What is ICDPA?
The Iowa Consumer Data Privacy Act (ICDPA) is the sixth consumer data privacy law to be passed in the United States. It is similar to the data privacy laws already passed in other states, such as California’s CCPA or Colorado’s law. It was signed on the 28th of March by the State Governor and is set to become effective as of January 1st, 2025.
In addition to the obligations set out for controllers in the text of the law itself, it ties into the Code of Iowa, specifically the chapter related to data breaches of personal information, Chapter 715C.
What is Personal Information and what are other key
Under the ICDPA, ‘personal information’ is defined the same way as in other state laws, as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” which does not include “de-identified or aggregate data or publicly available information.” When it comes to ‘sensitive data’, the law lists several categories of personal data that qualify as sensitive data, namely:
- “racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, except to the extent such data is used in order to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law;
- genetic or biometric data that is processed for the purpose of uniquely identifying a natural person;
- the personal data collected from a known child;
- precise geolocation data.”
‘Biometric data’ is understood to mean “data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual” but excludes “a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.” As regards ‘precise geolocation data’, this is defined by the ICDPA as “information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that identifies the specific location of a natural person with precision and accuracy within a radius of one thousand seven hundred fifty feet” but does not include “the content of communications, or any data generated by or connected to utility metering infrastructure systems or equipment for use by a utility.”
Since the law does not treat ‘de-identified data’ as personal data, it defines it as “data that cannot reasonably be linked to an identified or identifiable natural person.” Along the same lines, the ICDPA also mentions ‘pseudonymous data’ as a type of data not covered by the law, which it understands to mean “personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.”
Same as with other laws in the US, the data subject is here called a ‘consumer’ and defined as “a natural person who is a resident of the state acting only in an individual or household context and excluding a natural person acting in a commercial or employment context” and a ‘child’ is “any natural person younger than thirteen years of age.”
The law covers both data controllers and data processors, defining ‘controller’ as “a person that, alone or jointly with others, determines the purpose and means of processing personal data,” and ‘processor’ as “a person that processes personal data on behalf of a controller.” The activity conducted by these, ‘processing,’ is defined as “any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.”
A relevant definition that differs across the states that already have a data privacy law is that of ‘sale of personal data’, which in the case of Iowa’s law is defined as “the exchange of personal data for monetary consideration by the controller to a third party.” Some states only take into account monetary consideration, while others, like Connecticut, also include other valuable consideration. However, same as Connecticut’s law, it excludes several categories of disclosures from the concept of sale:
- “the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
- the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer or a parent of a child;
- the disclosure or transfer of personal data to an affiliate of the controller;
- the disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience;
- the disclosure or transfer of personal data when a consumer uses or directs a controller to intentionally disclose personal data or intentionally interact with one or more third parties;
- the disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.”
Who has to comply with ICDPA?
The ICDPA covers entities located in Iowa, or entities that offer services targeted to residents of Iowa, which during the previous calendar year have met one of the following criteria:
- have controlled or processed the personal data of at least 100,000 consumers; or
- have controlled and processed the personal data of at least 25,000 consumers and have derived more than 50% of their gross revenue from the sale of personal data.
It is noteworthy here that, unlike California or Utah, where a $25 million annual revenue threshold places businesses under the law, Iowa does not reference a revenue threshold, meaning that any business, of any size, that meets the above criteria must comply with the ICDPA.
Who is excluded from ICDPA compliance?
The ICDPA excludes “personal data by a person in the course of a purely personal or household activity” as well as personal data already covered under existing federal laws such as HIPAA (Health Insurance Portability and Accountability Act), COPPA (Children’s Online Privacy Protection Act), FERPA (Family Educational Rights and Privacy Act), the Driver’s Privacy Protection Act, or Farm Credit Act, research data about human subjects that is covered by federal law or other standards, health records, or data processed for employment purposes.
Entities excluded by the ICDPA include “the state or any political subdivision of the state; financial institutions, affiliates of financial institutions, [...] nonprofit organizations; or institutions of higher education,” as well as any entities subject to the Gramm-Leach-Bliley Act.
How can I keep my organization ICDPA compliant?
Same as with the other consumer privacy laws across the US, the ICDPA lists a series of obligations that controllers must meet in order to be in compliance.
- You are required to ensure the security of the personal data and in order to do so you must “adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data” which will have to be “appropriate to the volume and nature of the personal data at issue.”
- When processing sensitive personal data you must ensure proper consent from the consumers and as such are not allowed to do this “for a nonexempt purpose without the consumer having been presented with clear notice and an opportunity to opt out of such processing, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA.”
- You are expected to show the principle of integrity when processing personal data which means that you cannot perform the processing “in violation of state and federal laws that prohibit unlawful discrimination against a consumer.”
- As a data controller, you cannot discriminate “against a consumer for exercising any of the consumer rights contained in this chapter, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer.”
