Iowa Consumer Data Protection Act (CDPA)

The Iowa Consumer Data Protection Act (CDPA) was signed into law on March 28, 2023. It will take effect on January 1, 2025.

This article explains what the law aims to accomplish, who it applies to, what it requires, and offers strategies for compliance.

What is the Iowa Consumer Data Protection Act (CDPA)?

The Iowa Consumer Data Protection Act (CDPA) is a comprehensive consumer privacy regulation that's designed to protect the personal information of Iowa residents. It imposes specific requirements on certain businesses and organizations that handle personal data.

It ensures that organizations operating within the state are held accountable for protecting the data privacy of its residents by increasing transparency requirements, granting rights to consumers, and holding businesses accountable for violations of the law.

Who Does the Iowa Consumer Data Protection Act (CDPA) Apply to?

The Iowa Consumer Data Protection Act (CDPA) applies to data controllers and processors that either:

• Conduct business in Iowa, or
• Produce services or products targeted to Iowa residents

AND, during a calendar year, satisfy at least one of the following criteria:

• Control or process the personal data of no less than 100,000 Iowa residents, or
• Control or process no fewer than 25,000 Iowa residents' personal data, and derive more than 50% of their total revenue from the sale of personal data

A data controller is an entity or person who specifies the purpose and means of processing personal data.

A data processor is an entity or person that processes personal data on behalf of a controller.

Who is Exempt From the Iowa Consumer Data Protection Act (CDPA)?

The Iowa Consumer Data Protection Act (CDPA) does not apply to the following:

• Government entities
• Financial institutions and their affiliates, and entities subject to the Gramm-Leach-Bliley Act
• Entities subject to and compliant with the Health Information Technology for Economic and Clinical Health (HITECH) Act and/or HIPAA
• Nonprofit organizations
• Higher education institutions

What Personal Data is Exempt From the Iowa Consumer Data Protection Act (CDPA)?

The following types of personal data are exempt from the Iowa privacy law, as existing federal laws already cover them:

• Health records
• Research data about human subjects covered by federal law or other standards
• Data processed or maintained for employment purposes
• Exempted Entities

What are the Impacts of the Iowa Consumer Data Protection Act (CDPA)?

The Iowa CDPA has impacts on both businesses and consumers. Businesses will have obligations to meet and compliance requirements, while consumers are granted rights under this law.

How are Businesses Impacted by the Iowa Consumer Data Protection Act (CDPA)?

Businesses that fall under the scope of the Iowa CDPA are impacted in that they must do a number of things to ensure they are complying with the law. Otherwise, they will be found to be in violation of the CDPA.

We outline what businesses need to do to comply with the CDPA later in this article.

How are Consumers Impacted by the Iowa Consumer Data Protection Act (CDPA)?

Consumers are impacted by the Iowa CDPA in that they receive a number of rights that they will be able to hold businesses accountable for granting.

What Consumer Rights are Granted by the Iowa Consumer Data Protection Act (CDPA)?

The Iowa CDPA aims to protect consumers' rights by providing them with control over their personal data. The law grants these main rights to Iowa residents, referred to as "consumers."

• Right to access: Consumers have the right to see and confirm if a controller is processing their personal data.
• Right to delete: Consumers can request the deletion of personal data they provided to the controller.
• Right to data portability: Consumers can obtain a copy of their personal data provided to the controller, except when subject to security breach protection or when the data is already in a portable and readily usable format.
• Right to opt out of the sale of personal data: Consumers can opt out of the sale of personal data. The law defines "sale" in a specific manner and states that opt-out rights do not apply to pseudonymous data, which is personal data that cannot be attached to a specific person without additional information.

The CDPA doesn't explicitly give consumers the right to opt out of having their personal data used for targeted advertising. However, it does require businesses to clearly and conspicuously disclose the use of personal data for targeted advertising and give consumers a means of opting out, so in effect they are given this right.

How Do I Comply with the Iowa Consumer Data Protection Act (CDPA)

Under the Iowa Consumer Data Protection Act (CDPA), businesses or "controllers" must adhere to specific obligations related to the processing of personal data. These obligations include the following.

Limit Data Processing

Controllers can only process personal data that is reasonably required and proportional to the purposes listed in the Iowa Consumer Data Protection Act (CDPA), ensuring the data is relevant, adequate, and limited to what is necessary for the specified purposes.

For example, University 365 lets users know in its Privacy Policy that it's obligated by law to only collect limited data that's necessary for specified purposes:

Disclose User Rights and Honor Rights Requests

Disclose what rights users have in your Privacy Policy, like so:

Let users know how to exercise their rights.

After users do make rights requests, you must respond within 90 days.

If you need an extra 45 days to respond, you can do this if doing so is “reasonably necessary upon considering the complexity and number of the consumer’s requests.”

If you do take an extra 45 days, you must notify the consumer of this sometime during the first 90 day response window.

Consumers can exercise their rights to receive requested information for free up to twice per year unless a request is proven to be “manifestly unfounded, excessive, repetitive, or technically unfeasible."

Implement Data Security Practices

Controllers must implement reasonable technical, administrative, and physical data security practices to guard the integrity, confidentiality, and availability of personal data on the basis of the nature and volume of the data.

Notice that Amazon details the security measures it implements to protect its users personal data within its Privacy Policy as seen below:

Allow Consumers to Opt Out of Data Processing

The Iowa CDPA has an opt-out method of consent. This means that consent is not required, but that consumers must be given a way to opt out of some things such as their data being used for tailored advertising, and being sold to third parties.

