Iowa enacted the Iowa Consumer Data Protection Act (ICDPA, effective January 1, 2025) and operates the Personal Information Security Breach Protection Act at Iowa Code § 715C, creating a layered controller-and-disposal regime over the state’s growing data-center and ag-tech sectors. Use the Enterprise Compliance Reference below as the Iowa executive briefing; the sections that follow walk every duty, regulator, and penalty band with statute citation and recent enforcement context.

| Compliance Topic | What Iowa Requires | Who Enforces | Penalty Band | What All Green Recycling Provides |
|---|---|---|---|---|
| 1. Breach Notification | Notice to affected Iowa residents in the most expeditious manner possible; AG notice within 5 business days of consumer notice for breaches affecting 500+ Iowa residents under Iowa Code § 715C.2. | Iowa Attorney General | Up to $40,000 per violation via Iowa CPA | Certified media shredding with serialized Certificate of Destruction. |
| 2. Iowa Consumer Data Protection Act | Controller obligations including reasonable safeguards, data-minimization, sensitive-data consent (biometric enumerated) under Iowa Code § 715D, effective Jan 1, 2025. | Iowa AG | Up to $7,500 per violation | Certified data destruction with biometric-data attestation. |
| 3. Records Disposal | No standalone state disposal statute; federal HIPAA Privacy Rule (45 CFR § 164.530) and FTC Disposal Rule (16 CFR Part 682) provide the operative outcome standards. | HHS OCR, FTC | HIPAA up to $2.067M per identical violation per year (2025) | Certified data wiping aligned to NIST Clear / Purge. |
| 4. Data Destruction Standard | No state-specific destruction-method standard; NIST SP 800-88 Rev. 2 is the federal civilian baseline. | N/A (federal baseline) | N/A | Hard drive shredding for high-sensitivity media. |
| 5. Hazardous & Universal Waste | RCRA-delegated state program under 567 IAC 100-141; universal-waste rules at 567 IAC 132; CRT rules at 40 C.F.R. § 261.39. | Iowa DNR | Up to $10,000/day under Iowa Code § 455B.307 | Certified electronics recycling with environmental disposition record. |
| 6. Federal Overlay & Audit Posture | HIPAA, FTC Safeguards, FTC Disposal Rule, GLBA, FAR 52.204-21, DFARS 252.204-7012; documented Certificate of Destruction, chain-of-custody, environmental disposition. | HHS OCR, FTC, federal prime contractors | HIPAA up to $2.067M per identical violation per year (2025) | IT asset reporting packaged for compliance, legal, and audit teams. |

Iowa’s privacy compliance regime spans (1) the Iowa Personal Information Security Breach Protection Act (Iowa Code § 715C, with one of the country’s shortest AG-notice windows at 5 business days for breaches affecting 500+ Iowa residents), (2) the Iowa Consumer Data Protection Act (Iowa Code § 715D) effective January 1, 2025 with controller obligations including sensitive-data consent (biometric enumerated), (3) the Iowa Consumer Protection Act (Iowa Code § 714.16) UDAP carryover up to $40,000 per violation, (4) the Iowa DNR hazardous-waste rules at 567 IAC 100-141, and (5) the federal sector overlays of HIPAA, GLBA, and the FTC Disposal and Safeguards Rules. Iowa does not operate a state-funded electronics EPR program and does not impose a statewide e-waste landfill ban; commercial generators route through RCRA-delegated channels. The personal-information definition under § 715C.1(11) enumerates unique biometric data (DNA profile, fingerprint, iris scan, retina scan), so breaches of biometric records trigger Iowa breach-notice obligations. Audit defensibility is the ability to reconstruct each step of asset retirement across that duty surface on demand.
Iowa’s hyperscale data-center expansion (Meta, Microsoft, Google) means federal customer agreements and the HIPAA, GLBA, FTC Safeguards, FACTA, FAR 52.204-21, and DFARS 252.204-7012 baselines reach a large fraction of in-state enterprises, with ICDPA sitting on top. A regulated enterprise must satisfy the stricter of (1) Iowa statutes including § 715C (breach notice, biometric enumerated), § 715D (CDPA effective 2025), and § 714.16 (UDAP carryover), (2) federal sector rules including the HIPAA Security Rule, the FTC Disposal Rule, the FTC Safeguards Rule, GLBA, FAR 52.204-21, and DFARS 252.204-7012, and (3) customer or prime-contract clauses. Because Iowa lacks a standalone records-disposal statute, the federal disposal anchor is the operative state-facing baseline.
