
Indiana Data Privacy Law: Everything businesses need to know.

The new state consumer privacy law for Indiana, Senate Enrolled Act No. 5 (“Indiana Data Privacy Law”), was signed into law by Governor Eric Holcomb of Indiana on May 1, 2023, and it will go into effect on January 1, 2026.   

Indiana’s consumer privacy laws now stand alongside those of California, Utah, Colorado, Connecticut, Virginia, and Iowa (collectively called “US State Data Privacy Laws”).

The standards of the Indiana Data Privacy Law are similar to those of the other US State data privacy laws; thus, controllers should be able to modify their current data privacy compliance program to comply with the Indiana Data Privacy Law.   

In this article, we have covered the main points of the Indiana Data Privacy Law.  

Indiana Data Privacy Law: Which businesses does the law apply to?  

Comparable to state data privacy laws in the United States, the Indiana Data Privacy Law mandates transparency and disclosure from “controllers” (individuals or organizations that decide the reasons and methods used to process personal data) and “processors” (individuals or organizations that handle personal data on behalf of a controller) who either:   

  • Conduct business in Indiana; 
  • Create goods or services that are intended for Indiana residents;  
  • In any calendar year, control or process the personal data of at least 100,000 Indiana residents; 
  • Control or process personal data of at least 25,000 Indiana residents and earn more than half of its gross revenue from the sale of personal data.  

Who is exempted from Indiana Data Privacy Law?  

It is to be noted that under the Indiana Data Privacy Law, no revenue threshold applies to organizations subject to privacy requirements.  

Furthermore, government agencies, nonprofit organizations, HIPAA-covered organizations and associates, public and private higher education institutions, and organizations and data governed by the Gramm-Leach-Bliley Act are exempt from the Indiana Data Privacy Law.   

Additionally, several categories of data are exempt from the Indiana Data Privacy Law.   

These categories include information about employment, consumer credit reporting, scientific research data, consumer health records, and data governed by the Federal Farm Credit Act or the Family Educational Rights and Privacy Act.  

What obligation does this law impose on controllers?  

The Indiana Data Privacy Law governs “personal data.”

“Information that is linked or reasonably linkable to an identified or identifiable individual” is the definition of personal data; however, it is essential to note that this definition does not include publicly available information or de-identified or aggregate data.  

The Indiana Data Privacy Law places the following obligations on controllers:

  • Collect only the personal data that is required, relevant, and reasonably required for the stated purposes of the data’s processing.
  • Adopt and implement appropriate physical, technical, and administrative data security measures.  
  • Process customers’ sensitive data only after obtaining the customer’s consent. Genetic or biometric data, data on known children, precise geolocation data, and personal information disclosing racial or ethnic origin, religious beliefs, and health status are all considered forms of sensitive data.
  • When processing consumer data, act impartially and don’t discriminate against customers who use the rights provided by law.  
  • Give consumers access to a clear privacy policy that outlines their rights, how to exercise those rights (including filing an appeal), what categories of personal data are processed, why personal data is processed, what types of data are shared with third parties, and who those third parties are.  
  • Provide a procedure that allows customers to challenge a decision that denies their requests to exercise their rights.  
  • Evaluate the data protection impact of processing personal information for targeted advertising, data sales, profiling, sensitive data, and any other processing activities that include personal information and put consumers at greater risk of harm.  
  • When possessing de-identified data, make a public commitment to preserving the data as de-identified, take reasonable steps to guarantee that the data cannot be linked to a specific person, and compel any data recipients to abide by the Indiana Data Privacy Law. 

Additional requirements are imposed on processors under the Indiana Data Privacy Law.   

Processors must work with the controller to fulfill its responsibilities under the act, such as those relating to consumer rights requests, data processing security, and breach notification.

According to the Indiana Data Privacy Law, a contract outlining relevant consumer privacy standards between the controller and processor must also regulate all processing.  

Some other key highlights of the Indiana Data Privacy Law  

Sensitive Personal Information  

This law defines SPI as any personal information that fits into one of the following categories.   

  • Origins of race or ethnicity   
  • Religious beliefs  
  • Data on health   
  • Sexual orientation  
  • Nationality status   
  • Biometric and genetic data  
  • Data on children  
  • Geolocation  

Data controllers must get additional consent from consumers to process sensitive personal information.  

Consumer Rights  

The following privacy protections are provided to customers under Indiana law.   

  • Right to access  
  • Right to correction   
  • Right to deletion  
  • Right to obtain a copy of data   
  • Right to opt out of targeted advertising, behavioral profiling, and sale of personal data.  

Following Indiana’s privacy law, data controllers must reply to customers’ requests for consumer rights within 45 days.  

Depending on the intricacy and volume of customer requests, this may be extended by an extra 45 days if “reasonably necessary”; however, customers must be informed of these extensions within the first 45 days.    

