These jurisdiction checklists are practical scoping aids for privacy, DPO, DSAR, transfer, incident, and vendor governance decisions. Confirm obligations against your facts before relying on any checklist as advice.
Iowa Consumer Data Privacy Act
Comprehensive compliance checklist for Iowa's data privacy regulations
Key Provisions
715D.3(1) & (2) - Consumer Rights & Response Period
a) Do you have a documented process to confirm whether you are processing a consumer's personal data and to provide access to it upon an authenticated request?
b) Do you have a process to delete personal data provided by the consumer upon an authenticated request?
c) Can you provide a copy of a consumer's personal data in a portable and readily usable format that allows the consumer to transmit the data to another controller without hindrance, where processing is carried out by automated means?
d) Do you provide consumers with a clear and conspicuous mechanism to opt out of the sale of personal data?
e) Do you respond to consumer requests without undue delay, and in all cases within ninety (90) days of receipt, with a possible extension of forty-five (45) additional days when reasonably necessary, provided the consumer is informed of the extension and reason within the initial 90-day period?
f) If a consumer request is declined, do you inform the consumer without undue delay of the justification for declining and provide instructions for appealing the decision?
g) Is information provided in response to an authenticated consumer request free of charge, up to twice annually per consumer?
h) Can your organization demonstrate that any request for which a fee is charged or an action is declined is manifestly unfounded, excessive, repetitive, or technically unfeasible, or that the primary purpose is not to exercise a consumer right?
i) If you are unable to authenticate a request using commercially reasonable efforts, do you request additional information reasonably necessary to authenticate the consumer and their request?
715D.3(3) - Appeal Process
Have you established a conspicuously available process for a consumer to appeal your refusal to take action on a request? Does that process provide a written response within sixty (60) days of receipt of the appeal and, if the appeal is denied, an online mechanism through which the consumer can contact the Attorney General to submit a complaint?
715D.4(1) - Data Security Practices
Does your organization adopt and implement reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue, to protect its confidentiality, integrity, and accessibility?
715D.4(2) - Sensitive Data Processing
Do you obtain clear notice and an opportunity to opt out from consumers before processing their sensitive data for non-exempt purposes, or process sensitive data concerning a known child in accordance with the Children's Online Privacy Protection Act (COPPA)?
715D.4(3) - Non-Discrimination
Does your organization refrain from discriminating against a consumer for exercising their rights, unless the different treatment is related to the consumer's voluntary participation in a bona fide loyalty/rewards program, or the consumer has opted out of personal data processing that is necessary for the product/service?
715D.4(4) - Prohibition of Waiver of Rights
Do your contracts or agreements avoid including any provisions that purport to waive or limit consumer rights pursuant to section 715D.3?
715D.4(5) - Privacy Notice Content
Do you provide a reasonably accessible, clear, and meaningful privacy notice that includes:
- The categories of personal data processed?
- The purpose for processing personal data?
- How consumers may exercise their rights (including how to appeal a decision)?
- The categories of personal data shared with third parties (if any)?
- The categories of third parties (if any) with whom personal data is shared?
715D.4(6) - Sale/Targeted Advertising Disclosure
If your organization sells a consumer's personal data to third parties or engages in targeted advertising, do you clearly and conspicuously disclose this activity, as well as the manner in which a consumer may exercise the right to opt out?
715D.4(7) - Means to Submit Requests
Have you established, and described in your privacy notice, secure and reliable means for consumers to submit requests to exercise their rights, taking into account how consumers interact with you, security, and authentication, without requiring a consumer to create a new account (though you may require a consumer to use an existing account)?
715D.5(1) - Processor Assistance Duties
As a processor, do you assist the controller in fulfilling their obligations regarding consumer rights requests (715D.3) and meeting their obligations in relation to personal data security and security breach notification (715C.2), taking into account the nature of processing and available information?
715D.5(2) - Processor Contractual Requirements
Do your contracts with processors/controllers clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data, the duration of processing, and the rights and duties of both parties? Does the contract also require the processor to:
- Ensure a duty of confidentiality for all persons processing data?
- Delete or return all personal data at the controller's direction at the end of services, unless required by law to retain?
- Make all necessary information available to the controller upon reasonable request to demonstrate compliance?
- Engage any subcontractor or agent pursuant to a written contract that requires them to meet the processor's duties?
715D.6(1), (2) - Re-identification/Association Exemption
a) Does your organization refrain from re-identifying de-identified or pseudonymous data, from maintaining data in identifiable form, and from collecting new data or technology solely to associate an authenticated consumer request with personal data?
b) Can your organization demonstrate that it is not reasonably capable of associating an authenticated consumer request with personal data, that it does not use the personal data to recognize or respond to the specific consumer, and that it does not sell or voluntarily disclose the personal data to any third party?
715D.6(3) - Pseudonymous Data Exemption for Consumer Rights
Do you rely on the exemption of pseudonymous data from consumer rights only when the information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures that prevent attribution to an identified or identifiable natural person?
715D.6(4) - Oversight for Pseudonymous/De-identified Data Disclosure
When disclosing pseudonymous data or de-identified data, do you exercise reasonable oversight to monitor compliance with any contractual commitments to which the data is subject and take appropriate steps to address any breaches of those commitments?
715D.7(9) - Trade Secrets Protection
Does your organization ensure that compliance with this chapter, including fulfilling consumer requests, does not require the disclosure of trade secrets?
715D.8(2) & (3) - Attorney General Enforcement & Penalties
Is your organization prepared to:
- Receive a ninety (90) day written notice from the Attorney General identifying alleged violations?
- Cure the noticed violation within that 90-day period?
- Provide an express written statement that the alleged violations have been cured and will not recur, to avoid further action?
