Iowa Consumer Data Protection Act: Iowa Privacy Law

Business Threshold

Conducts business in Iowa OR produces products/services targeted to Iowa residents

VCDPA: Conducts business in VA or targets VA residents<br>CCPA: Does business in California

Extraterritorial reach for out-of-state businesses

Consumer Data Volume - Baseline

Controls/processes personal data of 100,000+ Iowa consumers

VCDPA: 100,000+ consumers<br>CDPA: 100,000+ consumers

Consistent state privacy law threshold

Data Sales Volume

Derives 50%+ revenue from selling personal data AND controls/processes 25,000+ Iowa consumers

VCDPA: 50%+ from sales, 25,000+ consumers<br>CCPA: Similar dual threshold

Lower consumer threshold for data sellers

Revenue Threshold

No revenue threshold requirement

VCDPA: $25M eliminated 2023<br>CCPA: $25M active

Small businesses in scope if meet volume thresholds

Effective Date

January 1, 2025

VCDPA: January 1, 2023<br>Utah: December 31, 2023

Among later-adopting states

Exemptions - GLBA Entities

Financial institutions subject to Gramm-Leach-Bliley Act

VCDPA: GLBA exemption<br>CCPA: GLBA exemption

Standard financial sector carveout

Exemptions - HIPAA Entities

Covered entities and business associates under HIPAA

VCDPA: HIPAA exemption<br>CCPA: HIPAA exemption

Healthcare provider exemption

Exemptions - Employment Data

Employee and job applicant data, B2B contact information

VCDPA: Employment data exempt<br>CCPA: Limited exemption

Broad HR data exclusion

Exemptions - Nonprofit Organizations

Nonprofit organizations exempt

VCDPA: Nonprofit exemption<br>GDPR: No nonprofit exemption

Nonprofit sector exclusion

Exemptions - Higher Education

Higher education institutions exempt

VCDPA: Higher ed exempt<br>CCPA: University exemption

Educational institution carveout

Government Entity Coverage

State government agencies exempt

VCDPA: Government exempt<br>CCPA: Government exempt

Standard government exclusion

Household Definition

Not defined (focuses on individual consumers)

VCDPA: Individual focus<br>CCPA: Household definitions

Individual-based consumer counting

Deidentified Data Exemption

Deidentified data exempt if meets technical standards

VCDPA: Deidentified exempt<br>GDPR: Anonymized exempt

Technical deidentification required

Publicly Available Information

Lawfully obtained public information exempt

VCDPA: Public information exempt<br>CCPA: Public records exception

Public data exclusion

Child-Directed Services

Additional requirements for services directed to children

COPPA: Child-directed service regulations<br>VCDPA: Known child provisions

Enhanced child protection

Agricultural Data

No specific agricultural data exemption

VCDPA: No agriculture exemption<br>Many ag-data laws: Sector-specific

Agriculture subject to general privacy law

Cure Period

90-day right to cure violations (through 2026)

VCDPA: 30-day cure (through 2025)<br>CDPA: 60-day cure

Longest cure period among state laws

Personal Data

Information linked or reasonably linkable to identified or identifiable individual

Lawful purpose, purpose limitation, data minimization

Privacy notice, consumer rights, security

Sensitive Data - Racial/Ethnic Origin

Data revealing racial or ethnic origin

Opt-in consent required

Explicit consent, purpose-specific processing

Sensitive Data - Religious Beliefs

Data revealing religious beliefs

Opt-in consent required

Explicit consent, limited disclosure

Sensitive Data - Mental/Physical Health

Mental or physical health diagnosis, treatment, condition

Opt-in consent required

Health data protections, security safeguards

Sensitive Data - Sexual Orientation

Data revealing sexual orientation

Opt-in consent required

Explicit consent, confidentiality protections

Sensitive Data - Citizenship/Immigration

Citizenship or immigration status

Opt-in consent required

Government disclosure restrictions

Sensitive Data - Genetic/Biometric

Genetic or biometric data for unique identification

Opt-in consent required

Technical safeguards, encryption

Sensitive Data - Precise Geolocation

Geolocation data accurate within 1,750 feet

Opt-in consent required

Location service disclosures, granular controls

Sensitive Data - Child Data

Personal data of child under 13

Opt-in parental consent required

COPPA-aligned verification

Consumer

Iowa resident acting in individual or household capacity

Consumer rights apply

Business-context exclusion

Child

Individual under 13 years of age

Enhanced protections, parental consent

Age verification mechanisms

Known Child

Actual knowledge that personal data is of child

Heightened privacy protections

Actual knowledge standard

Deidentified Data

Data that cannot reasonably identify, relate to, describe, or be linked to individual

