Iowa Consumer Data Privacy Act

What is ICDPA?


The ICDPA applies to businesses targeting Iowa residents that meet at least one of the following criteria:

  • They control or process the personal data of at least 100,000 Iowa consumers, or

  • They control or process the personal data of at least 25,000 Iowa consumers and derive over 50% of their gross revenue from the sale of personal data.

Some entities are exempt by default from the ICDPA. These include non-profits and entities covered by industry-specific laws.

The law grants consumers several rights:

  • Know about the processing
  • Access their data
  • Get a copy of their data
  • Delete their data
  • Correct inaccurate data
  • Opt out of the sale of data or targeted advertising

Businesses must honor these rights and provide consumers with means of submitting requests to exercise these rights. Aside from that, businesses also must:

  • Process only the necessary data
  • Process the data only for purposes stated in the privacy notice
  • Provide consumers with a privacy notice
  • Implement adequate data security measures
  • Allow consumers to opt out, among other obligations.

MergeBase and ICDPA


Although the ICDPA does not apply to MergeBase, we already meet higher data protection and security standards than those in this law. Therefore, if the law applied to us, we could comply immediately.


How Can MergeBase Help You Comply with the ICDPA?


The ICDPA requires you to safeguard your consumers’ data but doesn’t tell you how; you must determine it yourself. That’s why we always recommend considering all circumstances thoroughly and applying what is best for your processing practices and your consumers’ personal information.

We can support your security efforts with our services, which include:

  • Reduced attack surface: focusing on open-source components helps minimize potential attack points for unauthorized access to personal data.

  • Improved accountability with our vulnerability reports and logs that serve as documentation of ongoing security efforts, potentially supporting accountability under the UCPA. In case the Attorney General investigates your processing, you’ll be able to prove compliance.

  • Vulnerability management by identifying and prioritizing vulnerabilities within open-source components used in applications that process personal data. Addressing these vulnerabilities helps mitigate risks of unauthorized access, disclosure, or alteration, aligning with the UCPA’s security requirements.

  • Ongoing vulnerability scanning that helps companies stay ahead of potential threats and address them promptly, demonstrating efforts towards robust data security measures.