Iowa Consumer Data Protection Act (ICDPA)
View Law TextNeed Help with Iowa Consumer Data Protection Act (ICDPA) Compliance?
Get expert guidance on implementing Iowa's privacy requirements and ensuring ongoing compliance for your organization.
Get Expert HelpOverview
The Iowa Consumer Data Protection Act establishes comprehensive privacy rights for Iowa residents and obligations for businesses processing personal data.
Key Facts
- Expected to be enacted in 2024
- Enforced by Iowa Attorney General
- Includes consumer rights and business obligations
Key Principles
Consumer Rights
Rights granted to Iowa consumers regarding their personal data.
Requirements
- Right to confirm processing
- Right to delete
- Right to data portability
- Right to opt-out of sales
- Right to opt-out of targeted advertising
Examples
- Confirmation procedures
- Deletion mechanisms
- Data portability tools
- Opt-out systems
Transparency
Clear disclosure of data processing activities to consumers.
Requirements
- Privacy notice requirements
- Processing disclosures
- Categories of data
- Sharing practices
- Consumer rights information
Examples
- Privacy policies
- Rights notifications
- Processing disclosures
- Data sharing notices
Data Security
Implementation of reasonable security procedures.
Requirements
- Security assessments
- Technical safeguards
- Administrative measures
- Staff training
- Incident response
Examples
- Security policies
- Training programs
- Incident plans
- Assessment reports
Compliance Requirements
Consumer Request Handling
Procedures for handling and responding to consumer rights requests.
Implementation Steps
- Establish request procedures
- Implement verification methods
- Set response timelines
- Train staff
- Document responses
Required Documentation
- Request procedures
- Verification methods
- Response templates
- Training materials
- Request logs
Opt-Out Implementation
Implementation of mechanisms for sales and targeted advertising opt-outs.
Implementation Steps
- Develop opt-out systems
- Create user interface
- Process opt-outs promptly
- Maintain records
- Regular testing
Required Documentation
- Opt-out procedures
- Technical specifications
- Processing records
- Testing logs
- Maintenance records
Privacy Notice Requirements
Development and maintenance of compliant privacy notices.
Implementation Steps
- Create privacy notice
- Include required elements
- Make easily accessible
- Update regularly
- Document changes
Required Documentation
- Privacy notice
- Update history
- Distribution records
- Review logs
- Change documentation
Enforcement & Penalties
Attorney General Enforcement
The Iowa Attorney General has exclusive authority to enforce the ICDPA.
Penalty Categories
Example Cases
Cure Period
Organizations have 30 days to cure violations after notification.