Iowa Enacts Comprehensive Consumer Privacy Legislation

Iowa has become the sixth state in the United States to implement comprehensive consumer privacy legislation, joining California, Virginia, Colorado, Nevada, and Maine. The new law, called the Iowa Consumer Privacy Act (ICPA), was signed by Governor Kim Reynolds on March 23, 2023, and will take effect on January 1, 2024.

The ICPA applies to businesses that collect personal information from Iowa residents, regardless of whether the business is physically located in the state. The law gives Iowa residents the right to know what personal information is being collected about them, the right to request that their information be deleted, and the right to opt-out of the sale of their personal information.

Under the ICPA, businesses are required to provide clear and conspicuous notices about their data collection and processing practices, as well as their privacy policies. They must also implement reasonable security measures to protect personal information and obtain affirmative consent before collecting or processing sensitive personal information, such as health information or biometric data.

The Iowa Attorney General’s Office will be responsible for enforcing the ICPA, and violations may result in fines of up to $7,500 per violation. The law also includes a private right of action for Iowa residents to sue businesses for certain violations of the law.

The enactment of the ICPA demonstrates Iowa’s commitment to protecting consumer privacy and bringing the state’s privacy laws in line with other states that have already implemented similar legislation. As more states take steps to strengthen consumer privacy protections, it is likely that we will see increased pressure for a federal privacy law in the United States.