Privacy laws · Iowa

Iowa Consumer Data Protection Act.

Business-friendly law similar to Utah. No data minimization requirement. 90-day cure period is the longest among state laws.

/ Diagnostic check ClearConsent scans your storefront for signals related to this law — consent banner state, GPC support, Do Not Sell links, privacy policy disclosures, cookies, and trackers.

/ Effective

2025-01-01

Effective date

When the law took effect or will take effect.

/ Consumers

100,000

Consumer threshold

The number of Iowa residents whose data triggers compliance.

/ Revenue

None

Revenue threshold

Annual revenue trigger for compliance, if applicable.

01 / Key requirements

What the law requires.

01Privacy notice
02Right to access and delete personal data
03Right to data portability
04Right to opt-out of sale and targeted advertising
05No data minimization requirement
06Consent for sensitive data
07Processor contracts required

02 / Enforcement

Penalties & cure period.

Penalties

Up to $7,500 per violation.

Cure period

90-day cure period (permanent)

Enforcement agency

Attorney General

03 / E-commerce

What this means for
your store.

Most business-friendly: no data minimization, no right to correct, longest cure period. Standard thresholds.

Scan your store for ICDPA privacy gaps →

Run the diagnostic

Iowa Consumer Data Protection Act.

What the law requires.

Penalties & cure period.

What this means foryour store.

What this means for
your store.