Not subject to Iowa law

Technical/administrative safeguards

Pseudonymous Data

Data requiring additional information kept separately for re-identification

Subject to Iowa law protections

Separation controls, access restrictions

Sale of Personal Data

Exchange of personal data for monetary or other valuable consideration

Opt-out right, privacy notice disclosure

Sales tracking, opt-out mechanisms

Targeted Advertising

Displaying ads selected based on personal data from consumer's activities over time/across sites

Opt-out right, privacy notice disclosure

Cross-context tracking disclosure

Profiling

Automated processing to evaluate, analyze, predict personal aspects

Opt-out for legal/significant effects

Algorithmic transparency, impact assessment

Controller

Determines purposes and means of processing personal data

Consumer rights, data protection assessments, privacy notice, contracts

Direct AG enforcement, civil penalties

Processor

Processes personal data on behalf of and under instructions of controller

Controller instruction compliance, assistance with requests, security

Liability through controller relationship

Controller - Lawful Purpose

Process personal data only with lawful, specified, explicit purposes

Purpose documentation, legitimate basis

Purpose limitation enforcement

Controller - Data Minimization

Collect personal data adequate, relevant, limited to disclosed purposes

Collection necessity review

Ongoing data collection audit

Controller - Consumer Rights

Honor consumer rights requests within statutory timeframes

Request verification, fulfillment procedures

45-day response deadline (90-day extension)

