposes of §§290dd-2 of Title 42 of the U.S. Code, as part of the Public Health Service Act
• personal data used or shared in research conducted in accordance with the requirements of the ICDPA, or other research conducted in accordance with other laws;
• the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorised under the Fair Credit Reporting Act of 1970 ('FCRA')
• Personal data regulated by the Family Educational Rights and Privacy Act 1974 ('FERPA')
• data processed or maintained:
  • in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role;
  • as the emergency contact information of an individual under this chapter used for emergency contact purposes; and/or
  • that is necessary to retain to administer benefits for another individual relating to the individual under point one and used for the purposes of administering the same; and/or
• personal data used in accordance with the Children's Online Privacy Protection Act of 1998 ('COPPA').

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The Iowa Attorney General ('AG') is the regulator within Iowa.

3.2. Main powers, duties and responsibilities

In accordance with §715D.8(1) of the ICDPA, the AG will have exclusive authority to enforce the ICDPA and may, whenever they have reasonable cause to believe that any person has engaged in, or is engaging in, or is about to engage in any violation of the ICDPA, issue a civil investigative demand.

4. Key Definitions

Data controller: Is defined as a person that, alone or jointly with others, determines the purpose and means of processing personal data (§715D.1(8) of the ICDPA).

Data processor: Is defined as a person that processes personal data on behalf of a controller (§715D.1(21) of the ICDPA).

Personal data: Is defined as any information that is linked or is reasonably linkable to an identified or identifiable natural person. Personal data is provided to not include de-identified or aggregate data or publicly available information (§715D.1(18) of the ICDPA).

Sensitive data: Is defined as a category of personal data which includes (§715D.1(26) of the ICDPA):

• racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship and immigration status except where such data is used to avoid discrimination on the basis of protected classes that would violate a federal or state anti-discrimination law;
• genetic or biometric data processed for the purpose of uniquely identifying a natural person;
• the personal data collected from a child; and
• precise geolocation data.

Health data: Is not specifically defined under the ICDPA, but 'health record' is defined as any written, printed, or electronically recorded material maintained by a health care provider in the course of providing health services to an individual concerning the individual and the services provided, including health information provided in confidence to a health-care provider (§715D.1(14) of the ICDPA).

Biometric data: Is defined as data generated by automated measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. Biometric data does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA (§715D.1(4) of the ICDPA).

Pseudonymization: 'pseudonymous data' is defined under the ICDPA as personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person (§715D.1(23) of the ICDPA).

5. Legal Bases

5.1. Consent

The ICDPA does not outline consent as a lawful basis for data processing. However, in cases of processing the sensitive personal data of a known child, the personal data must be processed in accordance with COPPA (§715D.4(2) of the ICDPA).

Nevertheless, 'consent' is defined as a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action (§715D.1(6) of the ICDPA).

5.2. Contract with the data subject

The ICDPA provides that nothing provided within may restrict a controller or processor's ability to provide products or services specifically requested by a consumer or parent or guardian of a child, performing a contract to which the consumer or parent or guardian of a child is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer or parent or guardian of a child prior to entering into a contract (§715D.7(1)(e) of the ICDPA).

5.3. Legal obligations

The ICDPA also provides that nothing provided within may restrict the ability of controllers or processors to (§715D.7(1)(a),(b), and (c) of the ICDPA):

• comply with federal, state, or local laws, rules, or regulations;
• investigate, establish, exercise, prepare, or defend legal claims;
• comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; or
• cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations.

5.4. Interests of the data subject

The ICDPA also provides that nothing within may restrict the ability of controllers or processors to take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another natural person, and where the processing cannot be manifestly based on another legal basis (§715D.7(1)(f) of the ICDPA).

5.5. Public interest

The ICDPA also provides that nothing within may restrict the ability of controllers or processors to engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine the following (§715D.7(1)(j) of the ICDPA):

• if the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;
• the expected benefits of the research outweigh the privacy risks; or
• if the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification.

5.6. Legitimate interests of the data controller

The ICDPA does not explicitly address the legitimate interest of the controller.

However, the ICDPA provides that nothing within may restrict the ability of controllers or processors to (§715D.7(1)(b) of the ICDPA):

• prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity;
• preserve the integrity or security of systems; and
• investigate, report, or prosecute those responsible for any such action.

Likewise, the obligations imposed on a controller or processor under the ICDPA will not restrict the controller's or processor's ability to collect, use, or retain data to (§715D.7(2) of the ICDPA):

• conduct internal research to develop, improve, or repair products, services, or technology;
• effectuate a product recall;
• identify and repair technical errors that impair existing or intended functionality; and
• performing internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or parent or guardian of a child or the performance of a contract to which the consumer or parent or guardian of a child is a party.

