# Iowa Privacy Law (ICDPA) Compliance Guide for Small Businesses

> Iowa ICDPA took effect January 1, 2025. It applies to businesses processing data of 100,000+ Iowa consumers annually with no revenue threshold.

_Published 2026-04-07 by Nikolas_

# Iowa Privacy Law (ICDPA): What Small Businesses Need to Know

The Iowa Consumer Data Protection Act (ICDPA) took effect **January 1, 2025**, and applies to any business processing the personal data of **100,000 or more Iowa consumers** in a calendar year — with **no annual revenue threshold**. A secondary trigger captures businesses processing data of 25,000 or more Iowa consumers and deriving 50% or more of revenue from data sales. The Iowa Attorney General is the sole enforcement authority. ICDPA is one of the most business-friendly state privacy laws in the country: it grants fewer consumer rights than most other state laws (no right to correction), has the longest cure period (90 days), and includes broad processor exemptions. It is structurally based on the Virginia model but trimmed for business friendliness.

---

## Does ICDPA Apply to My Business?

ICDPA applies to any person that conducts business in Iowa or produces products or services targeted to Iowa residents AND meets one of two thresholds:

- Controls or processes personal data of **100,000 or more Iowa consumers** during a calendar year, OR
- Controls or processes personal data of **25,000 or more Iowa consumers** AND derives more than **50%** of gross revenue from the sale of personal data.

The threshold logic is **OR**, with no revenue floor under either path.

| Threshold | Iowa ICDPA | CCPA/CPRA | Virginia VCDPA |
|-----------|------------|-----------|----------------|
| Revenue | None | $25M+ | None |
| Consumer count | 100,000 | 100,000 | 100,000 |
| Data sale alternative | 25K + 50% | 50% revenue share | 25K + 50% |
| Threshold logic | OR | OR | OR |

Iowa accounts for roughly 1.0% of the US population. A national e-commerce store with approximately 10 million annual unique US visitors would, on a population basis, reach 100,000 Iowa consumers. The threshold is high relative to Iowa's small population, meaning fewer mid-size businesses are in scope under ICDPA than under laws like Connecticut or Delaware.

---

## What Does ICDPA Require?

ICDPA grants Iowa consumers a narrower set of rights than most other state privacy laws. Notably, **there is no right to correction** under ICDPA, and the right to deletion is more limited than under Virginia or Texas.

**Consumer rights you must honor.** Consumers may access their personal data, delete personal data they provided to the business, obtain a copy in a portable format, and opt out of the sale of personal data and targeted advertising. The response deadline is 90 days (longer than the 45 days under most other state laws), with one possible 45-day extension.

**Disclosures you must publish.** A privacy notice covering the categories of personal data processed, the purposes of processing, the categories of third-party sharing, and instructions for exercising rights.

**Operational practices.** Iowa requires reasonable security practices and opt-in consent for sensitive data processing. ICDPA does **not** require data protection assessments, does not require honoring universal opt-out signals, and does not require an appeals process. These omissions make Iowa one of the lowest-burden state privacy laws in the country.

---

## How ICDPA Affects Small Businesses

For businesses in scope, ICDPA is one of the easiest state privacy laws to comply with. The omission of correction rights, data protection assessments, GPC handling, and appeals processes substantially reduces the operational burden compared to Virginia, Colorado, or Connecticut. The 90-day response window gives businesses more time to handle requests.

For Shopify merchants and direct-to-consumer brands, the practical takeaway is: if you are already complying with Virginia VCDPA or Texas TDPSA, complying with ICDPA is largely a matter of confirming Iowa-specific privacy notice references and verifying your existing rights workflow can handle the (relatively few) Iowa consumer requests you receive. The gap is small.

The high consumer threshold and small Iowa population mean fewer national e-commerce businesses are in scope under ICDPA than under laws covering more populous states. Iowa is more likely to apply to large national platforms than to mid-size DTC brands.

---

## Key Differences from Other State Privacy Laws

ICDPA is the most business-friendly comprehensive state privacy law currently in effect, alongside Utah UCPA. Several distinctive features make this clear:

**No right to correction.** ICDPA is the only state privacy law that does not grant consumers the right to correct inaccurate personal data the business holds. Every other state privacy law includes this right.

