Privacy Guide · April 22, 2026 · 8 min read

Privacy Laws in Iowa: What You Need to Know

By Sarah Chen

Head of Privacy Research

Iowa became one of the first states in the Midwest to enact comprehensive consumer privacy legislation when Governor Kim Reynolds signed the Iowa Consumer Data Protection Act on March 28, 2023. The ICDPA took effect on January 1, 2025, and while it gives Iowans important new rights over their personal data, it is also one of the most business-friendly privacy laws in the country. Here is what Iowa residents need to know, including what the law covers, what it does not, and how to protect yourself.

The Iowa Consumer Data Protection Act (ICDPA)

The ICDPA establishes a framework for consumer data rights in Iowa, but it was deliberately designed to minimize the burden on businesses. In many ways, it is similar to the Utah Consumer Privacy Act and represents the most conservative end of the state privacy law spectrum.

The law applies to businesses that conduct business in Iowa or produce products and services targeted at Iowa residents and meet at least one of the following thresholds:

  • Process the personal data of 100,000 or more Iowa consumers during a calendar year, or
  • Process the personal data of 25,000 or more Iowa consumers and derive more than 50% of gross revenue from the sale of personal data.

These thresholds are consistent with Virginia, Indiana, and several other states. Most major data brokers and people search sites meet these thresholds and are covered by the law.

Your Rights Under the ICDPA

As an Iowa resident, you have the following rights under the ICDPA:

Right to Access

You can confirm whether a business is processing your personal data and request access to the specific information it holds about you.

Right to Delete

You can request that a business delete the personal data it has collected from you or about you, subject to limited exceptions for legal obligations and transaction completion.

Right to Data Portability

You can obtain a copy of your personal data in a portable, readily usable format that allows you to transfer it to another service.

Right to Opt Out

Iowa law gives you the right to opt out of two types of data processing:

  • Sale of personal data — the exchange of your data for monetary consideration
  • Targeted advertising — ads based on personal data collected from your activities across different websites and platforms

Notable Gaps in the ICDPA

The ICDPA is missing several consumer protections found in other state privacy laws. Iowa residents should be aware of these significant limitations:

  • No right to correct personal data. Unlike Virginia, Colorado, Delaware, Indiana, and most other states, Iowa does not give you the right to fix inaccurate information that a business holds about you.
  • No right to opt out of profiling. You cannot opt out of automated decision-making that produces legal or similarly significant effects.
  • No right to appeal. If a business denies your privacy request, you have no formal right to appeal that decision under the ICDPA.

Sensitive Data: Opt-Out, Not Opt-In

Most state privacy laws require businesses to obtain your explicit opt-in consent before processing sensitive personal data such as health information, biometric data, racial or ethnic origin, religious beliefs, and precise geolocation. The ICDPA takes a different approach.

Under Iowa's law, businesses are only required to provide a mechanism for you to opt out of the processing of sensitive data. This means a company can collect and process your sensitive information by default and is only obligated to stop if you actively tell them to. This is a significantly weaker protection than the opt-in standard used in Virginia, Indiana, Colorado, and most other states.

This distinction matters. Under an opt-in regime, businesses must ask before they collect your health data or biometric scans. Under Iowa's opt-out regime, they can collect it first and only stop if you discover they are doing it and take affirmative steps to object.

The 90-Day Cure Period

The ICDPA includes a 90-day cure period, which is the longest of any state privacy law in the country. When the Iowa Attorney General identifies a potential violation, the business has a full 90 days to fix the problem before any enforcement action is taken.

For comparison:

  • Indiana: 30-day cure period
  • Virginia: Cure period eliminated in 2025
  • Colorado: 60-day cure period (expired January 2025)
  • Delaware: Cure period expired January 2026
  • Iowa: 90-day cure period with no expiration date

This extended cure period means that businesses in Iowa have three full months to correct a privacy violation after being notified, with no penalties during that window. Consumer advocates have criticized this provision as effectively giving businesses a free pass for initial violations.

Enforcement

The ICDPA is enforced exclusively by the Iowa Attorney General. There is no private right of action, so Iowa residents cannot sue businesses directly for privacy violations. The AG can pursue civil penalties of up to $7,500 per violation.

If you believe a business has violated your privacy rights under the ICDPA, your recourse is to file a complaint with the Iowa Attorney General's Consumer Protection Division. The AG's office will review your complaint and determine whether to pursue an investigation.

Exemptions

The ICDPA exempts several types of entities and data from its requirements:

  • HIPAA-covered entities and protected health information
  • Financial institutions covered by the Gramm-Leach-Bliley Act (GLBA)
  • Data regulated by the Fair Credit Reporting Act (FCRA)
  • Nonprofit organizations

As with other state laws, these exemptions apply to specific data types governed by federal law, not to all data those entities may hold.

How the ICDPA Compares to Other State Laws

The ICDPA sits at the business-friendly end of the state privacy law spectrum. Here is how it compares:

  • Utah: The ICDPA is most similar to the Utah Consumer Privacy Act, sharing the opt-out-only approach to sensitive data and the absence of a correction right.
  • Virginia and Indiana: Both provide stronger consumer protections, including the right to correct data and opt-in consent for sensitive data processing.
  • California: The CCPA and CPRA offer the broadest protections, including a private right of action for data breaches, lower business thresholds, and the centralized DELETE Act platform.
  • Colorado and Delaware: Both require recognition of Universal Opt-Out Mechanisms like Global Privacy Control. Iowa does not.

What This Means for You

The ICDPA provides a baseline level of protection, but Iowa residents have fewer tools at their disposal than consumers in most other states with privacy laws. The absence of a correction right, the opt-out-only approach to sensitive data, and the 90-day cure period all tilt the balance toward businesses rather than consumers.

How to Exercise Your ICDPA Rights

Despite its limitations, the ICDPA still gives you actionable rights. Here is how to use them:

  1. Search for yourself online. Look up your name on Google, Bing, and major people search sites like Spokeo, Whitepages, BeenVerified, TruePeopleSearch, and PeopleFinders. Document every site where your personal information appears.
  2. Submit opt-out and deletion requests. Visit each data broker's privacy or opt-out page and submit removal requests. Reference the ICDPA and note that the business is required to respond to your request.
  3. File complaints for non-compliance. If a business ignores your request, file a complaint with the Iowa Attorney General's Consumer Protection Division at iowaattorneygeneral.gov.
  4. Monitor regularly. Data brokers re-add information constantly. Check back every few months to see if your data has reappeared, and repeat the opt-out process as needed.

Let PrivacyOn Fill the Gaps

The ICDPA gives Iowa residents a starting point, but its limitations leave significant gaps in your protection. You cannot correct inaccurate data under Iowa law. You cannot opt out of profiling. And businesses have 90 days to fix violations before facing any consequences.

PrivacyOn fills those gaps by automating data removal across more than 100 data broker sites, continuously monitoring for re-listings, and re-submitting removal requests whenever your information reappears. Our service does not depend on any single state law. We work directly with data brokers to get your information removed regardless of where you live or which state regulations apply.

We also include dark web monitoring to alert you if your personal data surfaces in places that no opt-out form or state privacy law can reach. Family plans cover up to five people, so everyone in your household is protected.

Iowa's privacy law is a step in the right direction, but it was designed with businesses in mind, not consumers. PrivacyOn is designed with you in mind. Let us handle the ongoing work of keeping your personal data private while you focus on everything else.

Sarah Chen

Head of Privacy Research

CIPP/US Certified · IAPP Member · B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.

Ready to Protect Your Privacy?

Let PrivacyOn automatically remove your personal information from data broker sites and keep it removed.