Controller - Privacy Notice

Provide reasonably accessible, clear privacy notice

Transparency requirements, plain language

Continuous notice availability

Controller - Security

Implement reasonable administrative, technical, physical safeguards

Risk-appropriate security program

Data sensitivity-based security

Controller - Data Protection Assessment

Conduct assessment for high-risk processing

Targeted advertising, sales, profiling, sensitive data

Risk-benefit documentation

Controller - Nondiscrimination

Cannot discriminate against consumers exercising rights

Service parity, no penalties for rights exercise

Limited exceptions for service differences

Controller - Consent Management

Obtain and document required consent

Consent records, withdrawal mechanisms

Consent validity maintenance

Processor - Instructions

Process only pursuant to controller's documented instructions

Instruction adherence, scope limitations

Unauthorized processing prohibition

Processor - Confidentiality

Ensure authorized personnel confidentiality commitments

Access controls, confidentiality agreements

Personnel security obligations

Processor - Security Measures

Implement appropriate technical/organizational security

Security appropriate to risk

Incident notification obligations

Processor - Subprocessor Authorization

Obtain controller's prior authorization for subprocessors

Subprocessor notification, objection rights

Flow-down contractual obligations

Processor - Consumer Request Assistance

Assist controller in responding to consumer rights requests

Technical assistance, data access

Cooperation requirements

Processor - DPA Assistance

Assist controller with data protection assessments

Information provision, risk assessment support

Assessment cooperation

Processor - Data Deletion/Return

Delete or return personal data at controller direction or contract end

Deletion procedures, data disposition

Post-termination obligations

Processor - Audit Cooperation

Allow and contribute to controller audits and inspections

Reasonable audit access, information provision

Audit accommodation

Right to Confirm

Confirm whether controller is processing consumer's personal data

Yes/no response, data access if processing

Verification before disclosure

Right to Access

Access personal data being processed

Provide data in portable, readily usable format

Format standards, delivery mechanisms

Right to Correction

Correct inaccuracies in personal data

Correction procedures, accuracy verification

Data accuracy standards

Right to Deletion

Delete personal data provided by/obtained about consumer

Deletion across all systems, reasonable timeframe

Retention exception documentation

Right to Data Portability

Obtain copy of personal data in portable, readily usable format

Machine-readable formats to extent technically feasible

CSV, JSON, XML format options

Right to Opt Out - Targeted Advertising

Opt out of personal data processing for targeted advertising

Cease targeted advertising, honor preference

Cross-device opt-out synchronization

Right to Opt Out - Sales

Opt out of sale of personal data

Cease sales, notify downstream recipients

Contractual sales cessation obligations

Right to Opt Out - Profiling

Opt out of profiling in furtherance of decisions with legal/significant effects

Cease automated decision-making, provide alternatives

Human review mechanisms

Request Verification

Reasonably verify consumer identity before fulfilling request

Identity verification procedures

Balance security with accessibility

Response Timeframe

Respond within 45 days of verified request receipt

Timely response, deadline tracking

Workflow automation, deadline alerts

Extension Notification

May extend response by 45 additional days with consumer notice

Extension justification, notice requirements

Complex request handling

Free Request

Cannot charge fee for requests up to twice per 12-month period

Free first two requests, reasonable fees thereafter

Request frequency tracking

Request Denial

May deny requests under specific statutory circumstances

Denial explanation, legal basis documentation

Appeal process notification

Appeal Rights

Provide appeal process for denied or unfulfilled requests

Appeal procedures, 45-day appeal response

Secondary review process

AG Notification

Inform consumer of right to contact Iowa AG if appeal denied

AG contact information provision

Regulatory escalation notice

Authorized Agent

Accept requests through consumer-authorized agents

Agent verification, authorization confirmation

Power of attorney review

Targeted Advertising Opt-Out

Clear and conspicuous method for opt-out

Dedicated opt-out link, preference center

Persistent opt-out maintenance

Sales Opt-Out

Clear and conspicuous opt-out mechanism

Integration with data sharing systems

Third-party notification

Profiling Opt-Out

Opt-out for profiling producing legal/significant effects

Algorithmic processing controls

Alternative decision methods

Universal Opt-Out Signal

Recognize universal opt-out preference signals

GPC detection, browser signal processing

Signal compliance by July 1, 2025

Opt-Out Link Placement

Place link on website homepage or mobile app launch screen

Prominent, accessible placement

Visibility testing, accessibility

Opt-Out Description

Describe opt-out rights in privacy notice

Plain language explanation

Consumer comprehension

Processing Cessation

Stop processing for opted-out purposes

Real-time or near-real-time cessation

System synchronization

Downstream Notification

Notify third parties receiving data of consumer opt-outs

Contractual notification obligations

Vendor opt-out propagation

Preference Persistence

Maintain opt-out indefinitely or until consumer withdraws

Durable preference storage

Cross-device preference application

Authentication

Authenticate consumers for account-based opt-outs