Processing Agreements required between Controllers and Service Providers  

The Indiana Data Privacy Law, like a few other US State data privacy laws, mandates that controllers and data processors sign agreements that govern processors handling data.   

Under the Indiana Data Privacy Law, contracts must clearly state how personal data will be processed, its nature, purpose, subject type, duration, and the rights and obligations of the parties involved.   

A duty of confidentiality must also be included in the contracts, and processors’ subcontractors must be required to sign them.  

Additionally, upon the controller’s request, processors are required by the Indiana Data Privacy Law to either delete or return personal data.  

Attorney General Investigations and Enforcement  

Like most US State Data Privacy Laws, the Indiana Data Privacy Law does not include a private right of action.

The Indiana Office of the Attorney General can demand investigations and enforcement measures.   

Alleged Indiana Data Privacy Law violations are subject to a 30-day cure period.  

If, after this cure period, a controller or processor still breaks the law, they risk an injunction and civil penalties of up to $7,500 per violation.  

What does this mean for your business?  

The latest comprehensive state privacy law will take effect in 2026, giving businesses ample time to prepare.   

By then, companies will also have put in place compliance procedures for other state laws that go into force this year, such as Virginia’s CDPA, which is a lot like Indiana’s state privacy law.   

Conclusion  

Businesses should pay attention to the Indiana Data Privacy Law even though it doesn’t differ substantially from other US State Data Privacy Laws regarding content.   

Under Indiana’s data breach notification regulations, the Attorney General of Indiana has historically been one of the most proactive state regulators in launching inquiries and investigations into companies’ data breach reporting processes.

Therefore, companies shouldn’t be shocked if the Indiana Attorney General uses a similarly challenging enforcement strategy under the Indiana Data Privacy Law.  

When new laws and regulations are developed, the Data Privacy team at PrivacyPillar will keep you informed and help you prepare your business to comply with any existing data privacy regulations or upcoming ones. 

FAQs

1. What is the Indiana Data Privacy Law?

The Indiana Data Privacy Law, also known as Senate Enrolled Act No. 5, is a state consumer privacy law signed into effect on May 1, 2023, and it will be enforceable starting January 1, 2026. It mandates transparency and disclosure for businesses that process personal data in Indiana.

2. What businesses does the Indiana Data Privacy Law apply to?

The law applies to businesses that conduct operations in Indiana, create goods or services for Indiana residents, control or process personal data of at least 100,000 Indiana residents, or control/process data of 25,000 residents with over half of gross revenue from personal data sales.

3. What obligations does the Indiana Data Privacy Law impose on data controllers?

Controllers must collect only necessary personal data, implement data security measures, obtain consent for sensitive data processing, act impartially with consumer data, provide clear privacy policies, allow consumers to challenge decisions, and evaluate the impact of processing on consumer privacy.

4. What is considered “personal data” under the Indiana Data Privacy Law?

Personal data is defined as information linked or reasonably linkable to an identified or identifiable individual, excluding publicly available or de-identified data. It includes genetic or biometric data, data on known children, geolocation, and information disclosing race, religion, or health status.

5. What categories of data are exempt from the Indiana Data Privacy Law?

Exempt categories include employment information, consumer credit reporting, scientific research data, consumer health records, and data governed by the Federal Farm Credit Act or the Family Educational Rights and Privacy Act.

6. What is Sensitive Personal Information (SPI) under the Indiana Data Privacy Law?

SPI includes data on race or ethnicity, religious beliefs, health, sexual orientation, nationality, biometric and genetic data, data on children, and geolocation. Controllers must obtain additional consent to process SPI.

7. What are the consumer rights under the Indiana Data Privacy Law?

Consumer rights include access, correction, deletion, obtaining a copy of data, and the right to opt out of targeted advertising, behavioral profiling, and the sale of personal data. Controllers must respond to customer requests within 45 days, with a possible extension.

8. What agreements are required between controllers and service providers under the Indiana Data Privacy Law?

Processing agreements must be signed, clearly stating how personal data will be processed, its nature, purpose, subject type, duration, and the rights and obligations of the parties involved. A duty of confidentiality must be included, and processors’ subcontractors must comply.

9. What enforcement measures exist under the Indiana Data Privacy Law?

The Indiana Office of the Attorney General can conduct investigations and enforcement. Violators face a 30-day cure period, and if non-compliant after, they risk injunctions and civil penalties of up to $7,500 per violation.

10. When does the Indiana Data Privacy Law take effect, and how can businesses prepare?

The law becomes enforceable on January 1, 2026, providing businesses with ample time to prepare. Companies should establish compliance procedures for other state laws and be aware of the proactive enforcement strategy of the Indiana Attorney General.