5.7. Legal bases in other instances

The obligations imposed on controllers or processors under the ICDPA will not apply where compliance by the controller or processor would violate an evidentiary privilege under the laws of the state. In addition, nothing with the ICDPA should be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of the state as part of a privileged communication (§715D.7(3) of the ICDPA).

6. Principles

Data controllers must adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and availability of personal data. On this point, the ICDPA stipulates that such practices should be appropriate to the volume and nature of the personal data at issue (§715D.4(1) of the ICDPA).

In addition, personal data processed by a controller in regard to the limitation under §715D.7 of the ICDPA may be processed to the extent that such processing is (§715D.7(6) of the ICDPA):

• reasonably necessary and proportionate to the purposes listed;
• adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section;
• personal data collected, used, or retained is pursuant to §7 of the Act, where applicable, taking into account the nature and purpose or purposes of such collection, use, or retention; and
• subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data.

7. Controller and Processor Obligations

7.1. Data processing notification

Not applicable.

7.2. Data transfers

The ICDPA does not specifically address data transfers, but defines the 'sale of personal data' as the exchange of personal data for monetary consideration by the controller to a third party, noting that the 'sale of personal data' does not include (§715D.1(25) of the ICDPA):

• the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
• the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer or a parent of a child;
• the disclosure or transfer of personal data to an affiliate of the controller;
• the disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience;
• the disclosure or transfer of personal data when a consumer uses or directs a controller to intentionally disclose personal data or intentionally interact with one or more third parties; or
• the disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.

Furthermore, the ICDPA stipulates that a controller or processor that discloses personal data to a processor or third-party controller in accordance with the ICDPA shall not be deemed to have violated the same if the processor or third-party controller that receives and processes such personal data violates said sections, provided, at the time the disclosing controller or processor disclosed such personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller would violate the ICDPA (§715D.7(4) of the ICDPA). In addition, a third-party controller or processor receiving personal data from a controller or processor in compliance with ICDPA is likewise not in violation of said sections for the transgressions of the controller or processor from which such third-party controller or processor receives such personal data (§715D.7(4) of the ICDPA). 

7.3. Data processing records

The ICDPA does not address data processing records.

7.4. Data protection impact assessment

The ICDPA does not address data protection impact assessments.

7.5. Data protection officer appointment

The ICDPA does not address the appointment of data protection officers.

7.6. Data breach notification

Not applicable.

However, there are data breach requirements outlined in the §715C.1 et seq. of Title XVI of the Iowa Code ('the Iowa Code').

For further information see Iowa - Data Breach.

7.7. Data retention

The ICDPA does not address data retention requirements.

7.8. Children's data

Notably, the ICDPA provides that a known child's parent or legal guardian may invoke consumer rights on behalf of the known child regarding processing personal data belonging to a child (§715D.3(1) of the ICDPA). In cases of processing the sensitive personal data of a known child, the personal data must be processed in accordance with COPPA (§715D.4(2) of the ICDPA).

7.9. Special categories of personal data

Controllers must not process sensitive data collected from a consumer for a non-exempt purpose under the ICDPA, without the consumer's having been presented with a clear notice and an opportunity to opt out of such processing (§715D.4(2) of the ICDPA).

7.10. Controller and processor contracts

The ICDPA requires a contract between controllers and processors that sets forth the instructions for processing personal data, the duration of the processing, the type of data subject to processors, and the rights and duties of both parties. Controller processor contracts under the ICDPA must (§715D.5(2) of the ICDPA):

• ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
• at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
• upon the reasonable request of the controller, make available to the controller all information in the processor's possession necessary to demonstrate the processor's compliance with the obligations in the ICDPA; and
• engage any subcontractor or agent pursuant to a written contract in accordance with this section that requires the subcontractor to meet the duties of the processor with respect to personal data.

Notably, the ICDPA provides that determining whether a person is acting as a controller or processor with respect to the specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. To this end, a processor that continues to adhere to a controller's instructions with respect to the specific processing of personal data remains a processor (§715D.5(4) of the ICDPA).

The ICDPA also stipulates that processors must assist a controller in their duties, taking into account the nature of processing and the information available to the processor by appropriate technical and organizational measures, in order to (§715D.5(1) of the ICDPA):

• fulfil the controller's obligation to respond to consumer rights requests; and
• meet the controller's obligations in relation to the security of processing personal data and in relation to the notification of a security breach of the processor.