Login-based preference management

Authenticated session handling

Anonymous Opt-Out

Accept opt-outs without account creation requirement

Cookie/device identifier-based opt-outs

Non-authenticated opt-out mechanisms

Effectiveness Verification

Verify opt-out mechanisms function properly

Testing protocols, compliance verification

Quarterly opt-out testing

Mobile App Parity

Equivalent opt-out in mobile applications

In-app settings, OS-level controls

Platform-specific implementation

No Discrimination

Cannot deny goods/services or charge different prices for opt-outs

Price/service parity

Differential service documentation

Opt-Out Metrics

Track opt-out rates and processing cessation effectiveness

Opt-out analytics, cessation verification

Compliance monitoring dashboards

Targeted Advertising

Processing personal data for targeted advertising

Consumer benefit vs. risk, safeguard adequacy

Benefits documentation, risk mitigation

Sale of Personal Data

Sale of personal data to third parties

Public benefit, consumer expectations, risks

Sales justification, recipient oversight

Profiling - Legal Effects

Profiling reasonably foreseeable to produce legal effects

Decision accuracy, discrimination risks

Algorithm documentation, validation

Profiling - Significant Effects

Profiling reasonably foreseeable to produce similarly significant effects

Impact assessment, consumer harm

Significant effect criteria, safeguards

Sensitive Data Processing

Processing any sensitive data category

Enhanced protection necessity, risk management

Consent documentation, security controls

Assessment Timing

Conducted before or as soon as practicable after processing begins

Pre-implementation risk identification

Prospective assessment completion

Controller Benefits

Identify benefits to controller

Business value, efficiency, revenue

Quantified benefit documentation

Consumer Benefits

Identify benefits to consumers

Service value, personalization, utility

Consumer benefit articulation

Public Benefits

Identify benefits to public or public interest

Societal value, public good

Public interest documentation

Consumer Risks

Identify risks to consumer rights

Privacy harms, discrimination, security

Specific risk scenarios

Safeguards

Evaluate safeguards mitigating identified risks

Technical/organizational controls

Safeguard-to-risk mapping

Balancing Analysis

Weigh benefits against risks

Proportionality assessment

Balancing rationale

Ongoing Review

Review and update DPAs when processing changes materially

Change management integration

Update triggers, review schedule

AG Production

Make DPA available to Attorney General upon request

AG-ready documentation

Completeness, clarity, accessibility

Multiple Activities

May conduct single DPA covering similar processing activities

Consolidation efficiency

Activity coverage documentation

Processor Assistance

Processors assist controllers with DPA development

Information provision, technical details

Cooperation obligations

Processing Description

Detailed processing activity description

Technical processes, data flows, systems

Operational specificity

Data Categories

Personal data categories being processed

Granular data element identification

Data inventory integration

Legal Basis

Legal basis for processing activity

Consent, legitimate interest, legal obligation

Basis justification

Benefits to Controller

Business benefits from processing

Revenue, efficiency, competitive advantage

Economic benefit quantification

Benefits to Consumers

Consumer benefits from processing

Service delivery, personalization, utility

Concrete consumer value

Benefits to Public

Public interest or public benefits

Societal value, public good contribution

Public benefit articulation

Risk Identification

Specific privacy risks to consumers

Discrimination, security, surveillance, autonomy

Detailed risk scenarios

Risk Likelihood

Probability assessment for identified risks

Likelihood scoring, evidence basis

Probability determination

Risk Impact

Severity assessment for potential harms

Impact categorization, magnitude

Harm severity analysis

Safeguards

Technical and organizational protective measures

Security controls, process safeguards, oversight

Control descriptions, effectiveness

Residual Risk

Remaining risk after safeguards applied

Post-mitigation risk level

Risk acceptability assessment

Proportionality

Whether benefits outweigh residual risks

Balancing analysis, proportionality assessment

Processing justification

Decision Rationale

Why processing proceeds despite risks

Business necessity, alternatives considered

Executive decision documentation

Responsible Parties

Individuals/teams accountable for DPA

Role assignments, accountability structure

Ownership clarity

Review Schedule

Planned DPA review frequency and triggers

Scheduled reviews, change-triggered reviews

Review calendar maintenance

Update Process

How DPA is updated when processing changes

Change management procedures

Version control, change documentation

Personal Data Categories

Categories of personal data processed

Granular categorization beyond vague descriptors

Material category additions

Processing Purposes

Purposes for processing personal data

Specific, explicit purpose statements

Purpose expansion updates

Data Sharing Disclosure

Categories of personal data shared with third parties

Recipient category identification

New recipient category additions

Third-Party Categories

Categories of third parties receiving data

Sector/function-based categorization

Recipient landscape changes

Sale Disclosure

Whether personal data is sold

Binary disclosure, sales description

Sales practice changes

Targeted Advertising Disclosure

Whether data is processed for targeted advertising

Binary disclosure, practice description

Advertising practice changes

