RatedWithAI

RatedWithAI

Accessibility scanner

Privacy LawJuly 17, 2026

Iowa ICDPA AI Compliance 2026: The State Law With No Profiling Opt-Out

Iowa's Consumer Data Protection Act is one of the most business-friendly state privacy laws on the books — it skips the profiling opt-out, the data protection assessment requirement, and the right to correct that nearly every other comprehensive state law includes. AI companies compliant elsewhere still need to check ICDPA on its own terms.

100,000 Consumers
Or 25,000 consumers + 50% revenue from data sales
No Profiling Opt-Out
Only targeted advertising and sale opt-outs required
90-Day Cure, No Sunset
The fix-it window never expires under the statute

Does ICDPA Apply to Your AI Product?

ICDPA applies to a business that conducts business in Iowa or produces products or services targeted at Iowa residents, and that during a calendar year controls or processes the personal data of at least 100,000 consumers, or controls or processes the data of at least 25,000 consumers while deriving more than 50% of gross revenue from the sale of personal data.

That 100,000-consumer floor is on the higher end of the range used across state privacy laws, which keeps smaller AI products out of scope more often than laws like Delaware's or Rhode Island's. But the 25,000-consumer alternate trigger still catches data-monetization business models well below the primary threshold, so a smaller AI company that sells or licenses user data should check that path separately.

What Iowa Consumers Get — and What They Don't

Targeted advertising opt-out

Consumers can opt out of personal data being used for targeted advertising, including AI-driven ad personalization.

Sale of data opt-out

Consumers can opt out of the sale of their personal data to third parties, including data-licensing arrangements with AI model developers.

No profiling opt-out

ICDPA does not give consumers a right to opt out of profiling used for decisions with legal or similarly significant effects — a right present in Virginia, Colorado, Connecticut, and most peer states.

No right to correct

Iowa consumers can request access, deletion, and a data portability copy, but ICDPA does not include a general right to correct inaccurate personal data the way most other state laws do.

A Cure Period That Never Expires

Several newer state privacy laws gave businesses a temporary right-to-cure window that expired on a fixed sunset date, pushing enforcement toward direct penalties once the window closed. ICDPA takes the opposite approach: businesses get 90 days to cure a violation after notice from the Attorney General, and that right does not sunset under the statute. For AI companies weighing compliance risk across states, Iowa remains one of the lower-risk enforcement environments even years after the law's effective date — but a standing cure period is not the same as no obligation, and it applies only to violations the business actually fixes within the window.

ICDPA Compliance Checklist for AI Companies

1. Scope Determination
  • Check Iowa consumer counts against the 100,000 threshold separately from any national or other-state count
  • Check the 25,000-consumer / 50%-revenue-from-data-sales alternate trigger for data-monetizing products
  • Re-run the threshold check annually as user growth can push a previously out-of-scope product into scope
2. Consumer Rights Infrastructure
  • Build opt-out flows for targeted advertising and data sale — profiling opt-out is not required but is good practice for multi-state compliance
  • Support access, deletion, and portability requests within statutory timelines
  • Do not assume a right-to-correct workflow satisfies ICDPA by itself if you operate in states that require one
3. Multi-State Consistency
  • Decide whether to build one universal rights flow across all states or a lighter Iowa-specific flow
  • Document which states require profiling opt-outs and assessments so Iowa doesn't become the accidental floor for your whole product
  • Flag Iowa-specific gaps for legal review before treating any other state's compliance program as a template
4. Enforcement Readiness
  • Retain records supporting your scope and threshold determinations
  • Use the standing cure period to fix issues quickly if the Iowa AG raises a concern
  • Monitor Iowa AG enforcement activity, since a business-friendly statute does not guarantee low enforcement priority indefinitely

See where your AI product is exposed

RatedWithAI helps SaaS and platform teams surface compliance and trust gaps across their web properties. Start with a free scan to understand how your product presents to users and regulators alike.

Scan Your Product for Free →

Frequently Asked Questions

If we're compliant with Virginia's VCDPA, are we automatically compliant with ICDPA?

In most respects, yes — a VCDPA-compliant program that includes profiling opt-outs and assessments will exceed what ICDPA requires. The risk runs the other direction: a company that builds only to Iowa's lighter standard and assumes it covers other states will be missing the profiling opt-out, assessment, and correction rights that Virginia, Colorado, and most other states require.

Why does Iowa's law skip the profiling opt-out and assessment requirements?

State privacy laws are drafted independently by each legislature, and Iowa's version was widely noted by privacy attorneys as one of the more business-friendly models when it passed, deliberately omitting several consumer-protective provisions that had become standard in the Virginia-style template other states were copying.

Should we build separate compliance flows for Iowa versus other states?

Most multi-state AI companies build one universal rights flow calibrated to the strictest applicable state rather than maintaining Iowa-specific exceptions, since maintaining parallel compliance paths adds engineering and legal overhead for limited benefit. Iowa is worth understanding specifically so you know which rights are legally required there versus offered as a matter of product consistency.

Related Guides