This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
| less than a minute read

Iowa Passes Comprehensive State Privacy Law

Iowa is now the 6th state to pass a comprehensive privacy law, joining Connecticut, Utah, Virginia, Colorado and California. Much like Utah’s statute, Iowa’s new law takes a business-friendly approach.

The law goes into effect on January 1, 2025, and applies to entities that (a) control or process personal data on 100,000 Iowan consumers or (b) derive 50% of revenue from selling the data of more than 25,000 consumers. Unlike other state comprehensive privacy statutes, the Iowa law does not have a private right of action and does not require data protection assessments, advertising opt-outs, or data minimization practices. It is enforceable by the Iowa Attorney General.

Takeaway: For companies already required to comply with more robust state privacy laws, such as those in California and Colorado, the Iowa law doesn’t add significant additional obligations.

While the Iowa law provides many of the same protections as the other comprehensive state privacy laws, the rights and obligations are less prescriptive concerning business compliance.


corporate, privacy cybersecurity, regulatory