Make sure you have something in place to allow consumers to exercise their opt-out right, like this page with detailed and helpful information:

Don't Discriminate Against Consumers Who Exercise Rights

Controllers are forbidden from processing personal data in breach of state and federal laws that prohibit unlawful discrimination against consumers and cannot make a distinction against consumers for exercising their rights under the privacy law.

Apple has a clause in its Privacy Policy addressing compliance with regulations prohibiting unlawful discrimination against consumers. In the "Your Rights" section of Apple's Privacy Policy, the company writes the following:

"... if you choose to exercise these privacy rights, you have the right not to be treated in a discriminatory way nor to receive a lesser degree of service from Apple."

Be Transparent by Having a Privacy Policy

Controllers must provide a clear and meaningful Privacy Policy that includes:

• The categories of personal data processed
• The reason why personal data is processed
• How to utilize your rights as a consumer and challenge a controller's judgment
• The types of personal data that may have been disclosed to other parties
• The kinds of third parties, if any, with whom personal data is shared

Include this information in clauses, similar to this one:

Make sure the information is well-organized and easy to read. Consider formatting styles like charts to help with readability. Here's an example of this:

Have Data Processing Contracts in Place

Controllers must have contracts with their processors outlining the details of processing personal data, including the rights and duties of both parties and processes for retention, deletion, access, and subcontractor accountability.

Make sure the contract includes details on the following:

• The data processors must have a duty of confidentiality for the data shared with them to process.
• The data controller has the right to request that the data processer either delete all personal data or return it to the data controller, unless the data is required to be retained by law.
• The data controller can make a resonable request at any time for the data processor to make all information available to the controller to help the controller comply with the CDPA.
• Any subcontractors must also be under agreements outlining the above 3 points.

You can state in your Privacy Policy that you contract with third parties regarding the use of personal data, like so:

Keep Your Privacy Policy Up to Date

Always keep your Privacy Policy up to date to reflect any changes in the ways you process personal data. Make customers aware of any new rights they have, and how they may use those rights.

You can include a clause in your Privacy Policy that lets users know you may update the Privacy Policy from time to time, and how that will be handled, as seen here:

Here's how users can be made aware of new rights:

You can also let users know about actual updates and material changes in a notice like the following:

Learn more about this process in our article: Best Practices for Material Updates to Your Privacy Policy

How Will the Iowa Consumer Data Protection Act (CDPA) be Enforced?

The Iowa Consumer Data Protection Act (CDPA) lacks a private right of action, granting exclusive enforcement power to the attorney general. Here's a breakdown of how the enforcement process works:

• Civil Investigative Demands: The attorney general enforces the act using civil investigative demands, which are legal requests for information or documents from a party alleged to have violated the law.
• Written Notice: Before taking any further action, the attorney general must send a written notice to the violating party detailing the specific violations.
• 90-Day Cure Period: The violating party has 90 days to remedy the listed violations, after which they must notify the attorney general of the cure and provide a statement affirming that no further violations will occur.
• Civil Proceedings: If the controller or processor fails to cure the violations within the allotted time or continues to violate the law after submitting their statement, the attorney general can begin civil proceedings against them.
• Fines: Controllers or processors found to be in violation of the Iowa privacy law are subject to a fine of USD 7,500 per violation. These fines are paid into the consumer education and litigation fund, which supports consumer protection initiatives.

Checklist for Compliance With the Iowa Consumer Data Protection Act (CDPA)

To ensure compliance with the Iowa Consumer Data Protection Act (CDPA), follow this checklist:

• Determine if the Iowa Consumer Data Protection Act (CDPA) applies to your company. Confirm whether your entity meets the jurisdictional threshold, which specifically does not include a minimum revenue threshold.
• Update your Privacy Policy. Revise your policy to reflect personal data processing activities, communicate new consumer rights, and identify mechanisms for consumers to exercise those rights.
• Implement reasonable security practices. Assess your cybersecurity practices and controls to ensure they align with industry-recognized standards.
• Enable consumers to opt out of the sale of personal data and other uses of their data. Create a system that complies with consumer requests to not have their personal information sold, etc. Note that the Iowa Consumer Data Protection Act (CDPA) defines sale as the exchange of money and excludes the disclosure of personal data to processors or third parties for providing requested products or services.
• Provide notice for collecting sensitive data and provide opt-out mechanisms. If your business processes non-exempt sensitive data from consumers, provide clear notice and an opportunity to opt out.
• Respond to inquiries for consumer rights as soon as possible. Create systems for accepting, monitoring, validating, and granting requests for consumer rights, such as those granted by the Iowa Consumer Data Protection Act (CDPA), which includes the right to access, portability, erasure, and opt-out.
• Implement a training program. Ensure employees responsible for handling consumer rights requests are trained to understand and manage those requests in a timely and compliant manner. If employees handle consumer inquiries under other U.S. state privacy laws, train them to understand the nuances of each.

Summary

While the Iowa Consumer Data Protection Act (CDPA) offers many of the same protections as other comprehensive state privacy laws, it is less prescriptive concerning business compliance.

This more flexible approach sets a new precedent for states that have been unable to pass their own privacy laws in recent years because of concerns about business impact and costs.

As a result, businesses can benefit from this balanced approach that carefully considers both privacy rights and operational considerations.

We hope the compliance steps and checklist above help you navigate preparing for this law to take effect in 2025.