Law: An Act relating to consumer data protection ('ICDPA')
Regulator: The Iowa Attorney General ('AG')
Summary: On 28 March 2023, the Iowa State Governor signed Senate File 262 for An Act relating to consumer data protection, thereby enacting the ICDPA which will enter into effect on 1 January 2025. The ICDPA introduces obligations for data controllers and processors including disclosure as well as vendor management requirements and establishes new consumer rights such as right to access, deletion, be informed (confirmation), and the right to opt out of targeted advertising and the sale of personal data. Furthermore, the ICDPA provides the AG with enforcement powers, but does not private a right of action.
In addition, under §715C.1 et seq. of Title XVI of the Iowa Code, there is a requirement to notify personal data breaches of both electronic and paper records to affected consumers as well as to the AG when the information of more than 500 residents is breached. Other applicable statutes in Iowa regulate the use of financial and health information as well as student data.
You can track other US State bills through our US State Law Tracker.