What is IACDPA?

The IACDPA (Iowa Consumer Data Protection Act) is a state-level data privacy law designed to protect the personal data of Iowa residents. It grants consumers certain rights over their personal data and imposes obligations on businesses that collect, process, or share such data. The IACDPA was signed into law on March 28, 2023, and will go into effect on January 1, 2025.

Where does the IACDPA apply?

The IACDPA applies to businesses that:
- Operate in Iowa or produce products or services targeted to Iowa residents, and
- During a calendar year, either:
  - Control or process personal data of 100,000 or more Iowa consumers, or
  - Derive over 50% of gross revenue from the sale of personal data and control or process personal data of 25,000 or more Iowa consumers.

What are some possible reasons for a penalty?

Here are some possible reasons for penalties:
- Failure to Comply with Consumer Rights: Not responding to consumer requests within the required timeframe (typically 45 days, with a possible 45-day extension).
- Unlawful Sale of Personal Data: Selling personal data without providing consumers with a clear and conspicuous opt-out mechanism. Selling personal data of consumers who have opted out of such sales.
- Non-Compliance with Data Security Requirements: Failing to implement and maintain reasonable data security practices to protect personal data from unauthorized access, disclosure, or breaches.
- Lack of Transparency: Failing to provide a clear and accessible privacy notice.
- Processing Sensitive Data Without Consent: Collecting or processing sensitive personal data without first obtaining the consumer's consent.

Who is liable for a penalty under IACDPA?

Under the Iowa Consumer Data Protection Act (IACDPA), liability for penalties typically falls on data controllers. This includes businesses that operate in Iowa or target Iowa residents and meet the thresholds for applicability (e.g., controlling or processing data of 100,000+ Iowa consumers or deriving over 50% of revenue from selling data of 25,000+ consumers). Data processors (third parties that process data on behalf of controllers) may also face liability if they violate the terms of their contractual agreements with controllers or fail to assist controllers in meeting their obligations under the law.

What are the penalties for Non-Compliance?

- Civil Penalties (Fines): Businesses may face civil penalties for violations of the IACDPA. The exact amount is not explicitly stated in the law but is determined by the Iowa Attorney General based on the nature and severity of the violation.
- Injunctions: The Attorney General can seek court-ordered injunctions to stop businesses from continuing non-compliant practices, such as unlawfully processing or selling personal data.
- Cure Period and Continued Enforcement: Businesses are given a 90-day cure period to address violations after receiving notice from the Attorney General. If the violation is not resolved within this period, the Attorney General may proceed with enforcement actions, including fines or injunctions.
- Reputational Damage: Beyond formal penalties, public enforcement actions can erode consumer trust in the business.

Frequently Asked Questions

How do I obtain consent from individuals under the IACDPA?

Under the Iowa Consumer Data Protection Act (IACDPA), obtaining valid consent from individuals for processing sensitive personal data requires that consent be freely given, specific, informed, and unambiguous. Businesses must clearly explain the categories of sensitive data being collected and the specific purposes for processing it, using plain language in a prominent and easy-to-understand notice. Consent must be obtained through an affirmative act, such as checking a box or clicking an "I agree" button, and cannot rely on pre-ticked boxes or passive acceptance.

Individuals must also be informed of their right to withdraw consent at any time, with an easy and accessible mechanism provided for doing so. Businesses should document consent details, including the date, method, and purpose, and avoid coercive practices that condition services on unnecessary data processing. If the purpose for processing changes, new consent must be obtained.

How is the IACDPA enforced?

The Iowa Consumer Data Protection Act (IACDPA) is enforced exclusively by the Iowa Attorney General. Here’s how enforcement works:
- Notice and Cure Period: If the Attorney General believes a violation has occurred, they must provide the business with a 90-day written notice and an opportunity to cure the violation. If the business corrects the issue within this period, no further action is taken.
- Penalties for Non-Compliance: If the violation is not resolved within the cure period, the Attorney General may pursue enforcement actions, including civil penalties (fines) and court-ordered injunctions to stop non-compliant practices. The exact amount of fines is not specified in the law but is determined based on the nature and severity of the violation.
- No Private Right of Action: Unlike some other state privacy laws, the IACDPA does not allow individuals to sue businesses for violations. Only the Attorney General can enforce the law.
- Investigative Authority: The Attorney General has the authority to investigate potential violations, request documentation, and take legal action to ensure compliance with the IACDPA.

How do I make my business compliant with the IACDPA?

Start by confirming if the law applies to you based on data processing thresholds. Update your privacy policy to clearly explain what data you collect, how it’s used, and how consumers can exercise their rights, such as accessing, deleting, or opting out of data sales. Implement processes to handle these requests within the required timeframes. Obtain explicit consent before collecting sensitive data and ensure robust data security measures are in place. Limit data collection to what’s necessary and establish contracts with third-party processors to ensure compliance. Train employees on IACDPA requirements and regularly audit your practices. By taking these steps, you can avoid penalties and build consumer trust.

Shopify merchants can streamline compliance by leveraging tools like Consentmo, which offers automated solutions for managing cookie consent, generating privacy notices, and processing data subject requests.