Profiling Disclosure

Whether profiling occurs

Profiling activities description

New profiling activities

Consumer Rights Description

Rights available to Iowa consumers

All five core rights listed

Rights framework changes

Rights Exercise Instructions

How consumers exercise rights

Request submission methods, contact information

Process modification updates

Appeal Process

How to appeal denied or unfulfilled requests

Appeal submission procedures

Appeals process changes

Sensitive Data Processing

Categories of sensitive data processed

Sensitive category listing

Sensitive category additions

Data Retention

Retention period or criteria for determining period

Category-specific retention or criteria

Retention policy changes

Notice Accessibility

Reasonably accessible to consumers

Plain language, prominent placement

Continuous accessibility

Effective Date

Privacy notice effective date

Clear date statement

Version history maintenance

Notice Format

Clear, meaningful, accessible format

Readability, comprehension testing

Format usability maintenance

Processing Instructions

Process only per controller's documented instructions

Instruction specificity, scope definition

Instruction adherence auditing

Confidentiality Commitments

Ensure authorized persons commit to confidentiality

Personnel agreements, access restrictions

Confidentiality verification

Data Security

Implement appropriate technical/organizational security

Risk-based security safeguards

Security assessment documentation

Subprocessor Authorization

Obtain prior specific or general authorization for subprocessors

Subprocessor approval process, notification

Subprocessor inventory management

Consumer Rights Assistance

Assist controller with consumer rights requests

Technical/organizational assistance

Cooperation procedures

DPA Assistance

Assist controller with data protection assessments

Information provision, technical support

Assessment cooperation documentation

Data Deletion/Return

Delete or return data at controller's choice after services end

Post-termination data disposition

Deletion certification, verification

Audit Rights

Make available information demonstrating compliance, allow audits

Audit procedures, information access

Audit schedule, findings remediation

Processing Limitations

Process personal data only as necessary for services

Necessity determination, scope adherence

Processing scope monitoring

Security Incident Notification

Notify controller of security incidents affecting personal data

Notification timeframe, incident details

Incident response integration

Data Location

Specify data processing and storage locations

Geographic disclosure, cross-border transfers

Location compliance verification

Term and Termination

Contract duration, termination provisions

Term definition, termination triggers

Contract lifecycle management

Liability Allocation

Responsibility for Iowa law violations

Indemnification provisions, liability caps

Risk allocation, insurance coverage

Third-Party Beneficiaries

Consumer rights as third-party beneficiaries

Direct consumer standing provisions

Consumer complaint handling

Contract Amendments

Process for contract modifications

Amendment procedures, approval requirements

Change management integration

Enforcement Authority

Exclusive enforcement by Iowa Attorney General

No private right of action (except processor contract violations)

Centralized AG enforcement

Civil Penalties

Violations constitute deceptive trade practices under Iowa Code § 714.16

Consumer fraud framework integration

Penalties under existing consumer protection law

Penalty Amount

Up to $7,500 per violation

Per-violation calculation

Multiply violations across consumer population

Violation Definition

Each Iowa privacy law provision violation is separate violation

Multiple violations per consumer possible

Exposure multiplication

Cure Period

90-day cure period after AG written notice (through December 31, 2026)

Longest cure period among state privacy laws

Extended compliance buffer

Cure Period Expiration

Cure right expires January 1, 2027

No cure period after 2026

Compliance urgency increases 2027+

Repeat Violation

No cure for subsequent identical violation within 24 months

One cure per violation type in two-year period

Repeat violation immediate penalties

Consumer Standing - Processors

Consumers may sue processors for contract provision violations

Direct processor liability

Processor exposure beyond controller liability

AG Investigatory Authority

AG may investigate suspected violations

Subpoenas, civil investigative demands

Documentation preparation importance

Injunctive Relief

AG may seek injunctions

Processing cessation, practice modification

Operational disruption risk

Settlement Authority

AG may settle through assurance of voluntary compliance

Negotiated settlements, compliance programs

Settlement vs. litigation strategy

Compliance Program Consideration

AG may consider controller's compliance program

Good faith compliance efforts valued

Compliance program investment justification

Pattern and Practice

AG may evaluate systematic violations

Comprehensive compliance assessment

Systematic compliance importance

Restitution

AG may seek consumer restitution

Financial remedies for harmed consumers

Consumer claims process

Public Interest

AG enforces in public interest

AG discretion on enforcement priorities

Alignment with AG enforcement focus

Sensitive Data Consent Failures

Processing sensitive data without required opt-in consent

Bundled consent, vague consent requests

$7,500 per affected consumer

Opt-Out Non-Compliance

Continuing processing after consumer opt-out

Delayed opt-out propagation, system sync failures

$7,500 per day of continued processing

Rights Request Deadline Violations

Failing to respond within 45 days (or 90 with extension)

