Preparing to Comply with Iowa’s Consumer Data Protection Law

The Iowa Consumer Data Protection Act (ICDPA) takes effect January 1, 2025. The state’s first industry-agnostic privacy bill would affect any company collecting, processing, and storing the data of Iowa residents. While it is similar to other state privacy laws, it most closely resembles provisions of the Utah Consumer Data Privacy Act.

Two of the most important provisions require organizations to:

  • Implement reasonable data security practices to protect the confidentiality, integrity, and accessibility of consumer data; and
  • Provide consumers with a clear privacy notice that includes categories of data processed, the purpose of the processing, how consumers may exercise their rights, categories of third parties with whom data is shared, and how data is shared with third parties.

Consumers may request:

  • access to their data being processed by the organization,
  • deletion of the personal data the organization has collected about them,
  • a copy of their personal data in a readily usable format the consumer may take to another organization, and
  • to opt out of the sale of their personal data to other entities.

The organization must provide the consumer with the means to exercise each of these rights.

Which Organizations Will Be Subject to the New Law?

Whether or not an organization is domiciled in Iowa, any organization that collects personal information of Iowa residents in a calendar year and satisfies either of the following criteria is subject to the ICDPA:

  1. Controls or processes personal data of 100,000 or more consumers; or
  2. Derives over 50% of its gross revenue from the sale of personal data while also processing or controlling the personal data of 25,000 or more consumers.

How to Prepare for Compliance by Securing Personal Data

The privacy by design approach will be the most effective way to secure personal data in compliance with the Iowa law. For systems currently in use that weren’t designed with customer privacy in mind, choosing an ad hoc approach that is effective and doesn’t negatively impact operations can be daunting. Organizations that took a secure approach to system development, however, might be closer to compliance than they expect. If your organization already performs regular HIPAA security assessments, for example, you’re already doing most of what the new law requires.

Security measures to consider when preparing to comply with the ICDPA:

  • Implement or update a public-facing privacy notice to include consumer rights, categories of personal data processed, the purpose for personal data collection, and the categories of third parties with whom personal data is shared.
  • Implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
  • Provide a request portal that customers may use to exercise their rights to access, delete, and port their personal data, and to opt out of the sale of their personal data.
  • Provide details of how consumers may appeal the organization’s decision regarding the resolution of their personal data request if the customer does not agree with the outcome.
  • Document all consumer requests, the reason for the request, your organization’s validation of the requestor’s identity, and the outcome of the request in an aggregated repository. (Note: once stored, this information would itself become data covered by this law. It is advised to de-identify the personal data in each request after the request has been completed.)

Definitions of Key Terms

Some key words could have a material impact on the interpretation of certain areas of the regulation. These key words and their definitions, summarized from the ICDPA, are:

  • Consumer: A natural person who is a resident of the state acting only in an individual or household context and excluding a natural person acting in a commercial or employment context.
  • Controller: A person that, alone or jointly with others, determines the purpose and means of processing personal data.
  • Personal Data: Any information that is linked or reasonably linkable to an identified or identifiable natural person.
  • Process or Processing: Any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
  • Third Party: A natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller.

Weaver professionals have experience assisting organizations in implementing data security practices and industry-accepted security frameworks. We are here to help with any needs related to the new law. For more information about the ICDPA and how it may apply to your business, contact us.

Authored by Hunter Sundbeck, CISA, CDPSE, A+, CySA+.

© 2023