Code/Regulations
Effective Date: January 1, 2025
Details
Threshold
Entities conducting business in Iowa or producing products or services targeted to Iowa residents that also do at least one of the following during a calendar year:
(1) Control or process personal data of at least 100,000 Iowa residents; or
(2) Control or process personal data of at least 25,000 Iowa residents and derive over 50 percent of gross revenue from the sale of personal data.
Definition of "Personal Data"
Information that is linked or reasonably linkable to an identified or identifiable natural person. Does not include de-identified or aggregate data or publicly available information. Personal data does not include data from people acting in an employment or commercial context.
Definition of "Sensitive Data"
As with all state general privacy laws, includes the following Personal Data:
- Race or ethnic origin;
- Religious beliefs;
- Citizenship or immigration status;
- Genetic data;
- Biometric data;
- Physical or mental health diagnosis; and
- Sexual orientation.
In addition, Iowa’s definition also includes:
- Precise geolocation data; and
- Personal data collected from a known child.
Definition of "Sale"
Exchange of personal data for monetary consideration by the controller to a third party.
Data-Protection Assessments
No
Opt-In Consent Required for Processing Sensitive Data
No; notice and opt-out
Consumer Rights to Confirm Processing, Request Access, Correction, Deletion & Portability
Yes, except no right to correct inaccuracies
Consumer Right to Opt Out of Sale
Yes
Consumer Right to Opt Out of Targeted Ads
Yes
Consumer Right to Opt Out of Profiling
No
Pseudonymous Data Exempt from Consumer Requests
Yes
Appeal Rights
Yes
Universal Opt-Out Mechanism Required Recognition/Date
None
Data of Minors
Process personal data of a known child in accordance with COPPA
GLBA Exemption
Yes (both entity-level and data-level)
HIPAA Exemption
Yes (entity-level)
Applies/Does Not Apply to Personal Information in a Commercial or Employment Context
Does not apply to commercial or employment context; applies in an individual or household context
Nonprofit Exemption
Yes
Private Right of Action
No
Cure Period
90 Days
Cure Period Expiration
None
Enforcement Authority/Damages
Attorney General/not to exceed $7,500 per violation
Disclaimer: States may periodically amend their laws and regulations and such amendments may affect or modify certain legal requirements or compliance obligations. There is no guarantee that this research is up to date as laws and regulations in the state consumer data privacy space continue to evolve. You should consult an attorney to assess the applicability of any existing, new, or proposed state consumer data privacy laws. By accessing this site, you acknowledge your understanding that the underlying content is not a replacement for legal counsel and does not constitute legal advice.