ICDPA

Iowa Consumer Data Protection Act

Key Facts

  • Effective Date: January 1, 2025
  • Enacted: March 29, 2023
  • Enforcing Authority: Iowa Attorney General
  • Consent Model: Opt-out
  • Fulfillment Time: 90 days
  • Applies To: Persons in Iowa or targeting Iowa consumers, with 100,000+ consumers OR 25,000+ consumers and 50%+ revenue from selling PI

Overview

The ICDPA is notable for two unique features among US state privacy laws: a 90-day cure period (the longest) and requiring only notice-and-opt-out for sensitive data rather than opt-in consent. It also has narrower consumer rights than most other states.

What This Means for Your Website

  • Sensitive data requires only notice and opt-out — NOT opt-in consent (unique among US states)
  • A 90-day cure period applies before enforcement action (permanent)
  • No right to correct data or opt out of profiling or targeted advertising
  • Consumer requests must be fulfilled within 90 days

Key Requirements

The Iowa AG enforces the ICDPA with penalties up to $7,500 per violation. The 90-day cure period is permanent. The notice-and-opt-out model for sensitive data makes Iowa one of the most business-friendly state privacy laws alongside Utah.

How ConsentStack Handles This

ConsentStack detects Iowa visitors and applies the appropriate consent model, implementing notice-and-opt-out for sensitive data categories per Iowa's unique requirements.

Penalties

Up to $7,500 per violation.

Maximum Fine: USD 7,500 per violation

Key Requirements

  • Clear privacy disclosures
  • Notice and opt-out for sensitive data — NOT opt-in
  • Consumer rights: access, delete, portability, opt out of sale
  • 90-day response window for consumer requests
  • Reasonable data security practices

Notable Provisions

  • 90-day cure period — longest among US states
  • Sensitive data requires only notice and opt-out (not opt-in) — unique
  • No right to correct data, opt out of profiling, or opt out of targeted advertising

US State Specifics

  • Cure Period: 90 days
  • Private Right of Action: No
  • Global Opt-out Required: No
  • Sensitive Data Opt-in: No
  • Children Provisions: Under 13 data is sensitive and subject to notice and opt-out only.

Other North America Regulations

CPRA: California, United States
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
PIPEDA: Canada (Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.
Quebec Law 25: Quebec, Canada
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.
TDPSA: Texas, United States
The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.
CPA: Colorado, United States
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.
MODPA: Maryland, United States
The most restrictive US state privacy law. Sensitive data may only be processed when strictly necessary to deliver a requested service — and sale of sensitive data is completely prohibited even with consent. Under-18 sale and targeted advertising are prohibited regardless of consent. Strictest data minimization in the US.

Frequently Asked Questions

How does Iowa handle sensitive data?

Uniquely among US states, Iowa requires only notice and opt-out for sensitive data — not opt-in consent. This is significantly more business-friendly than other states.

What is Iowa's cure period?

90 days — the longest among US state privacy laws, and permanent (does not sunset).

Can Iowans opt out of targeted advertising?

No. The ICDPA does not grant the right to opt out of targeted advertising or profiling.
