Iowa ICDPA cookie consent and compliance

Under the Iowa Consumer Data Protection Act (ICDPA), businesses must manage data privacy and consent in order to be compliant. Is your consent management ready for the challenge?

What your business needs to know about Iowa ICDPA

The Iowa Consumer Data Protection Act (ICDPA) was signed on March 29, 2023 and entered into force January 1, 2025. It empowers Iowa residents with new rights governing how their personal data is collected, used, sold, shared, and processed.  

What does Iowa ICDPA compliance require? 

To comply with Iowa ICDPA:

Update privacy and cookie policy:

Updating privacy and cookie policies with Iowa-specific disclosures.

Implement consent management:

Implementing cookie consent banners and opt-out mechanisms to obtain clear, affirmative consent

Data subject handling:

Establishing processes for handling data subject requests.

Data security:

Ensuring data security measures are in place.

Review and disclose data and cookie practices:

Disclose data handling practices, including collection, storage and sharing of cookie types, purposes, etc.

Response deadlines:

Respond to consumer rights requests within 90 days (plus a possible 45-day extension).

Who needs to comply with Iowa ICDPA?

Compliance is required for any business that controls or processes personal data of at least 100,000 Iowa residents annually or controls or processes data of at least 25,000 Iowa residents and earns over 50% of gross revenue from selling personal data. 

This includes companies operating in Iowa or targeting Iowa consumers—even small businesses without revenue thresholds.

Consumer rights under Iowa ICDPA

Iowa residents (consumers) gain several rights under ICDPA:

Unlike some states, Iowa does not grant the right to correct inaccurate data or the right to opt out of profiling or targeted advertising.

Why cookies are part of Iowa ICDPA compliance

Cookies that store or collect personal data—especially for targeted advertising, sale of data, or processing sensitive info—are within the scope of ICDPA. Businesses must clearly disclose these cookies, provide options for users to opt out of data sale or sensitive data collection, and ensure cookie banners and notices are compliant.

Since cookies that collect or process personal data are regulated, your site’s cookie policy and banner must categorize cookies by type (e.g., functional, analytics, targeting), disclose their purpose, and offer opt-out choices for personal data processing or sale. Persistent consent tracking and documentation may also be needed to prove compliance.

Penalties for Iowa ICDPA non-compliance

Iowa’s ICDPA is enforced exclusively by the Iowa Attorney General. Businesses receive a written warning and 90-day cure period to fix violations. Failure to resolve issues triggers maximum fines of 7,500 USD per violation. There is no private right of action—only AG enforcement.

How to comply with Iowa ICDPA

To check your compliance with ICDPA, organizations should follow several data privacy best practices:

Audit:

Conduct a data audit to identify all cookies and trackers on their websites

Categorize:

Categorize cookies (e.g., necessary, preference, analytics, marketing)

Implement consent management:

Ensure consent banners are implemented correctly with granular choices, enable users to withdraw consent at any time, and maintain consent logs

Check third-party contracts:

Review third-party data-sharing practices 

How CookieHub can help with Iowa ICDPA compliance

A consent management platform like CookieHub streamlines Iowa ICDPA compliance by managing cookie banners, maintaining consent records, enabling geotargeted opt-out, and generating required notices.

Frequently Asked Questions

ICDPA Iowa applies to controllers and processors that operate in Iowa or target Iowa residents, meeting thresholds: ≥ 100K residents’ data processed annually, or ≥ 25K residents’ data plus ≥ 50% of revenue derived from data sales.

Any information that identifies, relates to, describes, or is reasonably linkable to an individual—excluding publicly available data.

Data revealing racial or ethnic origin, religious beliefs, health data, precise geolocation, biometrics, sexual orientation, etc. Requires notice and opt-out before processing.

The Iowa Attorney General has exclusive enforcement power, including issuing cure notices and penalties.

Exemptions from ICDPA include: state/government entities; entities regulated under HIPAA, HITECH, or GLBA; financial institutions under GLBA; and nonprofits and higher education institutions.

Authoritative sources include the official statute (SF 262) within the Iowa legislature records.