The Iowa Consumer Data Privacy Act (ICDPA), scheduled to come into force from January 2025, introduces specific requirements for organizations which process the data of Iowa residents.
Iowa has its own data privacy laws that organizations need to be aware of. The Iowa Consumer Data Privacy Act (ICDPA) was enacted in 2020 and it requires businesses to provide consumers with more control over their personal information. This law will come into force on January 1st 2025, giving organizations a buffer of time within which they are expected to come into compliance. It’s important for organizations to review and understand the specific requirements of the ICDPA to ensure compliance and protect consumer data. The law is rather similar in content to the Virginia Consumer Data Protection Act (VCDPA), so organizations which have already achieved compliance with the VCDPA, as well as the GDPR, may not need to make many changes in order to achieve compliance with the ICDPA.
The ICDPA applies to organizations that collect, use and disclose the personal information of Iowa residents, with various exemptions.
The Iowa Consumer Data Privacy Act applies to businesses that collect, use, and disclose personal information of Iowa residents. This includes businesses that meet specific criteria such as having annual gross revenue over $25 million, processing the personal information of over 100,000 consumers, or deriving over 50% of their revenue from selling personal information if they control or process the personal data of at least 25,000 Iowa consumers. Iowa defines a “consumer” as a natural person who is a resident of the state acting in a noncommercial and nonemployment context, and outlines rights of consumers under this law.
The ICDPA includes several exemptions based on the nature of the data collected and its usage by businesses. These exemptions safeguard personal information that falls under the purview of existing federal laws. Additionally, the law does not apply to certain types of data, such as de-identified or publicly available information.
Health Information:
The Health Insurance Portability and Accountability Act (HIPAA) takes precedence over the Iowa privacy law when handling personal data in the healthcare sector. Health records and medical information are considered sensitive and are exempted from the Iowa privacy law.
Children’s Privacy:
The Children’s Online Privacy Protection Act (COPPA) is a federal law that governs the collection, use, and disclosure of personal information from children under the age of 13. Businesses that comply with COPPA are exempt from the Iowa privacy law in this regard.
Educational Data:
The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student educational records. Institutions and agencies that adhere to FERPA’s guidelines are exempted from the Iowa privacy law concerning educational data.
Driver’s Privacy:
The Driver’s Privacy Protection Act safeguards personal information related to motor vehicle records. Businesses that comply with this federal law are exempt from the Iowa privacy law in relation to driver’s privacy.
Farm Credit Data:
The Farm Credit Act regulates the collection and use of personal information by farm credit institutions. Businesses that adhere to the Farm Credit Act are exempted from the Iowa privacy law concerning farm credit data.
Human Subjects Research Data:
Human subjects research data protected by federal laws or institutional review board standards is also exempt from the ICDPA. This exemption upholds ethical considerations and privacy safeguards in research settings.
Employment Data:
Personal data processed or maintained for employment purposes, such as employee records and payroll information, is exempt from the Iowa privacy law. This exemption ensures that businesses can manage internal HR functions without conflicting with the state law.
The ICDPA outlines specific consumer rights which organizations falling under the scope of this law are obligated to uphold.
The Iowa Consumer Data Privacy Act upholds several consumer rights to protect their personal information. These rights include the right to know what personal information is being collected, the right to access and request a copy of their personal information, the right to request deletion of their personal information, the right to opt-out of sale of their personal information, and the right to non-discrimination for exercising their privacy rights. These rights are aimed at giving consumers more control over their personal data and ensuring their privacy is respected by businesses operating in Iowa.
Under the Iowa Consumer Data Privacy Act, covered entities are obligated to provide consumers with notices about the collection of their personal information, provide notice before processing sensitive information, implement data security measures to protect personal information, and provide consumers rights to access, delete, and correct their information. Entities are also required to comply with consumer requests to opt-out of the sale of their personal information, similar to the CCPA, which allows consumers to opt out of sensitive data processing. The Act also requires organizations to ensure that consumers are not discriminated against for exercising their privacy rights.
The enforcement of the ICDPA is the exclusive responsibility of the Iowa Attorney General, and provides organizations with a 90 day grace period in order to correct violations.
The Iowa Attorney General has exclusive authority to issue civil investigative demands and conduct enforcement actions. In the event that the Attorney General wishes to initiate an action against a business for any violation of the law, the office of the Attorney General must first provide the business with written notice of the violation and 90 days to ameliorate the situation. This grace period is longer than the typical grace period provided under any similar statute. Although the Iowa legislature has aligned with most other state legislatures enacting similar laws, except California, in that the State Attorney General has exclusive enforcement authority and there is no private right of action, the ICDPA allows the Attorney General to issue fines of up to $7,500 per violation, and does not distinguish between unintentional or intentional violations.
Discover how Aphaia can elevate your data protection strategy to new heights. We specialize in empowering organizations like yours with cutting-edge solutions designed to not only meet but exceed the demands of today’s data security landscape. Contact Aphaia today to find out more.