enactedUS-IAEffective January 1, 2025

Iowa Consumer Data Protection Act (ICDPA)

Complete compliance guide for companies with <200 employees. Everything you need to know about ICDPA requirements, deadlines, and penalties.

DSAR Deadline

90 calendar days

+ 45 days extension

Max Penalty

$7,500/violation

Up to $7,500 per violation under the Iowa Consumer Fraud Act. The AG must provide a 90-day cure period before enforcement — this cure period has no sunset date, making ICDPA one of the most business-friendly US state privacy laws alongside Utah's UCPA.

Threshold

100,000 consumers

Est. Cost

$3,000 – $10,000

3-8 weeks

Mid-Market Compliance Guide

Iowa's ICDPA is one of the most business-friendly US state privacy laws. It features the longest DSAR response deadline at 90 days (vs. 45 days in most states), a permanent 90-day cure period with no sunset, and does NOT include a right to correct. The threshold is 100,000+ consumers or 25,000+ consumers with 50%+ revenue from data sales. Total maximum response time with extension is 135 days.

Key Requirements

Provide a clear and accessible privacy notice
Obtain consent before processing sensitive data
Provide a method for consumers to opt out of sale and targeted advertising
Implement and maintain reasonable data security practices
Establish data processing agreements with processors

Enforced by: Iowa Attorney GeneralOfficial site

Consumer Rights

Right to Access personal data

Right to Delete personal data

Right to Data Portability

Right to Opt-Out of sale of personal data

Right to Opt-Out of targeted advertising

Business Obligations

1.Provide privacy notice disclosing data categories, purposes, and rights
2.Respond to consumer requests within 90 days
3.Implement reasonable security measures
4.Execute data processing agreements with processors

Exemptions

•HIPAA-covered entities and data
•GLBA-covered financial institutions
•Nonprofits
•Government entities
•Higher education institutions

Related Privacy Laws

VCDPA

US-VA

Virginia Consumer Data Protection Act

UCPA

US-UT

Utah Consumer Privacy Act

CCPA/CPRA

US-CA

California Consumer Privacy Act

Recommended Compliance Tools

No vendors have been reviewed for ICDPA coverage yet.

Browse all compliance tools

Get a mid-market compliance checklist for ICDPA

We'll send you a practical, step-by-step checklist tailored for companies with <200 employees. No spam, unsubscribe anytime.

See how DPAs enforce ICDPA in practice

Real fines, real violations, real lessons. Browse our enforcement database to understand what gets penalized under ICDPA.

Browse Enforcement Actions

Disclaimer: This is general information, not legal advice. Consult a qualified attorney for your specific situation. Laws and regulations may change. Last reviewed: 3/3/2026.

Read the official text of ICDPA