Workflow backlogs, inadequate resources

$7,500 per late response

Privacy Notice Deficiencies

Omitting required disclosures

Missing sensitive data disclosure, inadequate rights description

$7,500 per missing element

DPA Omissions

Conducting high-risk processing without required DPA

No targeted advertising DPA, incomplete assessments

$7,500 per undocumented activity

Processor Contract Gaps

Using processors without mandatory contractual provisions

Missing audit rights, inadequate security terms

$7,500 per non-compliant contract

Universal Opt-Out Signal Failures

Ignoring GPC or similar signals (after July 1, 2025)

No signal detection, delayed implementation

$7,500 per consumer signal ignored

Data Minimization Violations

Collecting excessive personal data beyond purposes

Over-collection, indefinite retention

$7,500 per excessive element

Purpose Limitation Violations

Processing data beyond disclosed purposes

Undisclosed secondary uses, purpose creep

$7,500 per unauthorized use

Security Inadequacy

Failing to implement reasonable safeguards

Weak encryption, access control failures

$7,500 plus potential restitution

Discrimination

Discriminating against consumers exercising rights

Service denial, price increases

$7,500 per discriminatory act

Appeal Process Failures

Not providing required appeal mechanism

No appeal procedures, inadequate AG notification

$7,500 per denied request

Unauthorized Third-Party Sharing

Sharing data without adequate contracts or notice

Undisclosed sharing, missing processor agreements

$7,500 per sharing relationship

Children's Data Violations

Processing known child data without parental consent

Inadequate age verification, missing parental consent

$7,500 per child affected

Excessive Request Fees

Charging unreasonable fees for requests beyond free limit

Excessive fee amounts, inadequate justification

$7,500 per unreasonable fee charge

Effective Date

January 1, 2025

January 1, 2023

Iowa two years behind Virginia

Cure Period

90 days (through 2026)

30 days (through 2025)

Iowa provides triple cure time

Consumer Count Threshold

100,000+ consumers

100,000+ consumers

Identical threshold

Revenue Threshold

None

None (eliminated 2023)

Both eliminated revenue thresholds

Sensitive Data Categories

9 categories (racial origin, religion, health, sexual orientation, citizenship, genetic/biometric, precise geolocation, child data)

9 categories (same)

Identical sensitive data definitions

Opt-In Consent

Required for sensitive data processing

Required for sensitive data processing

Same consent architecture

DPA Requirements

Targeted advertising, sales, profiling, sensitive data

Targeted advertising, sales, profiling, sensitive data

Identical DPA triggers

Universal Opt-Out Signal

Must recognize by July 1, 2025

Must recognize (no delayed date)

Iowa provides six-month grace period

Appeal Rights

Required for denied/unfulfilled requests

Required for denied requests

Same appeals framework

Free Requests

Two free requests per 12 months

First request free per 12 months

Iowa allows two free requests

Processor Third-Party Beneficiary

Consumers may sue processors for contract violations

Consumers may sue processors

Same direct processor liability

Employment Data

Exempt

Exempt

Same HR data exclusion

Nonprofit Exemption

Nonprofits exempt

Nonprofits exempt

Same nonprofit exclusion

GLBA/HIPAA Exemptions

GLBA and HIPAA entities exempt

GLBA and HIPAA entities exempt

Standard sectoral exemptions

Enforcement Model

AG-only enforcement

AG enforcement + private right of action

California has distributed enforcement

Penalties

Up to $7,500 per violation

Up to $2,500 per violation ($7,500 intentional)

Iowa higher per-violation penalties

Data Breach Liability

No private right of action for breaches

Private right of action for data breaches

California allows consumer lawsuits

Cure Period

90 days (through 2026)

None (eliminated 2020)

