Last updated: January 2025
Please note this is a highlighted overview and not a complete overview of privacy laws for this state. If you would like a complete review of this state's privacy laws or a multi-state privacy compliance cheat sheet on specific topics, please contact Vivien Peaden at vpeaden@bakerdonelson.com.
Disclaimer: These materials do not constitute legal advice and should not be substituted for the advice of legal counsel.
The Iowa Consumer Data Protection Act (Iowa CDPA)
Effective Date: January 1, 2025
1. Applicability Thresholds:
Subject to certain entity-level and data-level exemptions, the Iowa CDPA applies to a legal or natural person that does business in Iowa or produces products/services targeted to residents of Iowa and that, during a calendar year, controls or processes personal data of:
- 100,000+ Iowa consumers; or
- 25,000+ Iowa consumers and derives more than 50 percent of revenue from the sale of personal data.
2. Key Definitions:
Sales of Personal Data: Narrowly defined as "the exchange of personal data for monetary consideration by the Controller to a third party" subject to a few exemptions.
3. Business Obligations:
The Iowa CDPA imposes additional obligations on individuals or legal entities that determine the purpose and means of processing personal information (Controller):
- Data Processing Agreement (DPA): Processing activities by a supplier (known as Processor) shall be governed by a DPA between the Controller and Processor.
- Privacy Notice: Yes, a Controller must provide consumers with a privacy notice, including:
  - Disclosure of Data Sales and Targeted Advertising: Controllers must "clearly and conspicuously disclose" the fact that they sell personal data to third parties or engage in targeted advertising, as well as the manner through which a consumer may opt out of such activity.
- Notably, the Iowa CDPA is one of the outliers that does not provide a definition for "profiling" or require a Controller to conduct any data protection assessment.
4. Consumer Rights:
Under the Iowa CDPA, Iowa consumers have the right to:
- Confirm whether a Controller is processing their personal data and access that data;
- Notably, the Iowa CDPA does not provide consumers the right to correct inaccuracies in their personal data;
- Delete personal data subject to certain exceptions;
- Obtain a copy of, or a summary of, their personal data provided to the Controller in a readily usable format; and
- Opt out of the sale of personal data (but no right to opt out of targeted advertising or profiling).
5. Enforcement and Penalties:
Private Right of Action: None.
Penalties: The state attorney general has sole authority to enforce the statute, with penalties of a maximum of $7,500 per violation.
Cure Period: 90-day cure period, which is longer than the standard 30-day cure period seen in other state privacy laws; unlike some states, this is a permanent cure period that does not have a cutoff date.