Indiana is set to become the seventh state to pass a comprehensive consumer data protection law
The proposed law, SB 5, places new, but familiar, requirements on businesses and would go into effect in January 2026
Companies that process the personal data of Indiana residents will need to take action to comply
Indiana is set to become the seventh state with a comprehensive consumer data protection law. Senate Bill 5 (SB 5) is on track to become law after passing the third reading in the Indiana House of Representatives 98-0 on April 11. When signed into law, enforcement will begin Jan. 1, 2026, giving businesses a significant amount of time to come into compliance.
The Indiana consumer data protection act will apply to for-profit businesses that collect and process the personal data of Indiana residents, subject to certain applicability thresholds. The law places new responsibilities on businesses regarding notice and transparency related to the collection, use, and sharing of Indiana residents’ personal data.
The bill also provides significant new rights to Indiana individuals, allowing them greater access to information businesses have collected about them, the ability to control that information, and the right to opt out of certain uses of their information. Indiana’s earlier attempts at passing a consumer data protection bill failed after facing concerns that its basis on the more aggressive European Union General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) made it overly difficult for businesses to comply with the proposed law’s standards. SB 5 takes a different approach, instead largely mirroring the arguably more business-friendly Virginia Consumer Data Protection Act (VCDPA).
There are are a few notable areas that will require businesses to update and adapt their existing data privacy compliance programs to ensure compliance with the new law.
The new law, once effective, will apply to companies that meet certain thresholds.
A business is subject to the law if it conducts business in Indiana or targets Indiana residents and, during a calendar year: 1. controls or processes the personal data of at least 100,000 Indiana consumers or 2. derives more than 50 percent of its gross revenue from selling personal data of at least 25,000 Indiana consumers.
The law contains a number of exceptions to applicability. Notably, the law is set to apply only to consumers, which is specifically defined such that it excludes Indiana individuals acting in a commercial or employment context. In other words, the law does not provide these rights to individuals regarding personal data collected and processed while they are acting as employees or job applicants, or where their personal data is used in a commercial or B2B context.
The law also excludes a number of entity and data types, including not-for-profits, colleges and universities, and government entities and their providers, as well as personal data used for research purposes or which is otherwise covered by laws like HIPAA and the Gramm–Leach–Bliley Act. Distinguishing itself from Virginia and other laws, the Indiana law also exempts public utilities and affiliated service companies from the legislation, and contains a provision that exempts from applicability licensed riverboat casino owners operating facial recognition programs approved by the Indiana gaming commission.
Indiana Consumer Rights
SB 5 grants Indiana consumers several new data protection rights. These new rights will include:
- Right to Know. Indiana consumers will be able to request confirmation of whether a business is processing their personal data, what data is processed, and how the processing is taking place. Businesses will be required to post a privacy notice detailing this information for consumers.
- Right to Access. Indiana consumers will be allowed to view their personal data upon request. SB 5 allows businesses to choose whether to send copies of raw data to consumers or to provide a representative summary of the data collection. Indiana consumers can submit requests to exercise these rights once a year.
- Right to Correct. In addition, if an Indiana consumer believes a company possesses inaccurate personal data, the consumer can request correction of this data.
- Right to Delete. Indiana consumers will be able to request deletion of personal data obtained by the business.
- Right to Opt Out. Indiana consumers will have the ability to opt-out of the processing of their data for targeting advertising, the sale of their data, or profiling.
Right to Opt Out
Perhaps the most notable new right provided by the law is the right to opt out, which gives Indiana consumers significantly more control over how their data is used and shared. Under the law, upon an Indiana consumer’s request, businesses will be required to stop processing the consumer’s data for the purposes of targeting advertising, selling their data, or profiling them based on their data. Businesses will have 45 days to respond to such requests. Similar to rights granted to individuals under other state and international laws, this right to opt out provides Indiana consumers much greater control over the use of their personal data and its transfer to third parties the consumer may or may not know exist or receive their information.
Data Privacy Impact Assessments
Under SB 5, Indiana businesses will soon be required to conduct data protection impact assessments (DPIAs) to assess the processing of data for targeted advertising purposes and profiling, and the sale of personal data. A DPIA is an internal assessment of data processing activities that helps assess risks to the privacy of personal data. Under the new law, businesses will need to complete DPIAs for certain processing activities on an annual basis to remain compliant. A DPIA helps to identify and weigh the benefits to the public, stakeholders, and the consumers against the risks associated with processing, and determine what safeguards can be employed by the controller to reduce these risks.
Although the DPIAs will be confidential and exempt from public inspection, the Indiana attorney general may request that a business disclose its DPIA if it is relevant to an investigation. Businesses will therefore need to ensure these recordkeeping documents are made a regular part of their data protection compliance program activities.
Unlike some consumer data protection laws, such as the California Privacy Rights Act (CPRA), SB 5 does not offer a private right of action for consumers. Additionally, no privacy board or other supervisory authority is created by the law. Instead, enforcement of the law falls exclusively to the Indiana attorney general. If a business is found to be in violation of the law, the attorney general can enforce fines of up to $7,500 per violation.
Although previous versions of the bill contained a provision that would have sunset the right to cure after two years, the current version takes a more business-friendly approach and contains a permanent right to cure any violations of the act. As a result, under the law, if a business is notified by the attorney general that they are violating the act, it will be provided 30 days to remedy the alleged violation before the attorney general initiates an official action. Such a cure period can be key for businesses to avoid fines and other actions.
Attorney General Materials
A late addition to SB 5 suggests – but stops short of requiring – the Indiana attorney general should provide on its website a list of resources, including sample privacy notices and disclosures, to assist controllers in complying with the law. Provision of these materials could help create a baseline for compliance requirements under the law and assist businesses in ensuring their own policies are compliant with Indiana standards.
For more information, please contact the Barnes & Thornburg attorney with whom you work, or Brian McGinnis at 317-231-6437 or firstname.lastname@example.org, or Madeline San Jose at 317-231-6416 or email@example.com.
© 2023 Barnes & Thornburg LLP. All Rights Reserved. This page, and all information on it, is proprietary and the property of Barnes & Thornburg LLP. It may not be reproduced, in any form, without the express written consent of Barnes & Thornburg LLP.
This Barnes & Thornburg LLP publication should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own lawyer on any specific legal questions you may have concerning your situation.