Your Rights as an Iowa Resident

Under the Iowa Consumer Data Protection Act, residents have gained several important rights regarding their personal information, though these rights are somewhat narrower than those provided by privacy laws in other states.

• Right to know what data is collected: You can request confirmation of whether a business is processing your personal data and obtain access to that information, including details about how it’s being used[2][9]
• Right to delete personal information: You have the right to request deletion of personal data you provided to a business, and companies must respond within 90 days of your request[2][9]
• Right to opt out of data sales: Businesses must allow you to opt out of the sale of your personal data and the use of your information for targeted advertising[2][9]
• Right to data portability: You can obtain a portable copy of personal data you provided to a controller, unless it would compromise security protections[9]
• Right to opt out of sensitive data processing: Companies must provide notice and an opt-out option before processing sensitive personal information, though this uses an opt-out rather than opt-in approach[10][9]

While Iowa’s law offers several consumer rights, it does not grant the right to correct inaccurate personal data[11]. Additionally, there is no explicit mention of a right to appeal decisions related to privacy requests[11].

Business Requirements

• Coverage threshold: The law applies to businesses that process personal data of at least 100,000 Iowa residents per year, or 25,000 Iowa residents while deriving over 50% of gross revenue from data sales[12][13]
• Clear privacy notices: Companies must provide transparent information about their data collection and processing practices, including the purposes for which personal data is used[5]
• Consumer request procedures: Businesses must establish accessible methods for consumers to submit privacy requests and respond within 90 days without undue delay[9]
• Processor contracts: Controllers must establish written contracts with data processors that clearly outline processing instructions and obligations[10]
• Sensitive data protections: Before processing sensitive personal information, companies must provide notice and an opportunity for consumers to opt out[10][5]
• Data security measures: Organizations must implement appropriate technical and organizational measures to protect personal data, though specific security requirements are not extensively detailed in the law[5]

Practical Impact

• Enhanced control over personal information: Iowa residents can now request information about what data companies collect about them and have unwanted data deleted, providing practical tools to manage their digital footprint
• Protection from unwanted marketing: The right to opt out of targeted advertising and data sales gives consumers more control over how their information is used for commercial purposes
• Limited enforcement mechanisms: Since the law provides no private right of action, consumers cannot sue companies directly for violations and must rely on the Iowa Attorney General for enforcement[2][14]
• Business-friendly approach: The law’s longer cure period and absence of strict requirements like risk assessments may result in less aggressive enforcement compared to other states
• Gaps in protection: The opt-out rather than opt-in approach for sensitive data processing may limit the practical privacy benefits for consumers[10][8]

Comparison Context

• More limited than leading privacy states: Compared to California’s CCPA or Colorado’s privacy act, Iowa’s law provides fewer consumer rights and places lighter burdens on businesses[3][4]
• Similar to business-friendly models: Iowa’s approach closely mirrors Utah’s Consumer Privacy Act, which is considered one of the most business-friendly comprehensive privacy laws[7][4]
• Missing key protections: Unlike Virginia and Colorado, Iowa residents cannot opt out of profiling decisions[10][8]
• Enforcement limitations: While some states allow private lawsuits for privacy violations, Iowa only permits enforcement by the state Attorney General, potentially limiting accountability[2][14]
• Longer business accommodation period: Iowa’s 90-day cure period is the longest among state privacy laws, giving businesses more time to address violations before facing penalties[10][8]

Action Steps for Residents

• Review privacy policies: Start reading privacy notices from companies you interact with to understand how they collect and use your personal data
• Exercise your opt-out rights: Contact businesses to opt out of data sales and targeted advertising, especially for services you use frequently
• Request data access: Use your right to access personal information to understand what data companies have collected about you
• Monitor your digital footprint: Regularly review and delete unnecessary accounts and services to minimize data collection
• Stay informed about enforcement: Follow updates from the Iowa Attorney General’s office regarding privacy law enforcement and guidance for consumers
• Contact legislators: Engage with your state representatives if you believe Iowa’s privacy protections should be strengthened to match other states

Official Resources and Contact Information

Iowa Legislature

The Iowa General Assembly created this privacy law and continues to consider privacy-related legislation. Citizens can contact their representatives to advocate for stronger privacy protections or provide input on proposed changes.

Find Your Legislators: Use the Iowa Legislature’s online tool to identify your state senator and representative by entering your address at www.legis.iowa.gov.

Contact Methods:

• Iowa Senate Switchboard: (515) 281-3371[15][16]
• Iowa House Switchboard: (515) 281-3221[15][16]
• Email Pattern: firstname.lastname@legis.iowa.gov[15]
• Mailing Address: Iowa Legislature, State Capitol, 1007 E Grand Ave., Des Moines, IA 50319[17]

Iowa Attorney General

The Attorney General has exclusive authority to enforce Iowa’s privacy law and handles consumer protection matters, including privacy violations and data breach notifications.

Consumer Protection Division:

• Phone: (515) 281-5926[18]
• Email: consumer@ag.iowa.gov[18]
• Address: 1305 E. Walnut Street, Des Moines, Iowa 50319-0106[18]

Data Breach Notifications: Iowa law requires companies to notify the Attorney General within five business days after notifying affected individuals of security breaches involving 500 or more Iowa residents[18].

Legislative Services and Public Input

For questions about current privacy legislation, bill tracking, or to provide input on proposed laws:

• Legislative Information Office: (515) 281-5129[16]
• Legislative Services Agency: (515) 281-3566[16]
• Webmaster for legislative website feedback: (515) 281-6506[16]

Citizens can monitor privacy-related legislation and provide public comment during the legislative process by following bills through the Iowa Legislature website and attending committee hearings when privacy measures are under consideration.

Sources and Citations

Last Updated August 2025. Written with contributions from both human authors and Perplexity AI. If you find incorrect or outdated information let us know at support@optery.com.