How Your Business Can Prepare For Iowa’s Consumer Data Protection Act (ICDPA)

Introduction

2023 is shaping up to be the year of new state privacy laws in the U.S.! 

Five regulations are going into effect this year, and more are on their way through state legislatures. 

Iowa recently became the sixth state to sign a comprehensive consumer data protection law. The House and Senate passed SF 262 on March 15, 2023, and Governor Kim Reynolds signed the bill on March 28, 2023.

The Iowa Consumer Data Protection Act (ICDPA) will go into effect on January 1, 2025, giving businesses a year and a half to start preparing for compliance. 

Revamping your company’s privacy operations for California’s CPRA, Virginia’s CDPA, Colorado’s CPA, Connecticut’s CTDPA, and Utah’s UCPA will give you a great head start preparing for Iowa’s privacy law. But, ICDPA has its own set of requirements businesses need to (or don’t need to) follow.

Let’s dive into the details of how your business can comply with Iowa’s privacy law, and how Ethyca can help.

Does Iowa’s Privacy Law Apply to My Business?

Iowa’s privacy law applies to entities (“controllers”) that conduct business in Iowa or provide goods or services targeted to Iowa consumers. Additionally, these entities must either:

1. Control or process the personal data of at least 100,000 consumers, or
2. Control or process the data of at least 25,000 consumers and earn over 50% of gross revenue from the sale of personal data.

Unlike California and Utah, Iowa’s privacy law does not use a revenue threshold to determine which businesses are subject to the law. Check whether or not your business meets the criteria above to see if it falls under Iowa’s jurisdiction.

What Your Business Needs to Know About Iowa’s Privacy Law

If your business is subject to Iowa’s privacy law, you’ll need to know what rights Iowan consumers have, what consent requirements you must enable, and what the consequences are for violations. 

Consumer Rights

Like all the other state privacy laws, Iowans can exercise a set of consumer rights including:

• Right to access
• Right to deletion
• Right to appeal
• Right to portability 
• Right to non-discriminatory behavior

Like in Utah, the right to correction and private right of action are absent from Iowa’s privacy law. Businesses also have 90 days to respond to consumer requests, which is longer than in other states. These exemptions are why Iowa’s privacy law is perceived to be more “business-friendly” than others.

Consent Requirements 

Iowa has specific opt-in and opt-out requirements for certain kinds of data. 

In terms of opt-out rights, consumers have the right to opt out of the sale of personal data. ICDPA strictly defines “sale” as “the exchange of personal data for monetary consideration by the controller to a third-party.” This contrasts with other state privacy laws like Colorado’s, which expands sales to include “other valuable consideration by a controller to a third party.”

It is unclear whether consumers are allowed to opt out of targeted advertising as the law does not explicitly say so. The right to opt out of profiling also isn’t addressed, unlike in other state privacy laws like California, Virginia, Colorado, and Connecticut. Additionally, ICDPA does not require businesses to recognize universal opt-out mechanisms to process users’ consent preferences. 

In terms of opt-in rights, Iowa consumers have the right to opt in of the processing of “sensitive” data, which includes:

• Racial or ethnic data.
• Religious beliefs.
• Mental or physical health.
• Sexual orientation.
• Citizenship or immigration status.
• Genetic or biometric data that uniquely identifies a person.
• Personal data of a known child (under 13 years old).
• Precise geolocation data. 

Although ICDPA is considered to favor business interests more, giving Iowans the choice to opt into the processing of SPI is a notable protection for consumers. 

Violations and Enforcement

Iowa’s Attorney General has the sole authority of enforcing ICDPA. If a violation is found, controllers and processors have a 90-day cure period to correct it. This cure period is longer than other state privacy laws’, reinforcing ICDPA’s “business-friendly” reputation. 

Continuous violations will result in a civil investigation. The Iowa Attorney General may order a civil penalty of up to $7,500 per violation.

