Iowa Data Privacy Law: How to Respond to Consumer Requests

If your company has received a consumer data request from a Iowa resident, you need to understand what the law requires, how quickly you must respond, and what information must be redacted before you send the response. This guide covers the Iowa Consumer Data Protection Act (ICDPA) in practical terms — what it means for your business, not just what the statute says.

These requests are formally known as Data Subject Access Requests (DSARs) under European law, or consumer privacy requests under U.S. state law. Regardless of the terminology, the obligation is the same: locate the consumer's personal data, review it, redact third-party personal information, and respond within the statutory deadline.

For a comparison of all US state privacy laws, see our comprehensive comparison page. For state-specific guidance, see our guides for California, Virginia, Colorado.

Does this law apply to my business?

The Iowa Consumer Data Protection Act (ICDPA) (Iowa Code Ch. 715D) took effect on January 1, 2025.

Applicability thresholds: Conducts business in Iowa or produces products or services targeted to Iowa consumers, AND either: (a) controls or processes personal data of 100,000 or more Iowa consumers, OR (b) controls or processes data of 25,000 or more consumers and derives over 50% of gross revenue from the sale of personal data.

Exemptions: State and local government, nonprofits, HIPAA-covered entities, GLBA-covered entities, institutions of higher education.

Physical presence: No physical presence required.

What rights do consumers have?

Under the ICDPA, Iowa consumers have the following rights regarding their personal data:

• Right to confirm processing
• Right to access
• Right to delete
• Right to data portability
• Right to opt-out of targeted advertising
• Right to opt-out of the sale of personal data

Iowa does not include a right to correct data or a right to opt-out of profiling. No universal opt-out mechanism requirement. Sensitive data requires opt-in consent.

How long do I have to respond?

You have 90 calendar days from receipt of the request to provide a substantive response.

Extensions: No extension available — 90 days is the full period.

When the clock starts: Upon receipt.

Iowa's 90-day deadline is the longest among comprehensive state privacy laws, double the 45-day standard in most states.

What do I need to redact before responding?

When you compile documents for a consumer data request response, you will inevitably find personal information belonging to other people — colleagues, clients, family members, business contacts. This third-party data must be redacted before you send the response to the requesting consumer.

What to redact (third-party personal data)

• Names — full names of other individuals mentioned in emails, documents, chat transcripts, and records
• Email addresses — personal and work email addresses of third parties
• Phone numbers — mobile, landline, and work numbers of other people
• Physical addresses — home and work addresses of third parties
• Government identifiers — Social Security numbers, driver's license numbers, passport numbers belonging to others
• Financial information — bank account numbers, credit card numbers, salary figures of other individuals

What requires judgment

Some categories of information require case-by-case assessment:

• Salary figures and compensation data — if a document mentions another employee's salary in the context of the requester's own compensation review, you may need to redact the third party's figure while keeping the requester's
• Job titles and roles — generally not personal data on their own, but combined with a department name in a small team, they may identify an individual
• Performance reviews and manager comments — the requester's own performance data stays in, but comments that reveal personal information about colleagues or managers should be redacted
• Medical or health information — any health-related data about third parties must be redacted regardless of context

What to keep (the requester's own data)

The entire point of a consumer data request is to give the individual access to their own data. Do not redact the requester's personal information. This includes their name, email, phone number, address, employment records, transaction history, and any other data that relates to them specifically.

This is what makes data request redaction different from standard document redaction. You are performing selective redaction: keeping one person's data while removing everyone else's. Automated tools that simply blank out all PII will over-redact and produce an unusable response.

What happens if I miss the deadline or get it wrong?

Penalties: Up to $7,500 per violation.

Enforcement: Iowa AG (exclusive). No private right of action.

Cure period: 90-day cure period (does not expire — permanent).

No notable enforcement actions. Iowa's long cure period and limited consumer rights make it one of the most business-friendly privacy laws.

How SafeRedact helps

SafeRedact automates the most time-consuming part of responding to consumer data requests: identifying and redacting third-party personal information across thousands of documents.

• AI-powered detection — a two-layer pipeline (deterministic regex + contextual AI) identifies names, emails, phone numbers, addresses, government IDs, financial data, and salary figures across 10+ document types including emails, PDFs, spreadsheets, and chat transcripts
• Selective redaction — in DSAR mode, the requester's own data is preserved while all third-party PII is flagged for redaction. Every detection is reviewed by a human before export.
• Zero data retention — documents are processed in the browser. No document content is stored on SafeRedact servers. Only job metadata (file names, detection counts, audit logs) is retained.
• Audit trail — every detection decision (accept, reject, manual add) is logged. A compliance report with reviewer sign-off is generated for your records.