What Is the Iowa Consumer Data Protection Act?
ICDPA applies to controllers processing data of 100,000+ Iowa consumers or 25,000+ while selling data. Consumer rights are limited to access, delete, port, and opt-out of sale and targeted ads. There is no right to correct and no profiling opt-out — making ICDPA more business-friendly than peer laws. Enforcement is exclusive to the AG with a 90-day cure period.
At a glance
- Full name: Iowa Consumer Data Protection Act
- Short code: ICDPA
- Effective date: January 1, 2025
- Response deadline: 90 days
- Cure period: 90 days
- Private right of action: No
- Enforcement: Iowa Attorney General — Consumer Protection Division
- Maximum penalty: Up to $7,500 per violation under the Iowa Consumer Fraud Act
- Statutory citation: Iowa Code § 715D.1 et seq.
Who ICDPA applies to
A business is covered if it meets the applicability thresholds set out in Iowa Code § 715D.1 et seq. Most state laws use an “or” framework — any one of the thresholds triggers coverage unless otherwise noted.
- Conducts business in Iowa or targets Iowa residents, AND
- Controls or processes personal data of 100,000+ Iowa consumers in a calendar year, OR
- Controls or processes personal data of 25,000+ Iowa consumers AND derives over 50% of gross revenue from the sale of personal data
Consumer rights under ICDPA
- Delete, access, port, opt-out of sale and targeted ads
- No right to correct (unusual gap)
- No profiling opt-out
- 90-day response window (longer than peers)
Notable features (vs. CCPA)
ICDPA is among the most business-friendly comprehensive state privacy laws. It omits the right to correct (unlike CCPA, VCDPA, CPA, CTDPA), has no data protection assessment requirement, no universal opt-out mechanism mandate, and has the longest cure period of any US state law (90 days). It also does not grant a distinct opt-out right against profiling — only targeted advertising and sale.
Enforcement & penalties
Enforcing agency: Iowa Attorney General — Consumer Protection Division
Maximum penalty: Up to $7,500 per violation under the Iowa Consumer Fraud Act
Cure period: ICDPA carries a permanent 90-day cure period with no sunset — the longest among US state privacy laws.
Private right of action: ICDPA has no private right of action. Enforcement is exclusive to the Iowa Attorney General — Consumer Protection Division.
Where to file a complaint: Iowa Attorney General — Consumer Protection Division
How to exercise your ICDPA rights
1. Identify the business that holds your data (or use OfflistMe, which pre-targets 300+ known brokers and applies ICDPA citations automatically).
2. Submit a verifiable consumer request to the business's designated contact. Include enough identifying data that the business can verify you as an Iowa resident (e.g., ZIP code, email associated with your record).
3. Under ICDPA, businesses have 90 days to respond. Extensions are permitted with written notice under most state laws.
4. If the business fails to respond or denies the request without legal basis, file a complaint with the Iowa Attorney General — Consumer Protection Division at https://www.iowaattorneygeneral.gov/for-consumers/file-a-consumer-complaint.
FAQ
Why is Iowa's ICDPA weaker than other state laws?
Drafted with significant industry input, ICDPA omits correction rights and profiling opt-out, extends the response window to 90 days, and applies a long cure period. It still provides the core deletion right — which is what most data-broker opt-out work relies on — but consumers have fewer remedies for denied requests.
Compare with sibling state laws
ICDPA is one of 18 comprehensive US state privacy laws. Its closest peers by effective date — useful when tracking how this law influenced or was influenced by neighbouring legislation: