What Is the Iowa Consumer Data Protection Act?
ICDPA applies to controllers processing data of 100,000+ Iowa consumers or 25,000+ while selling data. Consumer rights are limited to access, delete, port, and opt-out of sale and targeted ads. There is no right to correct and no profiling opt-out, making ICDPA more business-friendly than peer laws. Enforcement is exclusive to the AG with a 90-day cure period.
At a glance
- Full name
- Iowa Consumer Data Protection Act
- Short code
- ICDPA
- Effective date
- January 1, 2025
- Response deadline
- 90 days
- Cure period
- 90 days
- Private right of action
- No
- Enforcement
- Iowa Attorney General. Consumer Protection Division
- Maximum penalty
- Up to $7,500 per violation under the Iowa Consumer Fraud Act
- Statutory citation
- Iowa Code § 715D.1 et seq.
Who ICDPA applies to
A business is covered if it meets the applicability thresholds set out in Iowa Code § 715D.1 et seq.. Most state laws use an “or” framework — any one of the thresholds triggers coverage unless otherwise noted.
- Conducts business in Iowa or targets Iowa residents, AND
- Controls or processes personal data of 100,000+ Iowa consumers in a calendar year, OR
- Controls or processes personal data of 25,000+ Iowa consumers AND derives over 50% of gross revenue from the sale of personal data
Consumer rights under ICDPA
Delete, access, port, opt-out of sale and targeted ads
No right to correct (unusual gap)
No profiling opt-out
90-day response window (longer than peers)
Notable features (vs. CCPA)
ICDPA is among the most business-friendly comprehensive state privacy laws. It omits the right to correct (unlike CCPA, VCDPA, CPA, CTDPA), has no data protection assessment requirement, no universal opt-out mechanism mandate, and has the longest cure period of any US state law (90 days). It also does not grant a distinct opt-out right against profiling, only targeted advertising and sale.
Enforcement & penalties
Enforcing agency: Iowa Attorney General. Consumer Protection Division
Maximum penalty: Up to $7,500 per violation under the Iowa Consumer Fraud Act
Cure period: ICDPA carries a permanent 90-day cure period with no sunset, the longest among US state privacy laws.
Private right of action: ICDPA has no private right of action. Enforcement is exclusive to the Iowa Attorney General. Consumer Protection Division.
Where to file a complaint: Iowa Attorney General. Consumer Protection Division
How to exercise your ICDPA rights
- 1
Identify the business that holds your data (or use OfflistMe, which pre-targets 500+ known brokers and applies ICDPA citations automatically).
- 2
Submit a verifiable consumer request to the business's designated contact. Include enough identifying data that the business can verify you as a Iowa resident (e.g., ZIP code, email associated with your record).
- 3
Under ICDPA, businesses have 90 days to respond. Extensions are permitted with written notice under most state laws.
- 4
If the business fails to respond or denies the request without legal basis, file a complaint with the Iowa Attorney General. Consumer Protection Division at https://www.iowaattorneygeneral.gov/for-consumers/file-a-consumer-complaint.
Use your rights
ICDPA-compliant deletion emails, $7 one-time
OfflistMe drafts ICDPA-compliant deletion emails for $500+ data brokers. Citations included. You send from your own inbox. No account, no ID upload.
Start for $7 →FAQ
Why is Iowa's ICDPA weaker than other state laws?+
Drafted with significant industry input, ICDPA omits correction rights and profiling opt-out, extends the response window to 90 days, and applies a long cure period. It still provides the core deletion right, which is what most data-broker opt-out work relies on, but consumers have fewer remedies for denied requests.
Official sources & citations
Compare with sibling state laws
ICDPA is one of 18 comprehensive US state privacy laws. Its closest peers by effective date, useful when tracking how this law influenced or was influenced by neighboring legislation: