How Iowa's Consumer Data Privacy Act impacts video data and privacy
Iowa's Consumer Data Privacy Act (ICDPA) marks a significant step in strengthening consumer data privacy rights within the state. The regulations are modeled after similar legislation like California's CCPA and Virginia's CDPA, and grant individuals greater control over their personal information held by businesses.
The ICDPA applies to businesses that process the personal data of at least 100,000 Iowa consumers, or those that process the data of 25,000 consumers and also derive more than 50% of their gross revenue from the sale of personal data.
The law does exempt a number of entities from its scope, including Covered Entities under HIPAA, nonprofit organizations, and higher education institutions. Certain types of data are also exempt, such as health records protected by federal standards, employment-related data for internal use, and data already safeguarded by specific federal laws like COPPA (Children's Online Privacy Protection Act).
Non-compliance with the ICDPA can result in severe financial penalties, damage to the organization's reputation, and potential legal issues.
The official legal text of the ICDPA is available as Senate File 262.
Consumer rights under ICDPA
The ICDPA grants Iowa residents significant control over their personal data, empowering them to dictate how businesses collect, use, and share it.
They have the right to:
Access their data and request corrections for any inaccuracies.
Request deletion of their data, subject to legal obligations, public interest exceptions, or internal business uses.
Receive their data in a portable format for transfer to another entity, without incurring any charges.
The ICDPA also gives residents control over how businesses handle their personal data through clear opt-out rights. Organizations must provide consumers with transparent information about these options and make exercising them easy.
How ICDPA differs from other U.S. privacy laws
While the ICDPA aligns with laws such as the California Consumer Privacy Act (CCPA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA), there are a number of differences that businesses must address.
The ICDPA places a strong emphasis on data minimization, requiring businesses to collect only what is necessary, which aligns with CPA but goes beyond VCDPA's more flexible standards. It also explicitly requires multiple opt-out methods, like online forms or phone lines, providing clearer guidance than CCPA on the accessibility of opt-out options. Unlike the CCPA, ICDPA excludes a private right of action, centralizing enforcement through the Iowa Attorney General and reducing litigation exposure.
Healthcare
ICDPA complements existing regulations like HIPAA but extends protections to personal data outside the scope of PHI, requiring healthcare organizations to adopt broader data protection strategies. For example, a healthcare provider must safeguard data in patient portals and billing systems, extending protections to non-HIPAA-regulated personal information.
Education
Schools must balance compliance with the Family Educational Rights and Privacy Act (FERPA) while addressing ICDPA's requirements for data that is not covered by FERPA, like employee records or parent contact details. Schools must assess vendor-operated systems, such as digital learning platforms, to ensure compliance with ICDPA's requirements for parental and student data.
Retail and E-Commerce
Retailers must implement transparent consumer data practices, ensuring easy opt-out mechanisms for loyalty program data or marketing information, a recurring focus across state laws. Iowa retailers should review loyalty program practices, ensuring minimal data collection and transparent opt-out options integrated into websites and customer service channels.
Public Safety and Transport
Agencies and businesses handling non-federally regulated data, such as GPS or subscription details, must adapt existing privacy measures to meet ICDPA standards. Ridesharing companies should review how location data is processed and stored, providing consumers with straightforward ways to request deletion.
Business obligations under ICDPA
The ICDPA places key responsibilities on Iowa businesses handling resident personal data:
Limit the collection, use, and retention of personal data to disclosed purposes.
Ensure encryption, multi-factor authentication, secure data disposal, and regular software updates.
Conduct and document regular risk assessments to evaluate data vulnerabilities and threats.
Provide clear privacy notices detailing data categories, purposes, and third-party sharing practices.
Offer user-friendly opt-out options for data sharing or sales.
Practical steps for compliance:
Evaluate data practices: Conduct a comprehensive audit to identify data activities subject to ICDPA.
Address ICDPA-specific gaps: Focus on developing multiple opt-out mechanisms and implementing strict data minimization protocols.
Sector-specific training: Train employees to recognize and address privacy concerns unique to their industry.
Test and iterate: Deploy system updates and routinely test processes for compliance, refining as needed.
Video and visual data under the ICDPA
The ICDPA extends to personal data captured through video and visual systems, making compliance critical for organizations managing video security tools or CCTV systems.
Under ICDPA, businesses that collect, store, and process visual data - such as surveillance footage, facial recognition logs, or license plate captures - must ensure it is handled responsibly. This includes minimizing retention to only what is necessary for operational or legal purposes, securing footage with encryption and access controls, and providing clear policies on how visual data is used and shared. Transparency is a must, and privacy notices should disclose video data collection practices and allow individuals to request access or deletion of identifiable information, where applicable.
Iowa's Consumer Data Privacy Act presents an opportunity for businesses in Iowa to enhance data protection practices and build trust with consumers. Organizations that take a proactive approach to implementation can navigate this new regulatory landscape effectively and position themselves as advocates of consumer privacy.
Pimloc’s Secure Redact helps organizations navigate the ICDPA and ensure timely compliance by optimizing their video security practices to meet these regulatory expectations.