Iowa Privacy Law Overview
Iowa's privacy law took effect January 1, 2025 and is deliberately narrow. Compared with other states, Iowa consumers have fewer rights — no correction, and no opt-out of targeted advertising or profiling — and businesses get an unusually generous 90 days to cure alleged violations before the Attorney General can act.
The Iowa Consumer Data Protection Act (ICDPA)
Iowa's law is the most limited comprehensive state privacy law. It grants access, deletion, portability and an opt-out of data sales, but does not provide a right to correct data or an opt-out of targeted advertising or profiling, and it handles sensitive data through notice and opt-out rather than opt-in consent. Its 90-day cure period is the longest in the nation.
ICDPA: Quick Overview
- Effective Date: January 1, 2025
- Citation: Iowa Code ch. 715D
- Enforced By: Iowa Attorney General
- Maximum Penalty: Up to $7,500 per violation
- Private Right of Action: No (enforcement by the state only)
- Right to Cure: 90 days (permanent)
Who Must Comply
The ICDPA applies to businesses that meet Iowa's applicability thresholds:
- Controls or processes the personal data of 100,000+ Iowa consumers per year, or
- Processes data of 25,000+ consumers and derives over 50% of gross revenue from selling personal data
What makes Iowa different: Iowa offers the fewest consumer rights of any comprehensive law — no correction or targeted-ad/profiling opt-out — and the longest 90-day cure period.
Consumer Rights Under the ICDPA
Iowa residents can exercise the following rights over their personal data:
- Right to access / confirm what data is held
- Right to delete personal data
- Right to data portability
- Right to opt out of the sale of personal data
Sensitive personal data: notice and opportunity to opt out
Data Breach Notification in Iowa
Iowa requires notice to affected residents without unreasonable delay and to the Attorney General within five business days when 500 or more residents are notified.
- Deadline to notify residents: Without unreasonable delay
- Attorney General notice: Notify the Iowa Attorney General within 5 business days if 500 or more residents are notified
- Covered data: Name combined with sensitive identifiers (SSN, driver's license, financial-account or medical information, and more)
Federal Privacy Laws That Apply in Iowa
Even where Iowa law is silent, residents and businesses are covered by federal privacy statutes:
- HIPAA — health information held by providers, plans and their vendors
- GLBA — privacy and safeguards rules for financial institutions
- FERPA — student education records
- FCRA — consumer reporting agencies and background screening
- COPPA — online collection of data from children under 13
- FTC Act §5 — unfair or deceptive privacy and data-security practices
Iowa Privacy Law FAQ
How limited is Iowa's privacy law?
How long does an Iowa business have to fix a violation?
How a Iowa Privacy Attorney Can Help
For Businesses
- Build and audit a privacy compliance program
- Draft privacy policies, notices and vendor contracts
- Respond to consumer rights requests
- Manage data-breach response and notification
- Defend regulatory investigations and enforcement
For Consumers
- Enforce your privacy rights against non-compliant businesses
- Pursue or join data-breach litigation
- File complaints with the Iowa Attorney General
- Seek damages for identity theft and fraud
- Stop unlawful data sales and unwanted marketing
Need a Iowa Privacy Attorney?
Whether you are a business working toward compliance or a Iowa resident whose privacy has been violated, our network of Iowa-licensed attorneys can help.
Find a Iowa Privacy Attorney