On May 1, 2023, Gov. Holcomb signed into law Indiana’s first consumer data privacy statute. Indiana now joins California, Colorado, Connecticut, Iowa, Virginia and Utah in adopting consumer data privacy protections. Fortunately, Senate Enrolled Act 5 will not take effect until January 1, 2026, so Indiana businesses have some time to make the necessary adjustments.
Who is impacted by this statute?
The statute broadly applies to persons that conduct business in Indiana or produce products or services targeted to residents of Indiana, and:
- Control or process personal data of at least 100,000 Indiana consumers; or
- Control or process personal data of at least 25,000 Indiana consumers and derive more than 50 percent of their gross revenue from the sale of personal data.
Like similar statutes, it does not apply to the state or state agencies, institutions already covered by the Gramm-Leach-Bliley Act or HIPAA, higher education, public utilities or nonprofits.
What data is covered by this statute?
The statute recognizes two classes of data:
- “Personal data,” which is “information that is linked or reasonably linkable to an identified or identifiable individual;” and
- “Sensitive personal data,” which is racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data collected from a child and precise geolocation data.
How are consumers impacted?
Consumers under the statute gain the following rights:
- To know whether a company is processing the consumer’s personal data and to access that data;
- To correct inaccuracies in the consumer’s personal data;
- To delete personal data;
- To obtain a copy or summary of the consumer’s personal data in a usable format; and
- To opt out of the processing of the consumer’s personal data for targeted advertising, sale, or profiling for decisions affecting financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services and access to necessities, such as food and water.
How are data controllers impacted?
Data controllers, in turn, will have the following obligations:
- To minimize data collection to what is “adequate, relevant, and reasonably necessary;”
- To only process personal data consistent with the disclosed purpose for the processing;
- To establish, implement and maintain reasonable administrative, technical and physical data security practices;
- To not discriminate against any consumer exercising their rights under the statute;
- To disclose the sale of the consumer’s data;
- To ensure that data processors maintain the confidentiality of the data they receive from data controllers; and
- To not process any sensitive personal data without first obtaining the consumer’s express consent.
That last part may represent the most significant change to current practices, so those covered by the statute will want to ensure they are prepared to obtain the consumer opt-in for sensitive personal data.
Finally, unlike California’s statute, Indiana’s version has no private right of action. Instead, all enforcement powers reside exclusively with the Attorney General. Those enforcement powers, however, have some teeth: each violation can result in a civil fine of up to $7,500.