Guides ICDPA compliance for Iowa consumer data: applicability thresholds (100k consumers), rights (access, delete, opt-out), sensitive data opt-in, 90-day responses, AG enforcement. Effective 2025.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-complete
This skill uses the workspace's default tool permissions.
The Iowa Consumer Data Protection Act (ICDPA), codified as Iowa Code Chapter 715D (SF 262), was signed into law on March 28, 2023, and became effective January 1, 2025. Iowa follows a business-friendly model with fewer consumer rights than most states (no right to correct or right to portability), a 90-day cure period (the longest among state privacy laws), and AG-only enforcement. The ICDPA is considered one of the least restrictive comprehensive state privacy laws.
The ICDPA applies to persons that conduct business in Iowa or produce products or services targeted to Iowa consumers AND during a calendar year:
Exemptions (§715D.3):
Liberty Commerce Inc. Assessment: Liberty Commerce Inc. processes personal data of approximately 52,000 Iowa consumers. It does not meet either threshold but maintains monitoring as part of its multi-state privacy compliance program.
Iowa provides fewer rights than most comprehensive state privacy laws:
Notable omissions:
Sensitive data may be processed only after the consumer gives opt-in consent. Iowa follows the Virginia model, which requires clear affirmative consent.
Iowa does NOT require data protection assessments (DPIAs). This is a notable omission compared to most comprehensive state privacy laws. However, organizations subject to multiple state laws should conduct DPIAs as required by other applicable jurisdictions.
Processing must be governed by a contract that includes:

| Feature | Iowa ICDPA | Virginia VCDPA | Connecticut CTDPA | Colorado CPA |
|---|---|---|---|---|
| Effective | Jan 1, 2025 | Jan 1, 2023 | Jul 1, 2023 | Jul 1, 2023 |
| Consumer threshold | 100,000 | 100,000 | 100,000 | 100,000 |
| Right to correct | No | Yes | Yes | Yes |
| Right to portability | No | Yes | Yes | Yes |
| Opt-out of profiling | No | Yes | Yes | Yes |
| DPIA required | No | Yes | Yes | Yes |
| Universal opt-out | No | No | Yes | Yes |
| Response window | 90 days | 45 days | 45 days | 45 days |
| Cure period | 90 days | 30 days | 60 days | 60 days |
| Enforcement | AG only | AG only | AG only | AG only |

| Milestone | Date | Action |
|---|---|---|
| Law enacted | March 28, 2023 | SF 262 signed by Governor |
| Compliance planning | April 2023 - June 2024 | Gap analysis, privacy notice updates |
| Technical implementation | July - November 2024 | Consumer rights portal, opt-out mechanisms |
| Staff training | November - December 2024 | Privacy team and customer service training |
| Effective date | January 1, 2025 | Full compliance required |