Iowa is now the 6th state to pass a comprehensive privacy law, joining Connecticut, Utah, Virginia, Colorado and California. Much like Utah’s statute, Iowa’s new law takes a business-friendly approach.

The law goes into effect on January 1, 2025, and applies to entities that (a) control or process personal data on 100,000 Iowan consumers or (b) derive 50% of revenue from selling the data of more than 25,000 consumers. Unlike other state comprehensive privacy statutes, the Iowa law does not have a private right of action and does not require data protection assessments, advertising opt-outs, or data minimization practices. It is enforceable by the Iowa Attorney General.

Takeaway: For companies already required to comply with more robust state privacy laws, such as those in California and Colorado, the Iowa law doesn’t add significant additional obligations.