Back to all blog posts

Iowa Privacy Law

Iowa establishes a state privacy law

In March, a new privacy law was approved in Iowa, which makes them the sixth state to establish a general privacy law for residents. Here are the top three things to know about the Iowa law and what your business needs to do to comply.

1       The Iowa law shares commonalities with other state laws

The Iowa law contains many of the elements present in the state laws from California, Colorado, Connecticut, Utah, and Virginia, such as data subject rights, breach notification requirements, a privacy notice, and the definition of consent as an affirmative action.

The scope of the Iowa law is essentially the same as the Virginia Consumer Data Protection Act (VCDPA): businesses that process the personal data of 100,000 consumers of the state or that process the personal data of 25,000 consumers of the state and derive 50% of their revenue from the sale of personal data. It excluded HIPAA-covered entities, nonprofit organizations, institutions of higher education, and employee data the same way that VCDPA does.

The law will allow Iowa residents several data subject rights—namely the rights to know, delete, obtain a copy, and opt out of both sale and targeted advertising. These are common rights included in most other state laws. It also requires the business to publicly post an accessible privacy notice.

2       Requirements for Iowa are generally more business-friendly

Where businesses are concerned, the requirements established under the Iowa law are generally easier to meet than some of the other state laws.

With data subject requests, businesses are given 90 days to respond—as opposed to 45 in most of the other laws—and can extend this period by another 45 days. The rights to correct personal information and to opt out of automated decision-making have not been imposed here. The business is not required to forward data subject requests to service providers or third parties with whom the information has been shared. Furthermore, no specific type of mechanism to receive data subject requests is included in the law; businesses need only inform data subjects of their rights and how they can exercise them.

A few typical requirements from other state laws that are noticeably missing in the Iowa law. These include but are not limited to requirements for privacy impact assessments, employee training, consent for the use of data for a secondary purpose, and transparency around automated decision-making.

3       No new requirements placed on businesses

Little must be done to comply with Iowa that your business isn’t already doing for other laws. The only new requirement in the Iowa law concerns language to put in contracts between a processor and a controller. Specifically, the contract must require everyone processing personal data be subject to confidentiality, that the processor delete or return all the data when provision of services ends, and requiring the same obligations be placed on any sub-processors. However, most contracts of this type already contain these provisions as best practice or as part of compliance with non-US privacy laws.

Simply put, a business likely complies with the Iowa law if it complies with the laws of California and Virginia already in effect. Even if Iowa is the first law to which the business is subject, it has significantly less effort and money to spend to comply before January 1st, 2025. 

Please feel free to reach out to Privacy Ref with all your organizational privacy concerns, email us at or call us 1-888-470-1528. You may view our complete event calendar here, which includes our training and webinars.