Iowa's ICDPA is the most business-friendly comprehensive state privacy law — no opt-in requirement for sensitive data, no data protection assessment requirement, and no opt-out from profiling.
Last reviewed 2026-06-19 · Risk rating rationale: Permissive framework limits compliance burden, but the 100,000-consumer threshold still catches most national businesses.
Key Iowa laws affecting websites
The statutes most likely to apply to a commercial website serving Iowa residents.
ICDPA — Iowa Consumer Data Protection Act · Effective 2025
Applies to: Entities that conduct business in Iowa AND control or process data of 100,000+ Iowa consumers (or 25,000+ with 50%+ revenue from data sale).
What your site has to disclose, ask consent for, and allow consumers to do with their personal information.
ICDPA provides access, deletion, portability, and sale opt-out rights, but does NOT include opt-out from targeted ads OR opt-out from profiling. Among the most permissive state privacy laws.
Practical requirements for your website
Privacy notice with rights enumeration
Respond to rights requests within 90 days (longer than other states)
Cookies and tracking
Federal law applies
When you need consent, opt-outs, or universal-signal honor for cookies and analytics scripts.
No cookie banner mandate. Honoring Global Privacy Control (GPC) signals is not required.
Practical requirements for your website
Privacy choices link if applicable
Accessibility (ADA + state)
Federal law applies
WCAG conformance expectations and how the state's accessibility cases tend to be litigated.
Federal ADA Title III applies.
Practical requirements for your website
WCAG 2.1 AA conformance
Cybersecurity and breach response
Federal law applies
What 'reasonable security' looks like under state law and how fast you have to notify after a breach.
Federal FTC Act applies.
Practical requirements for your website
Material connection disclosures
Email and SMS marketing
Federal law applies
How federal CAN-SPAM and TCPA interact with state-level marketing rules in this jurisdiction.
Federal CAN-SPAM applies.
Practical requirements for your website
Standard CAN-SPAM compliance
AI regulation
Federal law applies
Which AI uses the state has chosen to regulate, who's covered, and what the website has to disclose.
ICDPA does NOT include profiling opt-out.
Practical requirements for your website
Federal FTC Act prohibits unfair / deceptive AI use
Frequently asked questions about Iowa website compliance
Is Iowa's law really so permissive that I don't need to do much?
Compared to California or Colorado, yes. But Iowa-only compliance is rare — most businesses that hit the Iowa threshold also hit California, Colorado, Virginia, etc. Your strictest-state policy almost always covers Iowa too. Don't build an Iowa-specific minimal policy if you have any reach into states with stricter laws.
Important: Scantra is a software tool and a non-profit publisher, not a law firm. The summaries on this page are written for general business orientation and reflect the editors' reading of the statutes as of 2026-06-19. They are not legal advice and should not be the only source you rely on for compliance decisions. For your specific situation, consult a licensed attorney in Iowa.