Iowa provides temporary cure opportunity

Consent Model

Opt-in for sensitive data, opt-out for targeted advertising/sales

Opt-out for sales/sharing, opt-in for minors under 16

Different consent architecture

Sensitive Data Definition

9 specific categories

11 categories (includes SSN, financial/health account info)

California broader sensitive data

Consumer Rights

Access, correction, deletion, portability, opt-out

Access, correction, deletion, portability, opt-out, limit use

California has additional "limit" right

DPA Requirement

Required for high-risk processing

Risk assessment for automated decision-making only

Iowa broader DPA requirement

Financial Incentives

No provision

May offer financial incentives with disclosure

California allows differential pricing

Household Definition

Individual consumer focus

Household-based definitions

California household complexity

Service Provider Definition

"Processor" framework

"Service provider" with specific obligations

Terminology differences, similar concepts

Employee Data

Broadly exempt

Exempt through January 1, 2023, then covered

California now covers employment data

Applicability Determination

Formal analysis whether Iowa law applies to organization

Legal, Finance, Analytics

Clear applicability determination with data

Iowa Consumer Counting

Methodology and results for counting Iowa consumers

Analytics, Marketing, IT

Documented consumer count with methodology

Data Inventory

Comprehensive catalog of personal data processing

IT, Product, Marketing, HR

Complete data flow documentation

Sensitive Data Mapping

Identification of all sensitive data category processing

IT, Legal, Product

Sensitive data inventory by category

Third-Party Inventory

Complete vendor list with processor/controller determinations

Procurement, Legal, IT

Vendor inventory with role classifications

Current Privacy Notice Review

Gap analysis of existing notice vs. Iowa requirements

Legal, Privacy, Communications

Iowa disclosure gap identification

Consumer Rights Infrastructure

Assessment of current rights request capabilities

Customer Service, IT, Legal

Rights fulfillment capability gaps

Consent Mechanism Assessment

Evaluation of existing consent against Iowa standards

Product, Legal, Marketing

Consent mechanism compliance gaps

DPA Requirement Identification

Determination of which activities require DPAs

Legal, Product, Data Science

DPA requirement inventory

Processor Contract Review

Assessment of vendor contracts vs. Iowa requirements

Procurement, Legal

Contract compliance gaps by vendor

Security Controls Review

Evaluation of existing security safeguards

Information Security, IT

Security adequacy assessment

Cure Period Strategy

Approach to Iowa's 90-day cure period

Legal, Privacy, Risk

Cure period utilization strategy

Budget Development

Comprehensive cost estimation for compliance

Finance, Privacy, IT

Approved budget allocation

Governance Structure

Privacy governance roles, responsibilities, accountability

Executive Leadership, Legal

RACI matrix, decision authority

Project Roadmap

Detailed implementation plan with milestones

Privacy, Project Management

Executive-approved implementation plan

Privacy Notice Update

Revise notice to include all Iowa-required disclosures

CMS updates, version control

Iowa-compliant notice published

Sensitive Data Consent

Implement granular opt-in consent for each sensitive category

Consent management platform, consent logging

Category-specific consent collection

Universal Opt-Out Preparation

Prepare for July 1, 2025 signal recognition requirement

GPC detection, signal processing infrastructure

Signal detection capability (deploy by July 2025)

Opt-Out Mechanisms

Implement targeted advertising, sales, profiling opt-outs

Opt-out links, preference centers, processing controls

Functional opt-out mechanisms

Consumer Rights Portal

Build or procure request intake and fulfillment system

Request forms, verification, workflow automation

Operational rights request portal

Identity Verification

Implement reasonable verification procedures

Multi-factor authentication, KBA

Verified identity proofing

45-Day Response Tracking

Implement deadline tracking and workflow management

Workflow automation, alerts, escalations

Automated deadline compliance

Appeals Process

Design and implement appeals mechanism

Appeal forms, secondary review workflow, AG notification

Functional appeals process

Data Portability System

Implement data export in portable formats

Data extraction, format conversion (CSV, JSON), secure delivery

Verified portability capability

Deletion System

Comprehensive deletion across all systems

Cross-system deletion, backup deletion, verification

End-to-end deletion capability

Request Fee Tracking

Track request frequency for fee applicability (3rd+ requests)

