Iowa Consumer Data Protection Act (ICDPA)
A practical compliance guide for website owners. Learn what Iowa's privacy law requires and how to implement it on your site.
Who Must Comply
Controls/processes personal data of 100K+ Iowa consumers, OR controls/processes data of 25K+ consumers and derives 50%+ of gross revenue from selling personal data
What Your Website Must Do
| Requirement | Status |
|---|---|
| Cookie consent banner | Recommended |
| Do Not Sell link | Required |
| Do Not Share link | Not required |
| Honor GPC browser signals | Recommended |
| Universal opt-out mechanism | Not required |
| Sensitive data opt-in consent | Required |
Required Links & Notices
The ICDPA requires the following links or notices to be visible on your website:
- 1Privacy Policy
Enforcement & Penalties
Key Things to Know
Iowa's privacy law is one of the most business-friendly, alongside Utah. It features a permanent 90-day cure period (the longest of any state) and limited consumer rights compared to states like California or Colorado.
Key features: Iowa does not grant consumers the right to correct personal data or opt out of profiling. The 90-day cure period has no sunset date, giving businesses significant time to address violations before facing penalties.
Higher revenue threshold: Like California, Iowa requires 50% revenue from data sales (combined with 25K+ consumers), which is a higher bar than many states' 25% threshold.
How to Configure LegalBanner for ICDPA
- 1
Create your site
Sign up for free and add your website domain in the dashboard.
- 2
Set consent mode to "Opt-out"
In Settings, select the consent mode that matches Iowa's requirements.
- 3
Install the snippet
Add the one-line script tag to your website. The banner, opt-out links, and GPC support are automatic.
- 4
Generate your Privacy Policy
Use the built-in policy wizard to generate a ICDPA-compliant privacy policy.
Set up ICDPA compliance in 5 minutes
LegalBanner handles Iowa privacy requirements automatically — cookie banner, opt-out links, and GPC support included.
Frequently Asked Questions
When did the Iowa ICDPA take effect?
The ICDPA took effect January 1, 2025. It is one of the newest state privacy laws.
Does Iowa require a cookie consent banner?
No. Iowa does not require opt-in cookie consent. You must provide opt-out mechanisms for targeted advertising and sale of personal data.
Does Iowa require honoring GPC signals?
No. Iowa does not require businesses to honor GPC or any universal opt-out mechanism.
What makes Iowa different from other state privacy laws?
Iowa has the longest cure period (90 days, permanent), does not provide a right to data correction, does not require GPC support, and has a higher 50% revenue threshold for data sellers.
What are the penalties for ICDPA violations?
Up to $7,500 per violation, enforced by the Iowa Attorney General. The 90-day cure period is permanent and does not sunset.