Iowa is the Sixth State to Adopt Comprehensive Data Privacy Law

Iowa has become the sixth state in the country to enact a comprehensive consumer privacy law, joining California, Virginia, Colorado, Connecticut, and Utah. The “Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions Act” (the “Iowa Act”) will apply to businesses producing products or providing services that are targeted to Iowa residents and that either (a) control or process personal data of at least 100,000 Iowa consumers during a calendar year; or (b) control or process personal data of at least 25,000 Iowa consumers and derive more than 50% of their annual gross revenue from the sale of personal data. A “consumer” is defined as a resident of the state acting only in an individual or household context; the definition excludes a natural person acting in a commercial or employment context. The Iowa Act does not apply to non-profit organizations. The new law will go into effect on January 1, 2025.

The Iowa Act adopts definitions of “controller” and “processor” that are virtually identical to those in the Virginia, Colorado, Connecticut and Utah laws. Controllers determine the purposes for and means by which personal data is processed, and processors process personal data on behalf of controllers.

Highlighted Provisions

Similar to other state privacy laws, the Iowa Act gives consumers the following rights:

    • To confirm whether a controller is processing their personal data and to access the data;
    • To delete data provided by the consumer to the controller;
    • To obtain a copy of personal data they provided to the controller; and
    • To opt out of the “sale” of their personal data.

Notably, the Iowa Act does not: (1) give consumers a right to correct inaccuracies in their personal data; (2) include any requirement for controllers to conduct data protection assessments; or (3) hamper controllers with obligations to limit data collection to what is reasonably necessary.

The Iowa Act mandates the following duties to controllers and processors:

    • Provide reasonably accessible and clear notice to consumers that includes: (1) what categories of personal data will be processed, (2) the purpose for processing personal data, (3) how consumers may exercise their rights, (4) the categories of personal data the controller shares with third parties, and (5) the categories of third parties with whom the controller shares personal data;
    • Respond to consumer requests within 90 days (the longest of any state law), with a 45-day extension available provided notice of the extension is given within the initial period; and
    • Provide consumers notice after “sensitive data” is collected and the opportunity for consumers to opt out of any processing of such data.


The Iowa Act will be enforced exclusively by the State Attorney General and does not provide consumers a private right of action. Iowa provides controllers and processors a permanent 90-day cure period to fix alleged violations before the Attorney General can commence an enforcement action, and damages are limited to civil penalties of up to $7,500 per violation.

If you have questions about the Iowa Act or other state privacy law compliance, contact an attorney in our Privacy, Data Protection, and Cybersecurity practice group.