SecurePrivacy Logo

Iowa Consumer Data Protection Act (ICDPA)

View Law Text
Maximum Fine
$7,500 per violation
Scope
State
Regulator
AG
Status
Pending

Need Help with Iowa Consumer Data Protection Act (ICDPA) Compliance?

Get expert guidance on implementing Iowa's privacy requirements and ensuring ongoing compliance for your organization.

Get Expert Help

Overview

The Iowa Consumer Data Protection Act establishes comprehensive privacy rights for Iowa residents and obligations for businesses processing personal data.

Key Facts

  • Expected to be enacted in 2024
  • Enforced by Iowa Attorney General
  • Includes consumer rights and business obligations

Key Principles

Consumer Rights

Rights granted to Iowa consumers regarding their personal data.

Requirements

  • Right to confirm processing
  • Right to delete
  • Right to data portability
  • Right to opt-out of sales
  • Right to opt-out of targeted advertising

Examples

  • Confirmation procedures
  • Deletion mechanisms
  • Data portability tools
  • Opt-out systems

Transparency

Clear disclosure of data processing activities to consumers.

Requirements

  • Privacy notice requirements
  • Processing disclosures
  • Categories of data
  • Sharing practices
  • Consumer rights information

Examples

  • Privacy policies
  • Rights notifications
  • Processing disclosures
  • Data sharing notices

Data Security

Implementation of reasonable security procedures.

Requirements

  • Security assessments
  • Technical safeguards
  • Administrative measures
  • Staff training
  • Incident response

Examples

  • Security policies
  • Training programs
  • Incident plans
  • Assessment reports

Compliance Requirements

Consumer Request Handling

Procedures for handling and responding to consumer rights requests.

Implementation Steps

  • Establish request procedures
  • Implement verification methods
  • Set response timelines
  • Train staff
  • Document responses

Required Documentation

  • Request procedures
  • Verification methods
  • Response templates
  • Training materials
  • Request logs

Opt-Out Implementation

Implementation of mechanisms for sales and targeted advertising opt-outs.

Implementation Steps

  • Develop opt-out systems
  • Create user interface
  • Process opt-outs promptly
  • Maintain records
  • Regular testing

Required Documentation

  • Opt-out procedures
  • Technical specifications
  • Processing records
  • Testing logs
  • Maintenance records

Privacy Notice Requirements

Development and maintenance of compliant privacy notices.

Implementation Steps

  • Create privacy notice
  • Include required elements
  • Make easily accessible
  • Update regularly
  • Document changes

Required Documentation

  • Privacy notice
  • Update history
  • Distribution records
  • Review logs
  • Change documentation

Enforcement & Penalties

Attorney General Enforcement

The Iowa Attorney General has exclusive authority to enforce the ICDPA.

Penalty Categories

Civil Penalties
Up to $7,500 per violation
For each violation of the Act
Injunctive Relief
Court Orders
Orders to cease violations
Actual Damages
Varies
Recovery of actual damages

Example Cases

Hypothetical Case 1
$100,000
2024 - Multiple violations of consumer rights
Hypothetical Case 2
$75,000
2024 - Failure to implement opt-out mechanisms

Cure Period

Organizations have 30 days to cure violations after notification.

Penalty Categories

Initial Notice
No immediate penalty
30-day opportunity to cure violation
Failure to Cure
Up to $7,500 per violation
If violation not cured within 30 days
Repeat Violations
Up to $7,500 per violation
No cure period for repeat violations

Example Cases

Hypothetical Case 3
Cured - No Fine
2024 - Violation remedied within cure period
Hypothetical Case 4
$50,000
2024 - Failed to cure violation within 30 days