715D.8(4) - No Private Right of Action
Does your organization understand that this chapter does not provide the basis for, and is not subject to, a private right of action for violations?
715D.9(1) - State Preemption
Is your organization aware that this chapter supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, municipality, or local agency regarding the processing of personal data by controllers or processors?
Compliance Recommendations
Consumer Rights & Response Period
✓ If Yes:
- Implement a clear and secure procedure for handling consumer data access requests, including robust authentication means.
- Develop and document a secure and verifiable data deletion procedure that ensures permanent removal of consumer data when requested.
- Invest in systems or tools that facilitate data portability for automatically processed personal data.
- Implement an accessible opt-out mechanism and ensure it's clearly communicated in your privacy notice.
- Establish a robust system for tracking and managing consumer requests to ensure timely responses and proper notification of any extensions.
- Ensure all decline notifications include a clear, specific justification and outline the steps for the consumer to appeal.
- Adjust your policy to provide two free responses per consumer per year.
- Maintain detailed records and justifications for denying requests or charging fees, as your organization bears the burden of proof.
- Develop a protocol for requesting additional, specific information when initial authentication efforts are insufficient.
✗ If No:
Implement all of the above measures immediately to ensure compliance with consumer rights and response period requirements.
Appeal Process
✓ If Yes:
Implement a clear, accessible, and timely appeal process that includes all mandated elements, especially the Attorney General contact information for final denials.
✗ If No:
Establish an appeal process immediately with proper documentation, training, and consumer notifications.
Data Security Practices
✓ If Yes:
Regularly review and update your data security policies and practices, ensuring they are documented, implemented, and align with recognized security standards.
✗ If No:
Adopt and strengthen your security program immediately to protect personal data confidentiality, integrity, and accessibility.
Sensitive Data Processing
✓ If Yes:
Implement mechanisms for clear opt-out for sensitive data and ensure strict COPPA compliance for children's data, which is defined as sensitive data.
✗ If No:
Build or update consent management tools immediately and align with COPPA requirements.
Non-Discrimination
✓ If Yes:
Conduct an internal review of all customer-facing policies and programs to ensure no discriminatory practices based on the exercise of consumer rights.
✗ If No:
Revise practices immediately so that consumers are not penalized for exercising their rights, and ensure that any differential treatment is limited to voluntary loyalty/rewards participation or processing the consumer has opted out of.
Prohibition of Waiver of Rights
✓ If Yes:
Review all contracts, terms of service, and user agreements to remove any clauses that attempt to waive or limit consumer data rights, as such provisions are void and unenforceable.
✗ If No:
Immediately review and revise all contracts to remove unlawful waiver clauses.
Privacy Notice Content
✓ If Yes:
Audit your privacy notice to ensure it comprehensively covers all required elements and is easily discoverable by consumers.
✗ If No:
Update your privacy notice immediately to add any missing data categories, purposes, third-party disclosures, contact details, or appeal rights.
Sale/Targeted Advertising Disclosure
✓ If Yes:
Implement prominent disclosures for data sales and targeted advertising activities, along with accessible and clear opt-out mechanisms.
✗ If No:
Create and publish clear disclosures immediately with accessible opt-out mechanisms.
Means to Submit Requests
✓ If Yes:
Implement robust and user-friendly request submission channels that ensure security, proper authentication, and ease of use for consumers.
✗ If No:
Establish secure request submission channels immediately and update your privacy notice accordingly.
Processor Assistance Duties
✓ If Yes:
Document internal procedures for assisting controllers with consumer requests and security breach notifications, and ensure these are aligned with contractual agreements.
✗ If No:
Establish procedures immediately to assist controllers in fulfilling their obligations.
Processor Contractual Requirements
✓ If Yes:
Review and update all controller-processor contracts to ensure they meet all specified requirements, especially regarding data handling, security, and subcontractor agreements.
✗ If No:
Draft or execute compliant contracts immediately with all required elements.
Re-identification/Association Exemption
✓ If Yes:
Ensure internal policies prevent re-identification efforts that would negate data anonymization or pseudonymous practices. Document the technical and operational reasons why requests cannot be associated with specific data, if applicable.
✗ If No:
Implement policies immediately to prevent re-identification and document exemption qualifications.
Pseudonymous Data Exemption
✓ If Yes:
Strengthen the separation and protection of additional information required to link pseudonymous data to an individual to fully benefit from this exemption.
✗ If No:
Implement appropriate technical and organizational measures immediately to separate and protect identifying information.
Oversight for Data Disclosure
✓ If Yes:
Implement a robust monitoring and enforcement process for contractual commitments related to shared pseudonymous and de-identified data to ensure ongoing compliance by recipients.
✗ If No:
Establish oversight mechanisms immediately to monitor third-party compliance with data commitments.
Trade Secrets Protection
✓ If Yes:
Develop a policy that allows for the protection of trade secrets while still fulfilling consumer requests and other obligations, possibly through redaction or other secure means.
✗ If No:
Create policies immediately to balance trade secret protection with compliance obligations.
Attorney General Enforcement
✓ If Yes:
Establish internal procedures for promptly responding to, investigating, and curing any notified violations from the Attorney General, and for submitting the required written statement.
✗ If No:
Create response procedures immediately to handle Attorney General notices and cure violations within required timeframes.
No Private Right of Action
✓ If Yes:
Familiarize relevant legal and compliance teams with the enforcement mechanisms, noting the absence of a private right of action.
✗ If No:
Educate management and legal teams immediately on enforcement mechanisms and limitations.
State Preemption
✓ If Yes:
Review and update any local data protection policies to ensure they are consistent with and do not contradict this state law, which takes precedence.
✗ If No:
Review state preemption provisions immediately and align all policies accordingly.