What the ICDPA does for you

Under the Iowa Consumer Data Protection Act (ICDPA), you have the right to know what personal data businesses hold about you, to access and delete that data, and to opt out of the sale of your personal data. You can also request a portable copy of your data. These rights apply to Iowa residents whose data is handled by businesses that meet certain size thresholds, and businesses cannot penalize you for exercising them.

Your rights under the ICDPA

Right to Know

You have the right to confirm whether a business is processing your personal data and to access that data. You can submit a request to the business and they must respond within 90 days.

Exceptions: Does not apply to de-identified or aggregate data; Does not apply to publicly available information; May not apply where the business cannot reasonably associate the request with your personal data; Does not apply to pseudonymous data where identifying information is kept separately with appropriate safeguards.

Source: Iowa Code § 715D.3(1)(a)

Right to Delete

You have the right to request that a business delete personal data you have provided to them. The business must respond within 90 days.

Exceptions: Only applies to personal data provided by the consumer; Does not apply where compliance would violate an evidentiary privilege; Does not apply to data required to be retained by law; Does not apply to pseudonymous data where identifying information is kept separately with appropriate safeguards; Does not apply where the business cannot reasonably associate the request with your personal data.

Source: Iowa Code § 715D.3(1)(b)

Right to Opt Out of Sales

You have the right to opt out of the sale of your personal data to third parties for money. Businesses that sell your data must clearly disclose this and explain how you can opt out.

Exceptions: Does not apply to disclosures to processors acting on the business's behalf; Does not apply to transfers to affiliates; Does not apply to data the consumer intentionally made public; Does not apply to transfers as part of a merger or acquisition.

Source: Iowa Code § 715D.3(1)(d)

Right to Data Portability

You have the right to obtain a copy of your personal data that you previously provided to a business in a portable, usable format, so you can easily transfer it to another business. This applies where the data is processed by automated means.

Exceptions: Does not apply to personal data defined as 'personal information' under Iowa Code § 715C.1 that is subject to security breach protection; Only applies where processing is carried out by automated means.

Source: Iowa Code § 715D.3(1)(c)

Right to Non-Discrimination

Businesses cannot deny you goods or services, charge you different prices, or provide a lower quality of service just because you exercised your privacy rights. Your rights cannot be waived by contract.

Exceptions: A business may offer different prices or services if you opt out, if the offer is related to your voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; A business is not required to provide a product or service that requires personal data it doesn't collect.

Source: Iowa Code § 715D.4(3)

Right to Limit Sensitive Data

Businesses cannot process your sensitive personal data — such as your race, health information, sexual orientation, biometric data, precise location, or children's data — without first giving you clear notice and an opportunity to opt out. For children's data, COPPA rules apply.

Exceptions: Does not apply to data used to avoid discrimination under anti-discrimination law; Children's data processed in accordance with COPPA is handled under those rules rather than requiring opt-out.

Source: Iowa Code § 715D.4(2)

How to exercise your rights

1. See which data brokers have your information. Optery scans 200+ brokers to show you what’s exposed. Start a free scan →
2. Submit a ICDPA deletion or opt-out request. Covered businesses have 90 days to respond (Iowa Code § 715D.3(2)), with up to 45 additional days if they invoke the extension provision.
3. Let Optery automate the whole process. We submit opt-out and deletion requests on your behalf, track compliance, and resubmit whenever brokers re-add your data. Sign up free →

Authorized agents

The ICDPA does not mention authorized agents (Iowa Code Ann. § 715D.1 et seq.). This means data brokers are not required to honor privacy requests submitted by someone other than you personally. Optery can help you submit requests directly — we prepare everything for you; you hit send.

Enforcement and penalties

The ICDPA is enforced by Iowa Attorney General. The Iowa Attorney General has exclusive authority to enforce this law. Before taking action, the AG must give a business 90 days' written notice to fix any violation. If the business cures the problem and commits in writing to not violate again, no action is taken. If violations continue, the AG can seek a court injunction and civil penalties of up to $7,500 per violation. Fines collected go into the consumer education and litigation fund. There is no private right of action — individual consumers cannot sue under this law.

Who does the ICDPA apply to?

This law applies to businesses that conduct business in Iowa or target products/services to Iowa residents AND either (a) control or process personal data of at least 100,000 consumers per year, or (b) control or process personal data of at least 25,000 consumers and derive more than 50% of gross revenue from selling personal data. State agencies, nonprofits, financial institutions covered by Gramm-Leach-Bliley, HIPAA-covered entities, and institutions of higher education are exempt.

Frequently asked questions

Does Iowa's privacy law give me the right to correct inaccurate information a business has about me?

No. Unlike some other state privacy laws, the Iowa Consumer Data Protection Act (ICDPA) does not include a right to correct inaccurate personal data. You can request access to your data and you can request deletion of data you provided, but there is no correction right under the Iowa law (Iowa Code § 715D.3).

How long does a business have to respond to my privacy request?

A business must respond to your request within 90 days of receiving it (Iowa Code § 715D.3(2)(a)). They can extend this deadline by an additional 45 days if necessary due to complexity, but they must notify you of the extension within the initial 90-day period and explain the reason.

Can I sue a business directly if it violates my privacy rights under Iowa law?

No. The Iowa Consumer Data Protection Act does not give individuals a private right of action — meaning you cannot personally sue a business for violating the law (Iowa Code § 715D.8(4)). Only the Iowa Attorney General can bring enforcement actions, and if a denied appeal leads to a complaint, you can contact the Attorney General through an online mechanism the business must provide.

What businesses are covered by Iowa's privacy law?

The ICDPA covers businesses that operate in Iowa or target Iowa residents and either process personal data of at least 100,000 consumers per year, or process data of at least 25,000 consumers and earn more than 50% of their revenue from selling personal data (Iowa Code § 715D.2(1)). Nonprofits, state agencies, financial institutions covered by Gramm-Leach-Bliley, HIPAA-covered health entities, and colleges and universities are exempt.

What counts as 'sensitive data' that requires my permission before a business can use it?

Sensitive data under Iowa law includes your racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data used to identify you, precise geolocation data, and personal data collected from children under 13 (Iowa Code § 715D.1(26)). Businesses must give you clear notice and a chance to opt out before processing this type of data.

Official resources

• Full statute text (SF 262)
• Iowa Attorney General’s office
• Primary enforcement agency