On the first of May, 2023, Governor Eric Holcomb affixed his signature to Senate Bill 5 also known as Indiana Consumer Data Protection Act (ICDPA), ushering Indiana into the fold as the seventh U.S. state to adopt a comprehensive privacy law.
Set to take effect on January 1, 2026, the legislation closely resembles existing privacy laws in other states, encompassing aspects such as privacy policies, conducting data protection impact assessments, ensuring security measures, implementing opt-out mechanisms, addressing consumer rights requests, and establishing contracts with processors. Consequently, while businesses must thoroughly examine their responsibilities under the new statute, those already in compliance with other state privacy regulations will likely find they have already undertaken most of the necessary steps to adhere to Indiana's law.
A Closer Look at the Indiana Consumer Data Protection Act
The ICDPA applies to any entity that engages in business within the state, or that provides products or services designed for residents of Indiana and meets either of the following conditions:
a. The entity exercises control over or processes the personal data of a minimum of 100,000 consumers; or
b. The entity exercises control over or processes the personal data of no fewer than 25,000 consumers and receives 50% or more of its total revenue from the sale of personal data.
2. Consumer Rights
The ICDPA confers the following rights upon Indiana residents:
a. Right of access: Consumers have the right to confirm if a controller is processing their personal data. Diverging from other similar state laws, the ICDPA permits covered entities to provide a "representative summary" of the data in response to a consumer request.
b. Right to correct: Consumers have the right to rectify data they have provided to the controller. However, in contrast to the laws in Colorado, Connecticut, and Virginia, this right is not applicable to all data.
c. Right to data portability: Personal data supplied to the consumer is required to be delivered in a format that is both portable and immediately usable.
d. Right to delete: Consumers are entitled to request controllers to erase their personal data. Contrasting with the right to correct, this right extends to both the personal data provided by the consumer and the data otherwise procured by the controller.
e. Right to opt-out of targeted advertising and sale of personal data: Consumers have the right to opt out of the processing of their personal data for purposes such as targeted advertising, sale of personal data, and profiling, which does not apply to pseudonymous data. The term "sale of personal data" refers to transactions that involve monetary payment and does not include exchanges for "other valuable consideration," a notion acknowledged by California law.
3. Controllers Obligations
a. Purpose limitations: Controllers are required to restrict personal data collection to what is deemed "adequate, relevant, and reasonably necessary" for the purpose of processing. Additionally, they are obligated to disclose these purposes and obtain consumer consent.
b. Data security: Controllers are tasked with implementing reasonable data security measures to safeguard personal data.
c. Consent requirements: A number of activities necessitate consumer consent, defined as "a clear affirmative act." Distinct from California, Colorado, and Connecticut, there is no stipulation for a method for consumers to rescind their consent. Controllers are mandated to secure consent prior to processing sensitive data, as outlined in the ICDPA.
d. Nondiscrimination: Controllers are prohibited from processing data in a manner that contravenes anti-discrimination laws or discriminates against a consumer for exercising their rights.
e. Transparency: Controllers must maintain a clear, accessible, and meaningful privacy notice. This should encompass information about the categories of data processed, the purpose of the processing, categories of personal data shared with third parties (if any), those third parties' categories, and an explanation of how consumers may exercise their rights.
f. Data processing contracts: Controllers are expected to provide processors with a binding data processing contract that includes certain obligatory terms. Processors are anticipated to assist the controller in fulfilling their duties under the law.
g. Assessments: Controllers are required to carry out data protection impact assessments for certain activities:
- Processing personal data for targeted advertising purposes.
- The sale of personal data.
- The processing of personal data for profiling purposes, if that profiling presents a reasonably foreseeable risk of, among others, unfair or deceptive treatment; financial, physical, or reputation damage; intrusion on a consumer's solitude or personal affairs; or other substantial injury.
- Processing of sensitive data.
- Processing activities that involve personal data and present a heightened risk of harm to consumers.
4. Enforcement of the Indiana Consumer Data Protection Act
The Indiana Attorney General holds sole authority to enforce this law, carrying with it a civil penalty capped at $7,500 per infraction, and further costs may be accrued from any investigation and case preparation process, including attorney fees.
Prior to initiating any enforcement action, the Attorney General is obligated to provide the controller a 30 day written notice identifying the specific violations. If the violation is cured within that time frame and the controller provides the Attorney General with an express written statement to that effect, the case may be dismissed. If the controller does not take steps to cure the violations within the specified time frame, the Attorney General is authorized to take corrective action.
Indiana's comprehensive privacy law signals yet another step in the march towards a nationwide data protection regime. As with any new regulation, understanding and adhering to these changes is paramount for businesses, especially those dealing with extensive consumer data.
Given the complexity of these changes, it's critical to partner with a company that understands and can effectively navigate this evolving landscape, such as The Blacklist Alliance. As a leader in regulatory compliance, The Blacklist Alliance can provide invaluable support and guidance to help safeguard your business. Our committed team works continuously, providing our clients with essential tools, including online compliance training, and informative articles like this one.