State Privacy Laws: Iowa

Iowa Consumer Data Protection Act (ICDPA)

Overview

Iowa was the sixth state to pass a comprehensive state privacy law. The Iowa Consumer Data Protection Act outlines consumer rights, obligations of businesses, privacy notice requirements, and other related provisions.

Key Dates

  • Signed into law: March 29, 2023
  • Effective date: January 1, 2025

Thresholds

The ICDPA applies to any individual that conducts business in Iowa or produces products or services that are targeted at Iowa consumers, and which during a calendar year either:

  • controls or processes personal data of at least 100,000 Iowa consumers or
  • controls or processes personal data of at least 25,000 Iowa consumers and derives over fifty percent (50%) of gross revenue from the "sale" of personal data.

Consumer Rights

  • The right to confirm whether their data is being processed.
  • The right to access personal data held by a business.
  • The right to data portability, enabling consumers to transfer their personal data to another service provider.
  • The right to deletion of their data from company records, helping them control their digital footprint.
  • The right to opt out of the sale of personal data, empowering consumers to restrict businesses from selling or using their data for targeted advertising.

Sensitive Data

  • Racial or ethnic origin, religious beliefs, health diagnoses
  • Citizenship or immigration status
  • Genetic and biometric data uniquely identifying an individual
  • Children’s data and precise geolocation data

Penalties

Up to $7,500 per violation.

Configure Your Consent Banner for ICDPA

Regions are used to customize the behavior and experience based on an individual user’s location. As an example, this allows you to provide different experiences to users based on regional differences (like GDPR in the EU vs. ICDPA in Iowa). When a user visits your site, we will automatically determine their location and match them to the most granular region rule that you have set up in Concord. This can go down to the state/province level, which allows for different experiences for different laws (like ICDPA in Iowa).

Recommended Consent Settings

Based on the current laws, we recommend the following regional settings:

  • Consent Mode: Implied
  • Blocking Mode: Strict
  • Google Consent Mode V2: Basic
  • Consent Duration: 12 months
  • Enable Limit Sensitive Information: Enabled
  • Enable Do Not Sell Consent: Enabled
  • Enable Global Privacy Control: Enabled

For step-by-step instructions on how to configure your consent banner for different geographical regions within the Concord app, see our help document https://www.concord.tech/docs/configure-consent-banner-difference-regions.

Important Note: While you can get as granular as you want, we typically recommend a single global policy that meets the strictest guidelines across regions, or higher splits (like separate GDPR and United States regions). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.