Data Privacy Briefing — January 1, 2025

Executive briefing: Iowa’s Consumer Data Protection Act (ICDPA) enters into force on January 1, 2025. Controllers doing business in Iowa or targeting its residents must now honor access, deletion, portability, and opt-out rights for targeted advertising and data sales. The law sets disclosure, security, and data minimization obligations comparable to other U.S. comprehensive privacy statutes, with enforcement by the Iowa Attorney General after a 90-day cure period.

Key statutory signals

Applicability thresholds. ICDPA covers entities that control or process personal data of at least 100,000 Iowans annually, or 25,000 residents if over 50% of gross revenue comes from data sales.
Consumer rights. Residents can request access, deletion, portability, and opt out of targeted advertising or sales, and controllers must respond within 90 days with one 45-day extension.
Data protection assessments. High-risk processing tied to targeted ads, sensitive data, or profiling requires documented assessments available to the Attorney General upon request.

Operational priorities

Update privacy notices. Reflect ICDPA rights, appeal mechanisms, and sensitive data opt-in requirements alongside existing multi-state disclosures.
Modernize intake workflows. Ensure DSAR portals can distinguish Iowa residency, support portability formats, and track cure timelines.
Review vendor contracts. Amend agreements to embed data processing instructions, confidentiality, and deletion obligations aligned with ICDPA definitions.

Enablement moves

Train customer support and marketing teams on opt-out triggers, appeal handling, and sensitive data consent capture.
Integrate ICDPA assessment checkpoints into product launch reviews, aligning with enterprise privacy impact assessment workflows.

Sources

Zeph Tech aligns multi-jurisdiction privacy programs by automating ICDPA rights fulfillment, updating notices, and embedding assessments across product delivery.