**Limited deletion right.** ICDPA's deletion right is narrower than most state laws — it covers only personal data that the consumer themselves provided to the business, not data inferred or obtained from third parties.

**90-day response window.** Iowa gives businesses 90 days to respond to consumer rights requests (versus the 45-day standard in most other states). This is the longest response window among current state privacy laws.

**No data protection assessments.** ICDPA does not require businesses to conduct or document data protection assessments for high-risk processing. This is an unusual omission.

**No appeals process.** ICDPA does not require an appeals workflow for denied rights requests. Most other state privacy laws do.

**No universal opt-out signal mandate.** Like most non-California, non-Colorado states, Iowa does not require honoring GPC.

Compared to **California CCPA/CPRA**, ICDPA is dramatically narrower — California grants more rights, more enforcement mechanisms, and broader sensitive data protections. Iowa is also much narrower than Virginia, Colorado, and Connecticut.

---

## How to Comply with ICDPA

If ICDPA applies to your business, the following steps establish baseline compliance.

1. **Confirm scope.** Calculate your annual Iowa consumer count from analytics, customer records, and email lists. If you reach 100,000, or 25,000 while deriving more than 50% of gross revenue from the sale of personal data, you are in scope.
2. **Update your privacy notice** to include Iowa-specific references. If you already have a multi-state privacy notice, additions are minimal — Iowa has fewer required disclosures than most states.
3. **Add opt-out mechanisms** for targeted advertising and sale of personal data.
4. **Build a consumer rights request workflow** with the 90-day response deadline tracked. Iowa's window is longer than most states', so you can use a unified 45-day workflow if you handle multiple states.
5. **Implement opt-in consent for sensitive data** before processing any sensitive personal data category.
6. **Document reasonable security practices** appropriate to the volume and nature of data you process.
7. **Skip data protection assessments and appeals processes** if Iowa is your only obligation. If you handle requests from multiple states, build the broader workflow once and apply it everywhere.

---

## ICDPA Enforcement and Penalties

The Iowa Attorney General has exclusive enforcement authority for ICDPA. There is no private right of action — Iowa consumers cannot sue businesses directly. The AG may seek civil penalties of up to **$7,500 per violation**, plus reasonable expenses incurred in investigation.

ICDPA includes a permanent **90-day cure period** before formal enforcement — the longest cure period of any state privacy law. The AG must provide written notice, and the business has 90 days to fix the issue and provide a written statement to the AG. If cured within 90 days, the AG may not bring an action for that violation. This cure period is significantly more protective than the discretionary regimes in California, Colorado, and Connecticut.

The Iowa AG has been minimally active on ICDPA enforcement since the law took effect, consistent with the law's business-friendly design.

---

## Frequently Asked Questions

### When does Iowa's privacy law take effect?

Iowa's Consumer Data Protection Act (ICDPA) took effect January 1, 2025. The Iowa Attorney General has been the sole enforcement authority since that date.

### Does Iowa ICDPA have a revenue threshold?

No. ICDPA applies based on consumer data volume only: 100,000 or more Iowa consumers annually, or 25,000 or more consumers if 50% or more of revenue comes from selling personal data. There is no annual revenue minimum.

### Does Iowa grant consumers a right to correct their data?

No. ICDPA is the only state privacy law that does not grant consumers a right to correct inaccurate personal data. Every other comprehensive state privacy law includes this right.

### Does ICDPA require data protection assessments?

No. Unlike Virginia, Colorado, Connecticut, and most other state privacy laws, Iowa does not require businesses to conduct or document data protection assessments for high-risk processing activities.

### What are the penalties for ICDPA violations?

The Iowa AG can seek civil penalties of up to $7,500 per violation, plus reasonable investigation costs. There is no private right of action. ICDPA includes a permanent 90-day cure period — the longest of any state privacy law — which provides significant protection against enforcement actions.

### Is ICDPA easier to comply with than other state privacy laws?

Yes. ICDPA is one of the most business-friendly state privacy laws currently in effect. It omits the right to correction, does not require data protection assessments or appeals processes, does not mandate honoring universal opt-out signals, and provides a 90-day response window and 90-day cure period. Compliance is substantially less burdensome than under Virginia, Colorado, or Connecticut.

---


*This guide is for informational purposes only and does not constitute legal advice. Last updated: April 2026.*

