IA · ICDPA

Iowa Consumer Data Protection Act

Applies to businesses processing personal data of 100,000+ Iowa residents, or 25,000+ if you derive 50%+ of revenue from selling personal data. The most lenient of the comprehensive state privacy laws.

Effective: 2025-01-01
Penalty max: $7,500
Cure period: 90 days
Honor GPC: Not required

Overview

The Iowa Consumer Data Protection Act (ICDPA) took effect January 1, 2025. Iowa's law is structurally similar to Utah's — no GPC requirement, no right to correction, no profiling opt-out, no data protection assessment requirement — but with even longer response and cure windows: 90 days each. Iowa is therefore the lowest-enforcement-risk state in the comprehensive privacy law list, but compliance with the basic disclosure and opt-out requirements is still required if you cross the consumer or revenue thresholds.

Who it applies to

  • Businesses processing personal data of 100,000+ Iowa residents annually.
  • Businesses processing personal data of 25,000+ Iowa residents AND deriving 50%+ of revenue from selling personal data.

Consumer rights

Right to access
Consumers can request a copy of the personal data you hold about them.
Right to deletion
Consumers can request you delete their personal data, subject to limited exceptions.
Right to portability
Consumers can request a machine-readable copy of their data to transfer elsewhere.
Right to opt out of sale
Consumers can opt out of the sale of their personal data to third parties.
Right to opt out of targeted advertising
Consumers can opt out of personalized ad targeting based on their behavior.

What this means for e-commerce

Iowa is the most lenient of the comprehensive state privacy laws — a 90-day consumer request response window (vs. the 45-day standard), a permanent 90-day cure period before enforcement, no GPC requirement, no right to correction, no profiling opt-out. Best treated as a baseline obligation rather than a high-risk enforcement target.

Penalties & enforcement

Enforced by the Iowa Attorney General. Penalties range from $0 to $7,500 per violation.

Iowa provides a 90-day cure period (permanent). The AG must give you written notice of an alleged violation and time to fix it before bringing an enforcement action.

Compliance checklist

  • Add an opt-out link for targeted advertising and data sales in your site footer
  • Update privacy policy with ICDPA-required disclosures
  • Respond to consumer requests within 90 days
  • Obtain opt-in consent before processing sensitive personal data
  • Update vendor and processor agreements

BriefStack is for informational purposes only and does not constitute legal advice. For decisions specific to your business, consult a qualified attorney.