Iowa ICDPA

Who is excluded from ICDPA compliance? 

The ICDPA excludes “personal data by a person in the course of a purely personal or household activity” as well as personal data already covered under existing federal laws such as HIPAA (Health Insurance Portability and Accountability Act), COPPA (Children’s Online Privacy Protection Act), FERPA (Family Educational Rights and Privacy Act), the Driver’s Privacy Protection Act, or Farm Credit Act, research data about human subjects that is covered by federal law or other standards, health records, or data processed for employment purposes.

Entities excluded by the ICDPA include “the state or any political subdivision of the state; financial institutions, affiliates of financial institutions, [...] nonprofit organizations; or institutions of higher education,” or financial institutions or affiliates of these, as well as  any entities subject to the Gramm-Leach-Bliley Act.

How can I keep my organization ICDPA compliant? 

Same as with the other consumer privacy laws across the US, the ICDPA lists a series of obligations for controllers in order to be in compliance. 

• You are required to ensure the security of the personal data and in order to do so you must “adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data” which will have to be “appropriate to the volume and nature of the personal data at issue.”
• When processing sensitive personal data you must ensure proper consent from the consumers and as such are not allowed to do this “for a nonexempt purpose without the consumer having been presented with clear notice and an opportunity to opt out of such processing, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA.”
• You are expected to show the principle of integrity when processing personal data which means that you cannot perform the processing “in violation of state and federal laws that prohibit unlawful discrimination against a consumer.” 
• As a data controller, you cannot discriminate “against a consumer for exercising any of the consumer rights contained in this chapter, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer.”
• You have to show transparency by displaying a privacy notice that contains the following information: 
• the categories of personal data you process;
• the purpose for processing personal data;
• the way consumers may exercise their rights, including they can appeal your decision with regard to their data subject access request;
• the categories of personal data that you share with third parties, if any.
• the categories of third parties, if any, with whom you share personal data.
• If you sell personal data to third parties or engage in targeted advertising, you are required to “clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.” 
• With regards data subjects’ rights you are required to provide data subjects with “secure and reliable means” for them to exercise their rights and this means have to consider the ways in which consumers normally interact with you, the need for secure and reliable communication of such requests, and your ability to authenticate the identity of the consumer making the request. You cannot require a consumer to create a new account in order to exercise consumer rights but you are allowed to require a consumer to use an existing account.
• As a data controller you are required to have a contract between yourself and the data processor. This contract “shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties.

Iowa’s law also lists processors’ duties, namely, as a data processor, you are required to “assist a controller in duties required under this chapter, taking into account the nature of processing and the information available to you by appropriate technical and organizational measures, insofar as is reasonably practicable, in order to fulfill the controller’s obligation to respond to data subject access requests, or to “meet the controller’s obligations in relation to the  security of processing the personal data and in relation to the notification of a security breach” that you have suffered. 

Although the ICDPA does not list data breach notifications as a mandatory requirement, the Code of Iowa, in Chapter 715C, states that “any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security requiring notification to more than five hundred residents of this state [...] shall give written notice of the breach of security to the director of the consumer protection division of the office of the attorney general within five business days after giving notice of the breach of security to any consumer.” This would entail that entities that fall under the “more than five hundred residents of this state” part of the Code will need to follow through. 

What data access rights does ICDPA grant?

The ICDPA grants consumers six data access rights: 

• Right to access

• Right to delete

• Right to data portability

• Right to opt out of the sale of personal data

• Right to opt out of processing of sensitive data

• Right to opt out of processing for purposes of targeted advertisement

There is no Right to Correct personal data under Iowa’s law.

How to address data subject access requests under ICDPA?

Under the ICDPA, you are required to take the following steps when addressing a data subject access request: 

• once a data subject access request has been submitted, you are required to respond to it “without undue delay, but in all cases within ninety days of receipt of a request.” You can however extend this period “once by forty-five additional days when reasonably necessary upon considering the complexity and number of the consumer’s

• requests by informing the consumer of any such extension within the initial ninety-day response period, together with the reason for the extension.”

• If you decide to decline the request, you have an obligation to inform the consumer of your decision to decline and of the way in which they can appeal your decision. 
• When providing consumers with their data in response to a request for access, you have to do so “free of charge, up to twice annually per consumer,” which differs from other laws that state this has to be done once every year. However, same as with other laws in the US, such as Connecticut, you may charge the consumer “a reasonable fee to cover the administrative costs of complying with the request” if the requests are “manifestly unfounded, excessive, repetitive, technically unfeasible” or if you “reasonably believe that the primary purpose of the request is not to exercise a consumer right” but it is your responsibility to demonstrate that the request was manifestly unfounded, excessive or repetitive.
• If you are unable to authenticate a request, you are not required to comply with it, and can ask the consumer to provide additional information in order for you to be able to authenticate their request. 
• Same as with Connecticut, for requests that you have denied, you have to establish a process for consumers to appeal your decision within a reasonable period of time after receiving your decision. The appeal process has to be “conspicuously available and similar to the process for submitting requests to initiate action,” and you are required, no later than 60 days after receiving an appeal, to “inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions.” If the appeal is denied, you have to provide the consumer “with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint.”

Enforcement and penalties

Similar to other US privacy laws, the Attorney General of Iowa shall have exclusive authority to enforce the ICDPA. If they have “reasonable cause to believe that any person has  engaged in, is engaging in, or is about to engage in any violation of this chapter, the attorney general is empowered to issue a civil investigative demand.”

Prior to initiating any action, the Attorney General will give controllers or processors a cure period of 90 days. During this time, if the controller/processor “cures the noticed violation and provides the attorney general an express written statement that the alleged violations have been cured and that no further such  violations shall occur, no action shall be initiated against the controller or processor.” After this period, if the violation is not cured, action may be initiated against the controller/processor, with civil penalties up to $7,500 per violation.

Last but not least, there is no private right of action under the ICDPA.

Data Subject Rights - GDPR vs. ICDPA

FAQs about the Iowa Consumer Data Privacy Act

ICDPA Resources

Iowa May Soon Adopt Its Own Data Privacy Law