The preemption matrix below states, for each federal regime that touches enterprise IT asset disposition in Iowa, whether Iowa law is preempted by, equal to, or exceeds the federal floor, and where it exceeds, the specific stricter element.

| Federal Regime | Iowa Posture | Stricter Element (if any) |
|---|---|---|
| HIPAA Security Rule (45 CFR Part 164 Subpart C) | equals | Federal regime controls; state law does not exceed the federal floor. |
| GLBA / FTC Safeguards Rule (16 CFR Part 314) | Iowa exceeds | Iowa Code Ch. 507F (NAIC Insurance Data Security adoption) imposes a written information security program with annual board certification. |
| FACTA Disposal Rule (16 CFR § 682.3) | Iowa exceeds | Iowa Code § 715C.2 imposes 5-business-day AG notification window and specific disposal-method duty. |
| DFARS 252.204-7012 / FAR 52.204-21 / CMMC 2.0 (32 CFR Part 170) | equals | Federal regime controls for federal contractors; CMMC 2.0 effective December 16, 2024 applies through prime-contractor flow-down. |
| RCRA Subtitle C (40 CFR Parts 260-279) | equals | Iowa is not EPA-authorized for RCRA Subtitle C; EPA Region 7 administers federal RCRA directly in Iowa. |

NIST SP 800-171 Revision 3 (May 2024 final) is the operative federal CUI sanitization baseline for federal-contractor environments, and CMMC 2.0 (32 CFR Part 170, effective December 16, 2024) is the operative DoD contractor framework that enforces the NIST 800-171 control set through assessment-based compliance levels. Federal contractors operating in Iowa must satisfy CMMC 2.0 in addition to Iowa state law.
Iowa Code § 715C.2 requires any person that owns or licenses computerized data containing personal information about a consumer who is a resident of Iowa, upon discovery of a breach, to give notice to affected Iowa consumers in the most expeditious manner possible and without unreasonable delay. When a breach affects 500 or more Iowa residents, notice to the Iowa Attorney General Consumer Protection Division is required within 5 business days of giving notice to consumers. The personal-information definition under § 715C.1(11) enumerates SSN, driver’s license or state ID, account number plus security code, and unique biometric data (DNA profile, fingerprint, iris scan, retina scan, etc.).
The Iowa Consumer Data Protection Act at Iowa Code § 715D took effect January 1, 2025. Modeled on the Virginia VCDPA framework, the Iowa CDPA imposes controller obligations including (i) reasonable administrative, technical, and physical safeguards, (ii) data-minimization, (iii) purpose-limitation, (iv) consumer rights (access, deletion, portability), (v) opt-out rights for sale of personal data, and (vi) sensitive-data restrictions for biometric data, health-condition data, precise geolocation, racial/ethnic origin, etc. Civil penalties are up to $7,500 per violation enforced by the Iowa Attorney General with a 90-day cure period (and an indefinite right-to-cure for non-data-breach violations).
The Iowa Consumer Protection Act at Iowa Code § 714.16 provides the UDAP carryover, with civil penalties up to $40,000 per violation. Breaches of § 715C breach-notice duties and Iowa CDPA controller duties are enforceable via § 714.16.
Iowa does not maintain a standalone records-disposal statute. The operative state-facing baseline for IT asset retirement is the federal anchor: HIPAA Privacy Rule (45 CFR § 164.530), HIPAA Security Rule (45 CFR § 164.310(d)(2)(i)), FTC Disposal Rule (16 CFR Part 682, requiring “reasonable measures” with method enumeration), and the FTC Safeguards Rule (16 CFR Part 314). Pre-disposal NIST SP 800-88 Rev. 2 alignment satisfies the federal anchor.