8. Data Subject Rights

The ICDPA establishes consumer data rights that may be invoked at any time by submitting a request to the controller, through means specified by the controller (§715D.3(1)(a) of the ICDPA). Further, the ICDPA stipulates that controllers must respond to consumers without undue delay, but in all cases within 90 days of receipt of a request. The timeframe for a response may be extended once by an additional 45 days when reasonably necessary considering the complexity and number of consumer requests (§715D.3(2)(a) of the ICDPA). The consumer must be informed of the extension within the original 90-day timeframe, together with the reason for the extension. Equally, the ICDPA stipulates that controllers must inform data subjects without undue delay when declining to take action, except in case of suspected fraudulent requests where the controller may state they were unable to authenticate the request. Importantly, the controller must also provide instructions for appealing the decision pursuant to 715D.3(3) of the ICDPA (§715D.3(2)(b) of the ICDPA).

More specifically, on appealing decisions, a controller must establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process must be conspicuously available and similar to the process for submitting requests to initiate action. Within 60 of receipt of an appeal, a controller must inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the controller shall also provide the consumer with an online mechanism through which the consumer may contact the AG to submit a complaint (§715D.3(3)(b) of the ICDPA).

A controller must not discriminate against a consumer for exercising their consumer rights, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in the ICDPA should be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the consumer’s right to opt out or the offer is related to a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program (§715D.4(3) of the Act). 

8.1. Right to be informed

The ICDPA provides that controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the following (§715D.4(5) of the ICDPA):

• the categories of personal data processed by the controller;
• the purpose for processing personal data;
• how consumers may exercise their consumer rights including how a consumer may appeal a controller's decision with regard to the consumer's request;
• the categories of personal data that the controller shares with third parties, if any; and
• the categories of third parties, if any, with whom the controller shares personal data.

Where controllers sell a consumer's personal data to a third party or engage in targeted advertising, the controller must clearly and conspicuously disclose such activity (§715D.4(6) of the ICDPA).

A controller must establish, and describe in a privacy notice, secure and reliable means for consumers to submit a request to exercise their consumer rights. This should consider the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. A controller must not require a consumer to create a new account in order to exercise consumer rights pursuant to section §715D.3 of the ICDPA but may require a consumer to use an existing account (§715D.4(7) of the ICDPA).

8.2. Right to access

The ICDPA provides consumers with the right to access their personal data (§715D.3(1)(a) of the ICDPA).

8.3. Right to rectification

The ICDPA does not provide for the right to rectification.

8.4. Right to erasure

The ICDPA provides consumers with the right to delete the personal data provided by the consumer (§715D.3(1)(b) of the ICDPA).

8.5. Right to object/opt-out

The ICDPA provides consumers with the right to opt out of the sale of personal data (§715D.3(1)(d) of the ICDPA). Specifically, where a controller sells a consumer's personal data to third parties or engages in targeted advertising, the controller must clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity (§715D.4(6) of the ICDPA).

8.6. Right to data portability

The ICDPA provides consumers with the right to obtain a copy of their personal data that the consumer previously provided to the controller in a portable, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means (§715D.3(1)(c) of the ICDPA).

The above does not apply where the personal data defined as 'personal information' pursuant to the Iowa Code is subject to a security breach protection,

8.7. Right not to be subject to automated decision-making

The ICDPA does not provide for the right not to be subject to automated decision-making.

8.8. Other rights

No further information.

9. Penalties

The AG has the authority to issue a civil investigation where there is a reasonable cause to believe any person is engaging in, or is about to engage in, any violation of the ICDPA (§715D.8(1) of the ICDPA). Importantly, the AG must provide controllers or processor's 90 days written notice identifying the provisions alleged to or that have been violated, before initiating any action. If within the 90-days, the controller or processor rectifies the aforementioned violation and provides the AG an express written statement that the alleged violations have been resolved and that no further such violations shall occur, no action can be initiated against the controller or processor (§715D.8(2) of the ICDPA).

Where controllers or processors continue to violate the ICDPA following the cure period noted above or breach an express written statement provided to the AG, the AG may seek an injunction to restrain violations of the ICDPA and civil penalties up to $7,500 for each violation under the ICDPA (§715D.8(3) of the ICDPA).

Notably, the ICDPA clarifies that nothing within should be construed as providing the basis for, or be subject to, a private right of action for violations under the Act or under any other law (§715D.8(4) of the ICDPA).

9.1 Enforcement decisions

Not applicable.