Preparing for Iowa’s New Consumer Data Protection Act: Are You Ready for Compliance?

Iowa is taking a significant step forward in protecting consumer privacy by introducing the Iowa Consumer Data Protection Act also known as ICDPA. This new law places Iowa alongside states like California, Colorado, and Virginia in establishing statewide consumer data privacy regulations. At Zirous, we’re committed to helping businesses navigate this changing landscape and ensuring they are prepared to comply when the ICDPA takes effect on January 1, 2025.

What Does the Iowa Consumer Data Protection Act Mean for Businesses?

The ICDPA empowers consumers by granting them more control over their personal data, requiring businesses to adjust their data handling practices accordingly. Companies affected by the law must inform consumers about data collection and usage, provide mechanisms to opt out, and implement safeguards to protect the data they retain. Noncompliance can result in significant penalties.

Understanding the Key Requirements

• Who Must Comply? The law applies to businesses that control or process the personal data of 100,000 or more Iowa residents, or businesses that process the data of 25,000 residents and generate over 50% of their revenue from data sales.
• Exemptions: Certain entities, including financial institutions, organizations covered by HIPAA, nonprofits, and institutions of higher education, are exempt from the ICDPA’s requirements.

Consumer Rights Under the ICDPA

The ICDPA grants Iowans key rights related to their personal data, including:

• Access to Data: Consumers can request confirmation of whether their data is being processed and access that information.
• Data Deletion: Consumers can request that their personal data be deleted, specifically data collected from them directly.
• Data Portability: Consumers can request a copy of their data in a usable format.
• Opt-Out Rights: Consumers can opt out of the sale of their personal data.

However, the ICDPA does not explicitly provide certain rights seen in other state laws, such as the ability to correct personal data or opt out of targeted advertising.

Compliance and Penalties

Enforcement of the ICDPA will be overseen by the Iowa Attorney General. The law includes a 90-day period for businesses to address any violations, allowing them to avoid penalties if they correct issues within that timeframe. If violations are not corrected, businesses can face fines of $7,500 per infraction. While consumers cannot bring lawsuits directly, they can report violations to the Attorney General’s office for enforcement.

How Zirous Can Support Your Compliance Efforts

With the ICDPA set to take effect in January 2025, now is the time to assess your data practices and ensure compliance.

We understand that data privacy laws can be complex, but we’re here to simplify the process. Whether you need a full audit of your current practices, assistance in managing consumer data requests, or strategies to integrate compliance seamlessly into your operations, Zirous has you covered.

Don’t wait until the last minute—let’s work together to ensure your business is fully prepared for the ICDPA.

Zirous has been a trusted provider of technology and IT solutions for over 35 years. We specialize in helping businesses enhance their operations through data security, and regulatory compliance. Our expertise in navigating data privacy laws makes us the ideal partner to guide you through the complexities of the evolving regulatory landscape.