Iowa state agencies retire IT assets under Iowa Office of the Chief Information Officer (OCIO) policy. The operative controls include Iowa OCIO Enterprise Security Office policies; Iowa Department of Administrative Services surplus; State of Iowa records retention schedules. Public-sector retirement requires permanent removal of data before transfer or surplus, documented chain of custody, records-retention-schedule alignment for any records-bearing media, and surplus-property routing through the state’s authorized disposal channel. Private-sector enterprises that contract with the state, that operate in regulated public-sector adjacent industries (higher education, K-12, state-funded healthcare), or that subcontract to state agencies inherit these duties through contract flow-down. See Iowa Office of the Chief Information Officer (OCIO) policy guidance.
Iowa has adopted the NAIC Insurance Data Security Model Law at Iowa Code Ch. 507F (effective January 1, 2022). The statute imposes a written information security program duty on insurance licensees, brokers, and third-party service providers; mandates annual board certification of the program; prescribes incident-notification windows to the state insurance commissioner; and requires risk-based assessment of third-party service-provider controls. Retired Electronic Assets in scope (workstations, servers, backup media, and any device storing nonpublic information of insureds) must be retired under documented chain of custody with verified sanitization, and the destruction certificate must be retained as part of the program’s audit trail.
Iowa relies on the federal disposal anchor combined with the Iowa CDPA reasonable-safeguard duty. The operative method baseline is NIST Special Publication 800-88 Revision 2 (operative September 26, 2025), which categorizes media sanitization as Clear, Purge, and Destroy. Iowa state agencies follow Iowa Office of the Chief Information Officer (OCIO) information-security standards.
Iowa-resident personal information on fixed media must reach the NIST 800-88 Rev. 2 Destroy outcome through physical shredding because Iowa Code § 715C.2’s breach trigger reaches any unencrypted media in enterprise custody. Hard drive shredding reduces magnetic and solid-state media to particles small enough that data reconstruction is forensically impossible.
Certified data wiping aligned to NIST 800-88 Clear or Purge is appropriate where the asset is being remarketed or redeployed.
Media degaussing is the appropriate Purge method for legacy magnetic media. SSDs, NVMe, and modern flash media require cryptographic erase (Purge) or physical destruction (Destroy).
Certified media shredding covers non-drive media including optical disks, tape cartridges, USB drives, memory cards, smart cards, and any printed material containing personal information subject to § 715C and Iowa CDPA controller duties.
Iowa does not operate a state-funded manufacturer-takeback or EPR program for electronics, and does not impose a statewide landfill ban on covered electronic devices. Enterprise IT asset retirement in Iowa routes through the federal RCRA-delegated state hazardous-waste program administered by the Iowa Department of Natural Resources (DNR) Land Quality Bureau under 567 IAC 100-141. Hazardous-waste characterization follows the federal toxicity characteristic for lead, mercury, cadmium, and chromium.
Enterprise / commercial equipment covered by the Iowa e-waste program: NO. Iowa has no state e-waste EPR program; enterprise IT asset retirement routes through federal RCRA Subtitle C administered by EPA Region 7 plus Iowa Admin. Code Ch. 567-100 solid-waste rules. Iowa does not administer an authorized RCRA program; federal RCRA Subtitle C applies directly through the relevant EPA Region.
Universal-waste rules at 567 IAC 132 cover batteries, lamps, mercury-containing equipment, mercury thermostats, and pesticides. CRT rules at 40 C.F.R. § 261.39 apply. Generator status follows the federal VSQG / SQG / LQG framework; cradle-to-grave generator liability applies. Civil penalties under Iowa Code § 455B.307 run up to $10,000 per day per violation. Enterprise IT asset retirement routes through certified electronics recycling with environmental disposition records.
Server hardware and enterprise storage arrays contain operating-system data, application data, log files, configuration files with credentials, and database content. Certified server recycling covers the full asset including drive bays, controller cards, and embedded firmware storage. Every drive in the chassis must be sanitized to the Destroy category under NIST 800-88 Rev. 2 before custody transfer when protected health information, financial-account information, biometric records, or covered defense information was processed.
Certified laptop recycling and certified computer recycling route through the same chain-of-custody framework.
Certified cell phone recycling includes verified erase of internal flash, handling of embedded SIM and eSIM material, and destruction of biometric sensor data (face geometry, fingerprint) which is enumerated under Iowa Code § 715C.1(11).
Secure equipment destruction covers prototypes, defective products, and regulated equipment. Product recall management, defective product destruction, and classified equipment destruction cover specialized scenarios.
