Iowa just became the sixth state to adopt a comprehensive consumer data privacy law. In this article, we go over what your business needs to know and do to comply with ICDPA. We also share how Ethyca can make this process easier for you.
2023 is shaping up to be the year of new state privacy laws in the U.S.!
Five regulations are going into effect this year, and more are on their way through state legislatures.
Iowa recently became the sixth state to sign a comprehensive consumer data protection law. The House and Senate passed SF 262 on March 15, 2023, and Governor Kim Reynolds signed the bill on March 28, 2023.
The Iowa Consumer Data Protection Act (ICDPA) will go into effect on January 1, 2025, giving businesses a year and a half to start preparing for compliance.
Revamping your company’s privacy operations for California’s CPRA, Virginia’s CDPA, Colorado’s CPA, Connecticut’s CTDPA, and Utah’s UCPA will give you a great head start on preparing for Iowa’s privacy law. But ICDPA has its own set of requirements, and its own exemptions, that businesses need to be aware of.
Let’s dive into the details of how your business can comply with Iowa’s privacy law, and how Ethyca can help.
Iowa’s privacy law applies to entities (“controllers”) that conduct business in Iowa or provide goods or services targeted to Iowa consumers. Additionally, these entities must either:
Unlike California and Utah, Iowa’s privacy law does not use a revenue threshold to determine which businesses are subject to the law. Check whether or not your business meets the criteria above to see if it falls under Iowa’s jurisdiction.
If your business is subject to Iowa’s privacy law, you’ll need to know what rights Iowan consumers have, what consent requirements you must enable, and what the consequences are for violations.
Like all the other state privacy laws, Iowans can exercise a set of consumer rights including:
Like in Utah, the right to correction and private right of action are absent from Iowa’s privacy law. Businesses also have 90 days to respond to consumer requests, which is longer than in other states. These exemptions are why Iowa’s privacy law is perceived to be more “business-friendly” than others.
Iowa has specific opt-in and opt-out requirements for certain kinds of data.
In terms of opt-out rights, consumers have the right to opt out of the sale of personal data. ICDPA strictly defines “sale” as “the exchange of personal data for monetary consideration by the controller to a third-party.” This contrasts with other state privacy laws like Colorado’s, which expands sales to include “other valuable consideration by a controller to a third party.”
It is unclear whether consumers are allowed to opt out of targeted advertising as the law does not explicitly say so. The right to opt out of profiling also isn’t addressed, unlike in other state privacy laws like California, Virginia, Colorado, and Connecticut. Additionally, ICDPA does not require businesses to recognize universal opt-out mechanisms to process users’ consent preferences.
In terms of opt-in rights, Iowa consumers have the right to opt in to the processing of “sensitive” data, which includes:
Although ICDPA is considered to favor business interests more, giving Iowans the choice to opt in to the processing of sensitive personal information (SPI) is a notable protection for consumers.
Iowa’s Attorney General has sole authority to enforce ICDPA. If a violation is found, controllers and processors have a 90-day cure period to correct it. This cure period is longer than those in other state privacy laws, reinforcing ICDPA’s “business-friendly” reputation.
Continued violations will result in a civil investigation. The Iowa Attorney General may order a civil penalty of up to $7,500 per violation.
Along with fulfilling Iowans’ consumer rights, data controllers must follow a specific set of obligations under ICDPA. In this section, we’ll go over what they are and how your business can comply.
Like with other state privacy laws, businesses operating in Iowa are required to provide privacy notices on their websites that inform consumers about:
Note: although this last point alludes to the ability to opt out of targeted advertising, it is not specified under Section 3 of the law, which describes consumer data rights.
Work with legal advisors to create your business’ privacy notice including all of the information above. Be sure to have it clearly accessible on your website by January 1, 2025.
Iowa’s privacy law also includes specific guidelines for data processors, meaning any entity that “processes personal data on behalf of a controller.”
One of these requirements is entering a data processing contract between the controller and processor. The contract must include:
If your business works with third parties or subcontractors that process data on your behalf, be sure to put a data processing contract in place with each of your vendors.
Having to fulfill privacy obligations for various U.S. and international privacy laws can feel like a compliance nightmare. That’s why Ethyca built the Fides privacy intelligence platform to make privacy compliance with all regulations fast and easy.
Learn more about how Fides’ privacy intelligence platform can help your business seamlessly manage and automate privacy compliance.
Using the Fides privacy intelligence platform, businesses will be able to fulfill consumers’ requests to know, access, and delete their data (also called data subject requests or DSRs) in an automated way.
Users can access a Privacy Center on your website to easily submit their requests. You’ll also be able to verify users’ identities via SMS or email. After requests have been submitted, you can approve or deny them in an easy-to-use Admin UI.
Once the request is approved, users will receive an email containing a link to the data they requested in a machine-readable format or a confirmation that all of their data has been erased.
Fides will also maintain a log of all of the requests your business has processed. That way, you can prove your privacy practices are compliant with regulators.
Fides’ consent management capabilities enable your business to meet the various opt-in or opt-out requirements found in each state’s privacy law.
With Fides, you can set multiple opt-out links on your website footer, customize a Privacy Center for consent intake, and set single or multiple opt-in or opt-out consent preferences depending on where your consumers reside.
Like with DSRs, users will be able to submit their consent preferences via the same Privacy Center on your website. With the same Admin UI, you’ll also be able to easily process and record users’ consent preferences as proof of compliance.
DSR fulfillment and consent management may sound like all you need to run an efficient privacy program. But neither is possible without knowing where your data lives, which is where Fides’ real-time data visualization capabilities come in.
Fides has the power to connect with all of your business’ internal and third-party databases and systems. After everything’s connected, Fides will produce a real-time data map of where the data resides and flows throughout your organization.
Unlike spreadsheets that immediately go out of date, Fides’ live data inventory will let you stay up-to-date with where your data is at all times, giving you the most accurate picture of your organization’s data flows.
In fact, connecting to all of your systems is how Fides can automate data subject requests and consent management for your business. Using Fides will help you integrate privacy across your entire business. That’s the true power of privacy intelligence.
Although the sixth U.S. state privacy law was only just signed, businesses still need to look ahead and prepare for new and emerging regulations. Thankfully, you don’t have to do it alone. Ethyca is here to help you fulfill your business’ privacy obligations every step of the way. If you have any questions about upcoming or current privacy laws, schedule a free 15-minute call with one of our privacy advisors right now.