- You have to show transparency by displaying a privacy notice that contains the following information:
  - the categories of personal data you process;
  - the purpose for processing personal data;
  - the way consumers may exercise their rights, including how they can appeal your decision with regard to their data subject access request;
  - the categories of personal data that you share with third parties, if any;
  - the categories of third parties, if any, with whom you share personal data.
- If you sell personal data to third parties or engage in targeted advertising, you are required to “clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.”
- With regard to data subjects’ rights, you are required to provide data subjects with “secure and reliable means” for them to exercise their rights, and these means have to take into account the ways in which consumers normally interact with you, the need for secure and reliable communication of such requests, and your ability to authenticate the identity of the consumer making the request. You cannot require a consumer to create a new account in order to exercise consumer rights, but you are allowed to require a consumer to use an existing account.
- As a data controller you are required to have a contract between yourself and the data processor. This contract “shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties.”
Iowa’s law also lists processors’ duties. As a data processor, you are required to “assist a controller in duties required under this chapter, taking into account the nature of processing and the information available to” you, “by appropriate technical and organizational measures, insofar as is reasonably practicable,” in order to fulfill the controller’s obligation to respond to data subject access requests, and to “meet the controller’s obligations in relation to the security of processing the personal data and in relation to the notification of a security breach” that you have suffered.
Although the ICDPA itself does not list data breach notification as a mandatory requirement, the Code of Iowa, in Chapter 715C, states that “any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security requiring notification to more than five hundred residents of this state [...] shall give written notice of the breach of security to the director of the consumer protection division of the office of the attorney general within five business days after giving notice of the breach of security to any consumer.” This means that entities that fall under the “more than five hundred residents of this state” part of the Code will need to follow this notification requirement.
What data access rights does ICDPA grant?
The ICDPA grants consumers six data access rights:
- Right to access
- Right to delete
- Right to data portability
- Right to opt out of the sale of personal data
- Right to opt out of processing of sensitive data
- Right to opt out of processing for purposes of targeted advertisement
There is no Right to Correct personal data under Iowa’s law.
How to address data subject access requests under ICDPA?
Under the ICDPA, you are required to take the following steps when addressing a data subject access request:
- Once a data subject access request has been submitted, you are required to respond to it “without undue delay, but in all cases within ninety days of receipt of a request.” You can however extend this period “once by forty-five additional days when reasonably necessary upon considering the complexity and number of the consumer’s requests by informing the consumer of any such extension within the initial ninety-day response period, together with the reason for the extension.”
- If you decide to decline the request, you have an obligation to inform the consumer of your decision to decline and of the way in which they can appeal your decision.
- When providing consumers with their data in response to a request for access, you have to do so “free of charge, up to twice annually per consumer,” which differs from other laws that state this has to be done once every year. However, same as with other laws in the US, such as Connecticut’s, you may charge the consumer “a reasonable fee to cover the administrative costs of complying with the request” if the requests are “manifestly unfounded, excessive, repetitive, technically unfeasible” or if you “reasonably believe that the primary purpose of the request is not to exercise a consumer right”; it is your responsibility, however, to demonstrate that the request was manifestly unfounded, excessive or repetitive.
- If you are unable to authenticate a request, you are not required to comply with it, and can ask the consumer to provide additional information in order for you to be able to authenticate their request.
- Same as with Connecticut, for requests that you have denied, you have to establish a process for consumers to appeal your decision within a reasonable period of time after receiving your decision. The appeal process has to be “conspicuously available and similar to the process for submitting requests to initiate action,” and you are required, no later than 60 days after receiving an appeal, to “inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions.” If the appeal is denied, you have to provide the consumer “with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint.”
Enforcement and penalties
Similar to other US privacy laws, the Attorney General of Iowa has exclusive authority to enforce the ICDPA. If the Attorney General has “reasonable cause to believe that any person has engaged in, is engaging in, or is about to engage in any violation of this chapter, the attorney general is empowered to issue a civil investigative demand.”
Prior to initiating any action, the Attorney General will give controllers or processors a cure period of 90 days. During this time, if the controller/processor “cures the noticed violation and provides the attorney general an express written statement that the alleged violations have been cured and that no further such violations shall occur, no action shall be initiated against the controller or processor.” After this period, if the violation is not cured, action may be initiated against the controller/processor, with civil penalties up to $7,500 per violation.
Last but not least, there is no private right of action under the ICDPA.
Data Subject Rights - GDPR vs. ICDPA
Rights under the GDPR:
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
Rights under the ICDPA:
- The Right to Access
- The Right to Delete
- The Right to Data Portability
- The Right to Opt Out of the Sale of Personal Data
- The Right to Opt Out of Processing of Sensitive Data
- The Right to Opt Out of Processing for Purposes of Targeted Advertisement
How can Clym help?
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Custom branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.