Press "Enter" to skip to content

Indiana Enacts Comprehensive Consumer Data Privacy Law

IndianaIndiana Gov. Eric Holcomb on May 1 signed into law Senate Bill 5, making Indiana the seventh state to enact a comprehensive consumer data privacy law, following California, Virginia, Colorado, Utah, Connecticut, and Iowa. The law will take effect Jan. 1, 2026.

APPLICABILITY

The law applies to any person that conducts business in Indiana or produces products or services that are targeted to residents of Indiana and that during a calendar year:

  1. controls or processes personal data of at least 100,000 consumers who are Indiana residents; or
  2. controls or processes personal data of at least 25,000 consumers who are Indiana residents and derives more than 50% of gross revenue from the sale of personal data.
EXEMPTIONS

Importantly, the law exempts financial institutions and affiliates, or data subject to the Gramm-Leach-Bliley Act. Other exemptions include covered entities or business associates governed by the privacy, security, and breach notification rules issued pursuant to the Health Insurance Portability and Accountability Act, and the use of personal information to the extent the activity is regulated by and authorized under the Fair Credit Reporting Act.

CONSUMER RIGHTS

Consumers are provided the right to:

  1. confirm whether a controller is processing the consumer’s personal data and to access such personal data;
  2. correct inaccuracies in the consumer’s personal data that the consumer previously provided to a controller;
  3. delete personal data provided by or obtained about the consumer;
  4. obtain a copy of the consumer’s personal data, or a representative summary;
  5. opt out of the sale of personal data.
SENSITIVE DATA

A controller may not process “sensitive data” without a consumer’s consent.

“Sensitive data” includes:

  1. Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis made by a health care provider, sexual orientation, or citizenship or immigration status;
  2. Genetic or biometric data;
  3. Personal data collected from a known child;
  4. Precise geolocation data.
CONTRACT REQUIREMENTS

A contract between a controller and a processor must include certain provisions to ensure that:

  1. each person processing personal data is subject to a duty of confidentiality;
  2. a processor will delete or return all personal data to the controller upon request;
  3. a processor will provide a controller with all information necessary to demonstrate the processor’s compliance;
  4. a processor will allow, and cooperate with, reasonable assessments by the controller;
  5. any subcontractor of the processor will meet the obligations of the processor pursuant to a written contract.
DATA PROTECTION IMPACT ASSESSMENTS

A controller must conduct and document a data protection impact assessment if the processing involves:

  1. targeted advertising;
  2. the sale of personal data;
  3. certain profiling;
  4. sensitive data;
  5. activities posing a heighted risk of harm to consumers.
ENFORCEMENT

The Attorney General has the exclusive authority to enforce the law. Prior to taking any action, the Attorney General must provide a controller or processor 30 days to cure the violation. In the absence of a cure, civil penalties not to exceed $7,500 may be sought for each violation.

PREEMPTION

The law preempts “all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the processing of personal data by controllers or processors.”

IMPRESSION

The Indiana law is very similar to the non-California data privacy laws recently enacted, so it should cause few additional compliance challenges.

Similar legislation will soon be eligible for the governors’ signatures in Tennessee and Montana.

For a chart comparing the state comprehensive data privacy acts, and more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.

Photo: pabrady63/stock.adobe.com

Print Friendly, PDF & Email

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.