Breaking Down the New Indiana State Privacy Law

James Grieco
James Grieco
May 8, 2023
min read
Breaking Down the New Indiana State Privacy Law

On May 1, Indiana passed the Indiana Consumer Data Protection Act, becoming just the 7th state in the U.S. to enact comprehensive data privacy regulation. With Iowa passing a similar data privacy law just a month earlier and Montana and Tennessee set to pass comprehensive laws in the coming weeks, the data privacy sphere in the United States is heating up. 

As is the case with Iowa’s privacy law, Indiana’s law–which is still pending a long-term acronym in the immediate aftermath of the bill passing–should not push companies too much when it comes to compliance. The vast majority of the regulation’s core is nearly identical to the existing state privacy laws, and Indiana has even implemented an extremely long grace period, with the law not taking effect until January 1, 2026. 

If an organization is in compliance with Virginia’s VCDPA, which went into effect on January 1, 2023, Indiana’s law should not be a major problem.

Indiana Data Privacy Law at a Glance

The Indiana data privacy law targets entities conducting business within the state or providing products or services to Indiana residents, with similar thresholds for which organizations need to comply. Organizations must either: 

  1. control or process personal data of at least 100,000 consumers or 
  2. control or process the data of 25,000 consumers while also making over 50% of gross revenue from the sale of personal data. 

A "consumer" is a resident of Indiana who engages in transactions for personal, family, or household purposes. Both the definition of consumer and the compliance threshold are similar to existing laws in Virginia, Colorado, and other states.

Indiana Data Privacy Law Exemptions

Indiana has gone the Virginia route when it comes to data privacy exemptions. California and Virginia were the first two states to pass comprehensive data privacy laws in the U.S., but the legislation had different approaches to various elements, including exemptions.

California, as the more progressive bill, opted to exempt only data that was subject to related data protection laws, while Virginia chose to exempt entire entities if they had data subject to those laws. In the years since the CCPA and VCDPA passed, nearly every state law has copied Virginia’s exemption model. 

Indiana is no different, with entities exempt if they are subject to:

  • Gramm-Leach-Bliley Act (GLBA) 
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic and Clinical Health (HITECH) 
  • Children’s Online Privacy Protection Act (COPPA)
  • Data covered by the Health Care Quality Improvement Act
  • Data covered by the Patient Safety and Quality Improvement Act
  • Data covered by the Fair Credit Reporting Act
  • Data covered by the Driver's Privacy Protection Act
  • Data covered by the Family Educational Rights and Privacy Act
  • Data covered by the Farm Credit Act

Consistent with other state-level regulations, government entities, third parties working with government entities, financial institutions, nonprofit organizations, higher education institutions, and public utilities are also exempt from the Indiana law.

Indiana Consumer Data Rights

The Indiana law outlines the set of consumer rights largely laid out by the EU’s GDPR back in 2016, including:

  • Right to access: Consumers can request access to their personal data being processed by a controller. A particular note for this law is that it allows covered entities to provide either a copy of the personal data or a "representative summary" of the data.
  • Right to correct: Consumers can request that inaccuracies in their personal data be corrected by the controller, depending on the nature of the data and the purposes of its processing.
  • Right to data portability: Consumers have the right to receive their personal data in a portable and readily usable format, enabling them to share it with other data controllers.
  • Right to delete: Consumers can request the deletion of personal data they provided to the controller and/or data obtained about the consumer by the controller.
  • Right to opt-out: Consumers can opt-out of the processing of their personal data for targeted advertising, profiling, and the sale of their personal data.
  • Right to opt-in: Adult consumers and parents on behalf of their children must provide explicit consent before a controller can process their sensitive data.

The biggest omission from the GDPR’s set of Data Rights is the private right of action, which allows individuals to sue organizations that have violated data rights. Only California’s amended CCPA features that right among the current batch of American legislation. 

Indiana is a step forward in regards to the Iowa bill that passed in April 2023, as Indiana features the right to correct as well as the right to opt-out of profiling and targeted advertising, all of which are absent or lacking in Iowa’s data privacy law. The opt-outs featured in Indiana’s law largely mirror the way opt-outs work in the VCDPA.

Indiana Data Privacy Law Requirements

Organizations subject to the Indiana law have standard obligations to consumers, notably:

  • Data minimization: Entities must limit personal data collection to only what is necessary for data processing purposes. This is a core tenet of GDPR, and although it is written into most U.S. state laws, it has had less talk of enforcement around the practice. 
  • Explicit consent and transparency: Data controllers and processes must obtain consumer consent to processing data outside of the disclosed purposes.

         "Consent" in the Indiana law is defined as a clear affirmative act that shows a consumer freely gives specific, informed, and unambiguous agreement to a covered            entity to process their personal data.

           In turn, data controllers must provide an accessible and clear privacy notice to consumers that details data processing purposes, categories of personal data            processed, and how consumers can exercise their data rights.

  • Data security: Entities are required to implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
  • Nondiscrimination: Controllers must not process personal data in a way that violates anti-discrimination laws and are prohibited from denying goods, services, or charging different prices to consumers that choose to exercise their data rights.
  • Data processing contracts: Indiana’s data privacy law defines controllers as previous state laws have, with virtually identical data processing contractual obligations.

Impact Assessments

After Iowa’s law did not require impact assessments, it is good to see Indiana’s law follow in the footsteps of Virginia, Colorado, and Connecticut by requiring them. Controllers must conduct data protection impact assessments for these processing activities:

  1. Processing personal data for targeted advertising purposes.
  2. Selling personal data.
  3. Processing personal data for profiling purposes if that profiling creates a foreseeable risk of unfair or deceptive treatment or impact on consumers, financial, physical, or reputational injury, a violation of consumer privacy, or other substantial injury to consumers.
  4. Processing sensitive data.
  5. Processing any personal data in a way that heightens the risk of harm to consumers.

Indiana Data Privacy Enforcement

Like Virginia and other states, the fine for non-compliant behavior is $7500 for each violation. Enforcement again mirrors Virginia, Colorado, and nearly every state but California, as the Attorney General’s office is the only body capable of enforcement. 

Another edge Indiana’s data privacy law has over Iowa’s is the cure period. Indiana offers a 30-day perpetual cure period for organizations notified of violations to correct them, whereas Iowa’s cure period is 90 days, the longest on record.

The cure period–like Virginia’s and Utah’s–is permanent and does not sunset, making it a bit different from Colorado’s and Connecticut’s laws, both of which will no longer offer companies the right to cure after January 1, 2025 (which is before Indiana’s bill will even become binding). 

Overall, the new Indiana data privacy law is not going to alter American companies’ compliance picture, but its passing represents a good sign as more states formally recognize the importance of data privacy.