Understanding the Iowa Consumer Data Protection Act (ICDPA)
The Iowa Consumer Data Protection Act, or ICDPA, is privacy legislation enacted to give Iowa citizens and residents more control over their personal information. Signed on March 28, 2023, the law takes full effect on January 1, 2025. In essence, it protects consumers’ data and sets rules for how businesses collect, use, and store personal information.
Who Does the ICDPA Apply To?
The Iowa Consumer Data Protection Act applies to businesses operating in Iowa or handling the personal data of Iowa residents. Specifically, the law applies to businesses that meet the following criteria:
- Control or process the personal data of at least 100,000 Iowa consumers annually, OR
- Control or process the personal data of at least 25,000 Iowa consumers and derive 50% or more of their revenue from the sale of personal data.
These thresholds are similar to those in other state privacy laws, such as Virginia’s and Colorado’s. Small businesses and organizations that do not meet them are largely exempt.
Effect on Businesses
The Iowa Consumer Data Protection Act (ICDPA) imposes new obligations on businesses that handle personal data. The ICDPA distinguishes between two roles:
- Controllers: Businesses that determine how and why personal data is processed.
- Processors: Entities that process data on behalf of controllers based on instructions provided.
If your business handles substantial amounts of consumer data, particularly for targeted advertising or selling data, the ICDPA likely applies to you.
Key Duties of Data Controllers
Under the ICDPA, controllers—businesses that manage personal data—must comply with several important responsibilities:
Implement Data Security Measures
Controllers are required to establish reasonable security measures to protect personal data. These measures should be appropriate to the volume and sensitivity of the data being processed. In practice, this means businesses must adopt best practices such as encryption, access controls, and secure storage methods to reduce the risk of data breaches.
Handling Sensitive and Children’s Data
The ICDPA places restrictions on processing sensitive data, which includes:
- Racial or ethnic origin
- Religious beliefs
- Genetic or biometric data
- Health information
- Data of children under 13
Controllers must inform consumers if they process sensitive data and provide an opt-out mechanism to allow consumers to decline. For children’s data, businesses must comply with the federal Children’s Online Privacy Protection Act (COPPA), which requires obtaining parental consent for data collection.
Non-Discrimination
Businesses cannot discriminate against consumers for exercising their rights under the ICDPA. This includes:
- Denying services
- Charging higher prices
- Offering lower quality of service
Provide Clear Privacy Notices
Controllers must publish a clear and accessible privacy notice that includes:
- The types of personal data being collected.
- The purpose of data collection.
- How consumers can exercise their rights.
- The categories of third parties with whom data is shared.
The privacy notice must be easy to understand, ensuring consumers are fully informed about how their data is being used.
Allow Consumers to Opt Out
If a business sells personal data or uses it for targeted advertising, it must:
- Clearly disclose this activity to consumers.
- Provide a simple mechanism for consumers to opt out of data sales or targeted ads.
Controllers must respect opt-out requests promptly to comply with the law.
Key Duties of Data Processors
Processors—businesses that handle personal data on behalf of controllers—also have specific responsibilities under the ICDPA. These include:
Assist Controllers
Processors must assist controllers in complying with their obligations, particularly when responding to consumer requests to access, correct, or delete personal data.
Follow Contractual Agreements
Processors must operate under a contract that clearly outlines:
- The purpose and duration of data processing.
- Instructions for handling the data.
- Confidentiality requirements.
- Obligations to delete or return personal data when the contract ends.
Subcontractor Oversight
Processors must ensure that any subcontractors they hire also comply with the same data protection requirements.
Consumer Rights under the ICDPA
The Iowa Consumer Data Protection Act grants consumers several rights to help them control how their data is used. These rights include:
- Right to Access: Consumers can request to know what personal data a business has collected about them.
- Right to Delete: Consumers can ask businesses to delete their personal data.
- Right to Correct: Consumers can request corrections to any inaccurate or outdated information.
- Right to Opt Out: Consumers can opt out of:
  - The sale of their personal data.
  - Targeted advertising based on their personal data.
However, these rights come with certain limitations. Businesses are not required to comply with requests if the data is:
- Pseudonymous: Data that is separated from identifying information and cannot be easily linked to a specific individual.
- De-identified: Data that no longer contains identifying information.
Consumers must submit their requests in a secure and verifiable manner, and businesses must respond promptly.
Enforcement and Penalties
The Iowa Attorney General is responsible for enforcing the ICDPA. The law provides businesses with a fair opportunity to fix violations before facing penalties. Here’s how enforcement works:
90-Day Cure Period
If the Attorney General finds that a business has violated the ICDPA, they will issue a 90-day written notice identifying the problem. The business then has 90 days to:
- Fix the violation, AND
- Provide a written statement confirming that the issue has been resolved and will not happen again.
If the business complies, no further action is taken.
Penalties for Non-Compliance
If a business fails to fix the violation or continues to violate the law, the Attorney General can:
- File legal action against the business.
- Impose civil penalties of up to $7,500 per violation.
No Private Right of Action
Unlike some other privacy laws, the ICDPA does not allow consumers to sue businesses directly for violations. Enforcement is limited to the Attorney General.
Non-Monetary Costs of Non-Compliance
Non-monetary costs of non-compliance often include:
- Legal Expenses: Defending against investigations and lawsuits.
- Reputational Harm: Loss of consumer confidence and bad publicity can affect revenue and brand reputation.
- Operational Disruption: Non-compliance may necessitate abrupt changes in data handling practices, which can lead to delays and disruptions.
How can businesses prepare for ICDPA compliance?
To prepare for compliance:
- Conduct an audit of the personal data collected and processed.
- Update privacy notices to include required disclosures.
- Implement processes for handling consumer rights requests (access, deletion, opt-out).
- Ensure contracts with data processors align with ICDPA obligations.
- Review and enhance data security measures to protect sensitive data.
Conclusion
The Iowa Consumer Data Protection Act (ICDPA) is a significant step toward protecting consumer privacy in the state. Businesses that handle personal data must comply with key requirements like providing clear privacy notices, securing personal data, and respecting consumer rights.
If you’re looking for support to navigate ICDPA or other privacy laws, PrivacyPillar is here to help. Explore our range of privacy solutions to ensure compliance while protecting your customers’ trust.
FAQs
What is the Iowa Consumer Data Protection Act (ICDPA)?
ICDPA is a privacy law that gives Iowa residents more control over their personal data and sets rules for businesses on how to handle it.
Who is required to comply with ICDPA?
Businesses that collect the personal data of more than 100,000 consumers annually or derive more than 50% of their gross annual revenue from selling consumers’ personal data must comply.
What rights does ICDPA provide consumers?
Iowa consumers have the right to access, correct, and delete their personal data, and to opt out of its sale.
How does ICDPA handle pseudonymous and de-identified data?
The ICDPA does not require businesses to re-identify pseudonymous or de-identified data. It also exempts pseudonymous data from consumer rights when adequate safeguards are in place to prevent re-identification.
What happens if a business does not comply with ICDPA?
Non-compliance can result in civil penalties of up to $7,500 per violation, imposed by the Iowa Attorney General.
How can PrivacyPillar assist me with complying with ICDPA?
PrivacyPillar provides tools such as Consent Management Platforms, DSAR automation, and Cookie Compliance, all designed to simplify compliance.