Iowa Consumer Data Protection Act (Iowa CDPA)
Iowa's minimalist consumer privacy law effective January 1, 2025 — the most business-friendly in the US alongside Utah, with no right to correction, no profiling opt-out, no DPIA mandate, and the longest cure period (90 days, permanent).
Overview
The Iowa Consumer Data Protection Act (SF 262, 2023), codified at Iowa Code Sec. 715D.1 et seq., took effect on January 1, 2025. Iowa is widely regarded — alongside Utah's UCPA — as the most business-friendly comprehensive privacy law in the United States. The statute deliberately pares back the Virginia model to a compliance floor: no right to correction, no opt-out of profiling, no DPIA obligation, and no UOOM requirement.
Applicability thresholds track the Virginia ceiling rather than the Delaware floor: a controller must conduct business in Iowa and, in a calendar year, process personal data of 100,000 or more consumers, or 25,000 or more consumers while deriving over 50% of gross revenue from the sale of personal data.
Exemptions follow the standard Virginia family: government entities, HIPAA, GLBA, non-profits, higher-education institutions, and data covered by FCRA, DPPA, FERPA, and COPPA. Employee and B2B data remain outside scope.
Consumer Rights
Iowa's rights bundle is the most restricted of any comprehensive US privacy law:
- Right to access personal data (available)
- Right to correct — NOT available under Iowa CDPA
- Right to delete (available)
- Right to data portability (available)
- Right to opt out of sale (available)
- Right to opt out of targeted advertising (available)
- Right to opt out of profiling — NOT available under Iowa CDPA
The absence of correction and profiling opt-out means Iowa residents have meaningfully fewer controls than neighbors in Colorado or Connecticut. Sensitive data requires opt-in consent under the standard Virginia-family definition.
Compliance Requirements
Controllers must publish a privacy notice and respond to DSRs within 90 days, a window that matches the cure period and is the longest in the country. There is no DPIA obligation (Iowa and Utah are the only comprehensive-law states without one) and no UOOM / GPC recognition requirement.
Processors execute data-processing contracts; controllers must offer a clear mechanism to exercise each available right.
Cure Period + Enforcement
The Iowa Attorney General has exclusive enforcement authority — no private right of action. Civil penalties reach up to $7,500 per violation, the Virginia-family baseline.
Iowa offers a 90-day right to cure, the longest in the United States and notably permanent (no sunset clause). Combined with the 90-day DSR response window, this gives controllers a substantial procedural buffer.
How Inori Addresses This
Inori's v1.2 privacy.mdx lists Iowa in the applicable-states table and clarifies which rights are available. Our /api/dsar endpoint honors access, delete, portability, sale opt-out, and targeted-advertising opt-out for Iowa residents. We do not expose a correction-request path to Iowa users (since the statute does not grant it) and do not offer a profiling opt-out toggle for Iowa-only contexts.
GPC handling in middleware.ts is active platform-wide, so Iowa residents still benefit even though the state does not mandate it. Hard-purge at 90 days via cron satisfies the right-to-delete lifecycle. DPIA-style documentation is maintained voluntarily and does not trigger Iowa-specific deliverables.