People communication

On March 29, 2023, Iowa became the sixth U.S. state to pass comprehensive consumer privacy legislation. The new law will go into effect on January 1, 2025. Iowa’s privacy law bears substantial similarity to the Virginia, Colorado, Connecticut and Utah privacy laws, which should facilitate compliance for businesses subject to those laws. Likewise, businesses familiar with the California Consumer Privacy Act (CCPA) will find overlap with the CCPA, though Iowa’s law is not as far-reaching and provides a more limited slate of consumer rights.    


Companies are subject to the Iowa privacy law if they do business in Iowa or target products or services to Iowa consumers, and meet one of the following criteria during a calendar year:

  1. Control or process personal data of at least 100,000 Iowa consumers.
  2. Control or process personal data of at least 25,000 Iowa consumers and derive over 50 percent of gross revenue from the sale of personal data.

Unlike the CCPA, the Iowa law does not include a revenue-based applicability threshold. The law expressly applies only to consumers acting in an “individual or household context” and excludes anyone “acting in a commercial or employment context.” It also includes both entity-level and data-level exemptions for companies and information subject to other privacy laws such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Fair Credit Reporting Act, among others.

Overview of Requirements

The Iowa law requires businesses to be transparent about their processing activities by providing a privacy notice that includes the following:

  1. The categories of personal data processed.
  2. The purposes for which personal data is processed.
  3. How Iowans can exercise their consumer data rights.
  4. The categories of personal data shared with third parties.
  5. The third parties with which personal data is shared.

Generally, though, the Iowa law is not particularly prescriptive in terms of how notice must be provided (other than making it “reasonably accessible”), does not mandate any special links or forms for websites, and does not necessarily require any specific reference to Iowa within a privacy policy that otherwise meets the above requirements. This approach should help with interoperability with the other state privacy laws.

The Iowa privacy law will provide Iowa consumers with the following limited slate of data privacy rights:

  1. The right to confirm whether a controller is processing a consumer’s personal data and to access their personal data.
  2. The right to obtain a portable copy of personal data the consumer previously provided to the business.
  3. The right to delete personal data provided to the business by the consumer.
  4. The right to opt out of the sale of personal data (defined as an exchange of data for monetary consideration).

The law also requires that businesses provide consumers with an opportunity to opt out of the processing of sensitive personal data and the right to appeal the denial of a consumer data rights request. The Iowa law does not include a right to correct or a right to opt out of profiling. Although the law does not include a right to opt out of targeted advertising among the express list of consumer data rights, it does include a somewhat cryptic requirement that “[i]f a controller . . . engages in targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.” Businesses will have 90 days to respond to consumer data rights requests, which may be extended by 45 days if needed.

The law includes specific contractual requirements for agreements between controllers and processors that overlap with those mandated under other state privacy laws. The law does not require data protection assessments.

Penalties and Enforcement

Enforcement authority lies exclusively with the Iowa Attorney General. The law provides for civil penalties of up to $7,500 per violation in the event a business is not able to remedy a violation within the 90-day cure period. There is no private right of action.

Key Takeaways

Although the patchwork of state privacy laws developing in the United States is certainly a challenge for businesses and will continue to grow more challenging with each additional law, the Iowa law presents an approach to data privacy regulation that provides rights to consumers while balancing the compliance costs for businesses. Although the law does not take effect until January 2025, companies that do business in Iowa or target goods or services to consumers in the state should assess the impact of this law and prepare for compliance with it.