What Your Business Needs to Do To Comply with Iowa’s Privacy Law

Along with fulfilling Iowans’ consumer rights, data controllers must follow a specific set of obligations under ICDPA. In this section, we’ll go over what they are and how your business can comply. 

Privacy Notices

Like with other state privacy laws, businesses operating in Iowa are required to provide privacy notices on their websites that inform consumers about:

• The categories of personal data processed.
• The purpose of processing the categories of personal data.
• How consumers can exercise their consumer rights.
• Categories of personal data shared with third-parties.
• Categories of third-parties the controller shares personal data with.
• If the entity participates in the selling of personal data or targeted advertising, and how the consumer can opt out.

Note: although this last point alludes to the ability to opt out of targeted advertising, it is not specified under Section 3 of the law, which describes consumer data rights.

Work with legal advisors to create your business’ privacy notice including all of the information above. Be sure to have it clearly accessible on your website by January 1, 2025.

Data Processing Contracts 

Iowa’s privacy law also includes specific guidelines for data processors, or an entity that “processes personal data on behalf of a controller.” 

One of these requirements is entering a data processing contract between the controller and processor. The contract must include:

• The duties and responsibilities of the controller and processor.
• Steps for processing personal data.
• Why the personal data is processed.
• The type of data subjects.
• The duration of processing.

If your business works with third-parties or subcontractors that process data on your behalf, be sure to work out a data processing contract with each of your vendors

How Ethyca Can Help Your Business Comply with Iowa’s Privacy Law

Having to fulfill privacy obligations for various U.S. and international privacy laws can feel like a compliance nightmare. That’s why Ethyca built the Fides privacy intelligence platform to make privacy compliance with all regulations fast and easy.

Learn more about how Fides’s privacy intelligence platform can help your business seamlessly manage and automate privacy compliance.

Consumer Rights Fulfillment and Automation

Using the Fides privacy intelligence platform, businesses will be able to fulfill consumers’ requests to know, access, and delete their data (also called data subject requests or DSRs) in an automated way.

Users can access a Privacy Center on your website to easily submit their requests. You’ll also be able to verify users’ identities via SMS or email. After requests have been submitted, you can approve or deny them in an easy-to-use Admin UI.

Once the request is approved, users will receive an email containing a link to the data they requested in a machine-readable format or a confirmation that all of their data has been erased. 

Fides will also maintain a log of all of the requests your business has processed. That way, you can prove your privacy practices are compliant with regulators.

Easy Consent Management 

Fides’ consent management capabilities enable your business to meet the various opt-in or opt-out requirements found in each state’s privacy law. 

With Fides, you can set multiple opt-out links on your website footer, customize a Privacy Center for consent intake, and set single or multiple opt-in or opt-out consent preferences depending on where your consumers reside.

Like with DSRs, users will be able to submit their consent preferences via the same Privacy Center on your website. With the same Admin UI, you’ll also be able to easily process and record users’ consent preferences as proof of compliance. 

Real-time Data Visualization 

DSR fulfillment and consent management may sound like all you need to do to run an efficient privacy program. But, it’d be impossible to do any of these things without Fides’ real-time data visualization capabilities. 

Fides has the power to connect with all of your business’ internal and third-party databases and systems. After everything’s connected, Fides will produce a real-time data map of where the data resides and flows throughout your organization.

Unlike spreadsheets that immediately go out of date, Fides’ live data inventory will let you stay up-to-date with where your data is at all times, giving you the most accurate picture of your organization’s data flows. 

In fact, connecting to all of your systems is how Fides can automate data subject requests and consent management for your business. Using Fides will help you integrate privacy across your entire business. That’s the true power of privacy intelligence.

Conclusion

Although the sixth U.S. state privacy law just got signed, businesses still need to look ahead and prepare for new and emerging regulations Thankfully, you don’t have to do it alone. Ethyca is here to help you fulfill your business’ privacy obligations every step of the way. If you have any questions about upcoming or current privacy laws, schedule a free 15-minute call with one of our privacy advisors right now.