What Employers Need to Know About Iowa’s 2025 Consumer Privacy Law

Like Nebraska’s data privacy law, Iowa’s Consumer Data Privacy Act (IACDPA) took effect on January 1, 2025. This legislation, signed into law by Governor Kim Reynolds on March 28, 2023, imposes new obligations on businesses operating in Iowa or targeting Iowa residents. Although Iowa’s consumer data privacy law is very similar to other state-level privacy laws in most ways, there are a few key differences. Below are some of the primary key points and differences.

An overview of the IACDPA

The law covers personal data collected from Iowa residents. The IACDPA applies to any individual or entity that:

• Conducts business in Iowa or produces products or services targeted at Iowa residents; and
• During a calendar year, either:
  • Controls or processes personal data of at least 100,000 Iowa residents; or
  • Controls or processes personal data of at least 25,000 Iowa residents and derives over 50% of its gross revenue from the sale of personal data.

Business obligations

Covered entities must:

• Respond to consumer requests within 90 days of receipt (extendable by an additional 45 days if necessary);
• Inform consumers if their request is declined and provide instructions on how to appeal the decision;
• Establish a process for consumers to appeal refusals to take action on their requests;
• Inform consumers of any action or inaction in response to an appeal within 60 days, and if denied, provide an online mechanism to submit a complaint to the Iowa Attorney General.

Privacy notice obligations

Businesses must provide a “reasonably accessible, clear and meaningful” privacy notice that includes:

• Categories of personal data processed;
• Express purposes for collecting and processing personal data;
• Categories of personal data shared with third parties;
• Categories of third parties with whom personal data is shared;
• Instructions on how consumers can exercise their rights under the IACDPA, including the appeals process.

Consumer rights

Under the IACDPA, consumers have the right to:

• Confirm whether their personal data is processed;
• Access their personal data;
• Request the deletion of their personal data;
• Obtain a copy of their personal data;
• Migrate personal data;
• Opt-out of the processing of their personal data for the sale of personal data and targeted advertising;
• Opt-out of sensitive data processing.
  
  

How IACDPA differs from NEDPA

Iowa’s data privacy law draws inspiration from similar laws like the Nebraska Consumer Data Privacy Act (NEDPA) but has a few key differences. Unlike the NEDPA, Iowa’s data privacy law tends to be slightly less restrictive towards businesses. Both states designate the respective Office of Attorney General as the exclusive point of contact for business violations, but Iowa’s law is more lenient towards businesses on response times. The NEDPA provides businesses with an initial 45-day period to respond to consumer requests, with an extended 45-day period if necessary. Iowa’s IACDPA allows a 90-day response period with an additional extended response period if necessary.

Additionally, Iowa’s law does not explicitly require businesses to undergo data protection assessments for high-risk activities. Iowa’s law also does not require an opt-in choice for sharing sensitive data. Instead, under Iowa’s 2025 consumer privacy law, businesses must allow consumers to opt out of processing personal data. To learn more details about IACDPA, you can read the full text of the law here.

Staying vigilant in a flood of data privacy laws

With a surge of data privacy laws implemented over the past couple of years that look similar on a high level, it can be easy to tune out the details. Although these laws appear similar on the surface, it is important for businesses and hiring professionals to note important differences in how they apply to your business. As demonstrated by some key differences in the two data privacy laws we cover this month, compliance is all about the details. Employers and HR professionals should meet with their legal counsel regularly to ensure hiring practices, business policies, and consumer data are handled properly within and when dealing with customers in states where data privacy laws apply.

This article is for informational purposes only and does not constitute legal advice. Hiring professionals, HR professionals, and administrators should consult their legal counsel to ensure all actions comply with the law.