Iowa enforcement is concentrated at the Iowa Attorney General Consumer Protection Division (breach-notice carryover under Iowa CPA § 714.16, up to $40,000 per violation; Iowa CDPA enforcement at up to $7,500 per violation), Iowa DNR (hazardous-waste violations under Iowa Code § 455B.307, up to $10,000/day), and federal regulators with concurrent jurisdiction. Iowa was a participant in the AG v. T-Mobile multistate $350M+ settlement (January 2025). The audit-reconstruction-of-events standard is operative.

| Statute / Authority | Civil Penalty Band | Private Right of Action | Enforcer |
|---|---|---|---|
| Iowa Code § 715C.2 (breach notice) | Enforceable via § 714.16 up to $40,000 per violation | NO (AG-only) | Iowa AG |
| Iowa Code § 715D (CDPA, effective 2025) | Up to $7,500 per violation | NO (AG-only under Iowa CDPA effective Jan 1, 2025) | Iowa AG |
| Iowa Code § 714.16 (Iowa CPA) | Up to $40,000 per violation | NO (Insurance Division enforcement) | Iowa AG |
| Iowa Code § 455B.307 (hazardous waste) | Up to $10,000 per day per violation | NO (DNR / EPA Region 7 enforcement) | Iowa DNR |
| HIPAA (federal overlay) | Up to $2,067,813 per identical violation per year (2025 adjusted) | LIMITED (HIPAA private actions) | HHS OCR |

In addition to the Iowa Attorney General and the Iowa environmental agency, state-level sectoral regulators hold audit and inquiry authority over IT-asset-disposition-relevant controls within their regulated populations. The Iowa Division of Banking examines banks and credit unions for GLBA-aligned information-security-program controls. The Iowa Insurance Division examines insurance licensees for the written information security program required by the NAIC Insurance Data Security Act or state-equivalent. The Iowa Department of Health and Human Services examines healthcare entities for HIPAA Security Rule compliance. The Iowa Board of Regents oversees FERPA-overlapping records and student-data-privacy duties at state institutions of higher education. The Iowa Utilities Board examines investor-owned utilities for customer-data-protection controls. Each sectoral regulator can issue document requests, on-site examinations, or consent orders that probe the chain-of-custody, sanitization-certificate, and environmental-disposition records produced during IT asset retirement.
Iowa Attorney General Consumer Protection Division investigations rely on the documentary record an enterprise can produce, and a Retired Electronic Asset without serialized chain-of-custody and destruction evidence is treated as a presumptive Iowa Code § 715C violation.
All Green Recycling operates certified IT asset disposition structured around Iowa’s statutory duty surface. Asset pickup is scheduled with a documented chain of custody, secured transport through IT equipment packaging and transportation, certified data destruction at the receiving facility, environmental disposition through DNR-compliant channels, and audit-ready reporting. Asset remarketing recovers residual value while preserving chain of custody.
All Green Recycling’s secure data destruction service line aligns to NIST SP 800-88 Rev. 2, satisfies the federal HIPAA Privacy Rule and FTC Disposal Rule disposal anchors that govern in the absence of an Iowa-specific disposal statute, and produces attestation documentation appropriate for the Iowa CDPA sensitive-data biometric category.
Certified electronics recycling routes retired electronic assets through DNR-authorized channels that satisfy 567 IAC 100-141 hazardous-waste characterization and universal-waste rules. R2v3, NAID AAA, and e-Stewards frameworks are used as reference frameworks for downstream-handler accountability.
Secure equipment destruction covers product-recall management, defective-product destruction, and classified-equipment destruction.
Reverse logistics covers multi-site enterprise pickups, manufacturer return programs, and customer-driven returns.
Every engagement produces a uniform documentation package delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction per device, Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and HIPAA / GLBA / FTC Safeguards documentation entries where the federal overlay applies.
The questions below are the questions enterprise compliance, security, audit, and procurement leaders ask during vendor evaluations, RFP reviews, and breach-response planning when a Retired Electronic Asset is moving through IT Asset Disposition in Iowa.
Notice to affected Iowa residents in the most expeditious manner possible and without unreasonable delay under Iowa Code § 715C.2. Notice to the Iowa Attorney General is due within 5 business days of consumer notice when the breach affects 500 or more Iowa residents (one of the shortest AG-notice windows in the U.S.).
