Support Centre



Law: An Act relating to consumer data protection ('ICDPA')

Regulator: The Iowa Attorney General ('AG')

Summary: On 28 March 2023, the Iowa State Governor signed Senate File 262 for An Act relating to consumer data protection, thereby enacting the ICDPA which will enter into effect on 1 January 2025. The ICDPA introduces obligations for data controllers and processors including disclosure as well as vendor management requirements and establishes new consumer rights such as right to access, deletion, be informed (confirmation), and the right to opt out of targeted advertising and the sale of personal data. Furthermore, the ICDPA provides the AG with enforcement powers, but does not private a right of action.

In addition, under §715C.1 et seq. of Title XVI of the Iowa Code, there is a requirement to notify personal data breaches of both electronic and paper records to affected consumers as well as to the AG when the information of more than 500 residents is breached. Other applicable statutes in Iowa regulate the use of financial and health information as well as student data.

You can track other US State bills through our US State Law Tracker


On 29 March 2023, Iowa became the sixth state to pass a comprehensive data privacy law (in line behind Connecticut, Utah, Virginia, Colorado, and California). The Iowa Consumer Data Protection Act ('ICDPA') will go into effect on 1 January 2025.  While there are some familiar elements to other state laws that came before it (the law is most similar to that enacted recently in Utah) - there is still a lot that you need to do!

What are the key things for business to focus on if they are already CCPA compliant or compliant with another state privacy program?  What about for businesses who are not yet compliant with any state-specific privacy regulations? 

Odia Kagan and Melanie Notari, from Fox Rothschild LLP, provide an overview of some of the ICDPA's provisions and take a look at what needs to considered in order to comply with the law.

Senate File 262 for An Act relating to consumer data protection ('the Act') was introduced, on 23 January 2023, to the Iowa State Senate. In particular, the Act has passed both the State Senate as well as the House of Representatives, and was signed by Governor of Iowa, Kim Reynolds, on 28 March 2023. The Act introduces obligations for data controllers and duties for data processors, as well as consumer rights and will enter into effect on the 1 January 2025. OneTrust DataGuidance breaks down the key provisions of the Act.