← Back to Blog

Iowa Consumer Data Protection Act: What You Need to Know

Iowa's privacy law is one of the most business-friendly state privacy laws. Here's how it compares and what it requires.

2026-03-02

The Iowa Consumer Data Protection Act (ICDPA) took effect on January 1, 2025. It's considered one of the most business-friendly state privacy laws because it has fewer consumer rights, narrower scope, and a permanent cure period.

Who Does Iowa's Law Apply To?

The ICDPA applies to businesses that conduct business in Iowa or target Iowa residents and meet either threshold:

  • Control or process personal data of at least 100,000 Iowa consumers per year, OR
  • Control or process personal data of at least 25,000 Iowa consumers and derive more than 50% of gross revenue from selling personal data

Government entities, nonprofits, HIPAA-covered entities, and financial institutions under GLBA are exempt.

Consumer Rights — More Limited Than Other States

Iowa provides fewer consumer rights than most state privacy laws:

  • Access their personal data
  • Delete their personal data
  • Data portability — obtain a copy
  • Opt out of sale and targeted advertising

Notably missing: There is no right to correct inaccurate data and no right to opt out of profiling. Iowa also does not require businesses to honor universal opt-out signals like GPC.

Response deadline: 90 days (longer than most states' 45-day window).

Key Requirements

Privacy Notice

Standard disclosures: categories of data, purposes, third-party sharing, consumer rights, and whether you sell data or use targeted advertising.

Sensitive Data

Opt-in consent required before processing sensitive data, including racial/ethnic origin, religious beliefs, health data, sexual orientation, biometric/genetic data, children's data, and precise geolocation.

No Data Protection Assessments

Unlike most other state privacy laws, Iowa does not require data protection assessments. This reduces compliance burden significantly.

Enforcement

Enforced by the Iowa Attorney General. No private right of action. Iowa has a permanent 90-day cure period — the most generous of any state. If you receive a notice, you have 90 days to fix the violation before enforcement action.

Iowa Compliance Checklist

  • Privacy policy with required disclosures
  • Cookie consent banner with opt-out for sale and targeted advertising
  • Consumer request process — 90-day response window
  • Sensitive data consent — opt-in
  • No DPA required (but still recommended as best practice)

How Iowa Compares

| Feature | Iowa | Virginia | California |

|---|---|---|---|

| Cure period | 90 days (permanent) | Expired | None |

| Right to correct | No | Yes | Yes |

| GPC required | No | No | Yes |

| DPAs required | No | Yes | Yes |

| Response deadline | 90 days | 45 days | 45 days |

Iowa's law is the easiest to comply with, but if you're already compliant with stricter states like California or Virginia, you're automatically covered for Iowa.

Check Your Compliance

ClearConsent scans your site against all 19 US state privacy laws including Iowa's ICDPA.

Scan your site free — no signup required.

Ready to check your site's compliance?

ClearConsent scans your website against 21 privacy laws in under 60 seconds.

Scan Your Site Free