Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • Limited methods of notification delivery
  • Comprehensive information requirements for notifications
  • Data owners are responsible for the reporting and notifications
  • Noncompliance constitutes a deceptive act. Penalties of up to $45,000 plus additional penalties, injunction, civil action, etc.
  • Other state or federal laws, industry regulations, and/or out-of-country laws may apply

Who Me?


Iowa breach and notification laws may apply if you:

  • Own or license computerized data that includes a consumer’s PII that is used in the course of your business, vocation, occupation, or volunteer activities
  • Maintain or otherwise possess PII on behalf of another person

There are exemptions.

What is PII?


PII relevant to a breach in Iowa includes a person's name plus one of the following:

  • Social Security Number
  • Driver license or unique identification number issued by a government agency
  • Account number or credit or debit card number in combination with any security code, access code or password, etc.
  • Unique electronic identifier or routing code with security or access code, etc.
  • Unique biometric data



A few applicable statutes include, but are not limited to:

Iowa Code / Title XVI Criminal Law and Procedure / Subtitle 1 Crime Control and Criminal Acts / 715C Personal Information Security Breach Protection /

  • 715C.1 and 715C.2 Security breach notification requirements remedies.
  • (Enforcement: 715C.2(8)(a), 714.16, and 537.6113)



Penalties for violation are addressed across three separate statutes. A violation constitutes an unlawful practice, which can result in Attorney General action including injunction, restoration of moneys, civil penalty up to $45,000 and/or $5,000 per day for intentional violation, civil action including class action, and more.



Considerations for reporting requirements include, but are not limited to:

  • The combination of personal information breached
  • Whether the data was computerized
  • If the data was encrypted, redacted or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable
  • If the data included any key or cipher
  • The reasonable likelihood of financial harm


The notification may be delayed if law enforcement indicates in a written notification that it may impede an investigation. Otherwise, notification is required in the most expeditious manner possible and without unreasonable delay.


The notification requires detailed information and the potential provision of services.

The notification may be sent by mail or sent electronically (if it is the person’s customary method of communication with the consumer or consistent with US Code Section 7001 of Title 15).

A substitute notice, with specific requirements, may be sent if the cost of the notice exceeds $250,000, the number of persons to be notified exceeds 350,000, or they do not have sufficient contact information.