Per-consumer request counting, 12-month windows

Request frequency tracking system

Processor Agreement Updates

Revise vendor contracts with Iowa-required provisions

Contract templates, negotiation, execution

Iowa-compliant processor contracts

DPA Templates and Process

Develop assessment templates and completion workflows

Risk assessment methodology, documentation templates

Approved DPA process

Security Enhancements

Implement risk-appropriate security safeguards

Encryption, access controls, monitoring

Adequate security controls

Training Program

Educate personnel on Iowa requirements

Role-specific training modules, assessments

Trained workforce with completion records

High-Risk Activity Inventory

List all processing requiring DPAs

DPA requirement matrix

Complete activity coverage

Targeted Advertising DPA

Benefits, risks, safeguards for advertising

Completed DPA document

AG-ready documentation quality

Sales DPA

Benefits, risks, safeguards for data sales

Completed DPA document

Proportionality demonstrated

Profiling DPAs

Separate DPAs for each algorithmic decision system

Algorithm-specific DPA documents

Algorithmic transparency, bias assessment

Sensitive Data DPAs

DPAs for each sensitive category processed

Category-specific DPA documents

Enhanced protection documentation

Benefits Documentation

Controller, consumer, public benefits for each activity

Benefits analysis sections

Concrete benefit articulation

Risk Identification

Comprehensive privacy harm scenarios

Risk analysis sections

Specific, detailed harm scenarios

Likelihood/Impact Scoring

Risk probability and severity assessment

Risk matrices

Evidence-based risk scoring

Safeguard Mapping

Technical/organizational controls for each risk

Safeguard documentation

Control-to-risk mapping

Residual Risk Assessment

Post-safeguard remaining risk

Residual risk analysis

Acceptability determination

Proportionality Analysis

Benefits vs. residual risks weighing

Balancing documentation

Justified processing decisions

Cross-Functional Input

Legal, engineering, data science, security collaboration

Collaborative assessment

Technical accuracy, legal sufficiency

Executive Review

Senior leadership DPA review and approval

Executive sign-off

Leadership accountability

DPA Maintenance Plan

Review schedule, update triggers

Maintenance procedures

Ongoing DPA currency

AG Readiness

Documentation quality for potential AG production

AG-ready package

Completeness, clarity, defensibility

Privacy Notice Review

Quarterly or upon material changes

Privacy/Legal

Notice currency, disclosure completeness

Sensitive Consent Rate Monitoring

Weekly

Product/Analytics

Consent rates by category, withdrawal trends

Rights Request Metrics

Monthly

Privacy/Customer Service

Request volume, response times, deadline compliance

Opt-Out Rate Tracking

Monthly

Privacy/Marketing

Opt-out rates by category, processing cessation effectiveness

Universal Opt-Out Signal Monitoring

Weekly (post-July 2025)

IT/Privacy

Signal detection accuracy, preference application

DPA Reviews

Annually or upon processing changes

Privacy/Product

DPA currency, risk assessment accuracy

Processor Contract Reviews

Annually or upon renewal

Procurement/Legal

Contract compliance, vendor performance

Security Control Testing

Quarterly

Information Security

Control effectiveness, vulnerability remediation

Training Updates

Annually or upon regulatory changes

Privacy/HR

Completion rates, assessment scores

Compliance Audits

Semi-annually

Internal Audit/Privacy

Audit findings, remediation status

Vendor Risk Assessments

Annually

Procurement/Privacy/Security

Vendor compliance, risk ratings

Deletion Effectiveness Testing

Quarterly

IT/Privacy

Deletion completeness, timeline verification

Data Inventory Updates

Quarterly

IT/Privacy/Product

Data flow accuracy, processing completeness

Cure Period Tracking

Continuous (through 2026)

Legal/Privacy

Cure utilization, remediation status

Regulatory Monitoring

Continuous

Legal/Privacy

AG guidance, enforcement actions, amendments