DSAR Requirements in Iowa (ICDPA)

Consumer Rights That Trigger DSARs

Iowa consumers can submit requests to:

Access all personal data you hold about them
Delete personal data you collected
Port their data in a portable, machine-readable format
Opt out of the sale of personal data
Opt out of targeted advertising

Note: Iowa does not grant a right to correction or a right to opt out of profiling — making it one of the narrower state privacy laws for DSAR purposes. Iowa also does not require a formal appeal process.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.

Response Deadline

90 days from receipt — the longest deadline among state privacy laws. No extension is available beyond the 90-day period.

Identity Verification

Required before fulfilling any request. The ICDPA does not prescribe a specific verification method.

Penalties

$7,500 per violation
Permanent 90-day cure period (no sunset provision — the longest and most generous cure period among all states)
No private right of action — only the Attorney General can enforce

Enforced by the Iowa Attorney General.

DSAR-Specific Exemptions

You may decline or limit a request when the data is needed to:

Comply with a legal obligation
Detect security incidents or protect against fraud
Complete a transaction the consumer requested
Insurance-related processing

Sensitive data requires opt-in consent before processing.

Who This Applies To

Businesses that process personal data of 100K+ Iowa consumers or 25K+ consumers with 50%+ revenue from data sales.

For the full Iowa privacy law guide, see boringgovernance.com.

Related Guides

How to Respond to a DSAR — response process
DSAR Response Deadlines — all deadlines
DSAR Identity Verification — verification methods
DSAR Exemptions — when you can refuse