Yes. Iowa Code § 715C.1(11) enumerates unique biometric data (DNA profile, fingerprint, iris scan, retina scan) as personal information. A breach of biometric records triggers Iowa breach-notice obligations. Iowa CDPA also treats biometric as sensitive data.
January 1, 2025. The Iowa CDPA at Iowa Code § 715D imposes controller obligations including data-minimization, opt-out rights for sale of personal data, and sensitive-data restrictions (biometric data enumerated). Civil penalties up to $7,500 per violation enforced by the Iowa Attorney General.
No. Iowa relies on the federal anchor: HIPAA Privacy Rule (45 CFR § 164.530), FTC Disposal Rule (16 CFR Part 682), and FTC Safeguards Rule (16 CFR Part 314). The audit-defensible posture is alignment to NIST SP 800-88 Rev. 2 through certified data destruction.
No. Iowa does not operate a state-funded manufacturer-takeback or EPR program for electronics and does not impose a statewide landfill ban on covered electronic devices. Enterprise IT asset retirement routes through RCRA-delegated DNR channels and certified electronics recycling.
Yes. 567 IAC 100-141 implements federal RCRA with cradle-to-grave generator liability. Universal-waste streams are governed by 567 IAC 132. Civil penalties under Iowa Code § 455B.307 run up to $10,000 per day per violation.
NIST Special Publication 800-88 Revision 2 (operative September 26, 2025) is the federal civilian baseline. Iowa Office of the Chief Information Officer (OCIO) information-security standards reference NIST 800-88.
Breach-notification violations under § 715C are enforceable via the Iowa Consumer Protection Act (Iowa Code § 714.16) at up to $40,000 per violation. Iowa CDPA violations carry civil penalties up to $7,500 per violation. The Iowa Attorney General is the enforcement authority.
All Green Recycling holds ISO 14001:2015 and ISO 45001:2018 certifications and operates with alignment to R2v3, NAID AAA, and e-Stewards as reference frameworks for downstream-handler accountability and certified data destruction. NIST SP 800-88 Rev. 2, HIPAA, GLBA, FTC Safeguards, FAR 52.204-21, and DFARS 252.204-7012 are operative baselines that certified IT asset disposition engagements are structured to satisfy.
Every engagement produces a documentation packet delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction per device (with biometric-data attestation where applicable), Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, DNR records, and contracted-service safeguard terms.
A regulated enterprise must satisfy the stricter of (1) Iowa statutes including § 715C, § 715D (CDPA), and § 714.16, (2) federal sector rules such as the HIPAA Security Rule and the FTC Safeguards Rule, and (3) customer or prime-contract clauses. The federal disposal anchor is the operative state-facing baseline.
Yes. Iowa Code § 715C.1 covers unauthorized acquisition of personal information which extends to physical loss of unencrypted media.
Yes. § 715C.1 excludes encrypted data; NIST SP 800-88 Revision 2 verified sanitization removes personal information from the breach trigger.
Iowa IT asset retirement is a layered risk-management discipline, not a recycling transaction. Compliant retirement is the ability to prove, under scrutiny, that data was sanitized to the federal disposal anchor before custody transfer, that breach notice surfaced in the most expeditious manner possible after discovery (with 5-business-day AG notice when 500+ residents were affected), that biometric data was handled under both the § 715C.1(11) breach-notice enumeration and the Iowa CDPA sensitive-data regime, that downstream processing routed through DNR-authorized channels, and that hazardous fractions were handled under the universal-waste rules. Iowa CPA per-violation civil penalties (up to $40,000), CDPA $7,500 per-violation penalties, DNR daily penalties (up to $10,000), HIPAA federal overlay, FTC Disposal and Safeguards Rules, and audit-driven counterparty review converge on the same set of records.
Iowa compliance is best treated as a continuous control posture rather than a periodic disposal event. All Green Recycling, LLC operationalizes that posture through IT asset disposition, secure data destruction, certified electronics recycling, secure equipment destruction, reverse logistics, and audit-ready reporting. Compliance, security, and procurement teams that need an Iowa-specific audit walkthrough or an RFP-ready compliance package reach the All Green Recycling response desk at (800) 780-0347.