And Then There Were Seven: Indiana Enacts Consumer Privacy Law

Published: May. 04, 2023

On May 1, 2023, Indiana became the seventh U.S. state to enact a consumer privacy law with the governor’s signing of Senate Bill 5. Effective January 1, 2026, the law mirrors other state privacy laws, including with regard to privacy policies, responding to consumer rights requests, opt-out mechanisms, data protection impact assessments (“DPIAs”), security measures, and contracts with processors. Thus, while businesses should review their obligations under the law, businesses that comply with other state privacy laws have likely taken most of the steps required to comply with Indiana’s law.

Scope

Indiana’s law applies to a person that conducts business in Indiana or produces products or services targeted at Indiana residents (“consumers”) and that, during a calendar year, either:

  • Controls or processes personal data of at least 100,000 consumers; or
  • Controls or processes personal data of at least 25,000 consumers and derives 50% or more of its gross revenue from the sale of personal data.

The law exempts employee and B2B data, nonprofits, and data and entities covered by various federal privacy laws such as HIPAA and GLBA.

Controller and Processor Obligations

Indiana’s requirements for controllers are not unique amongst privacy laws. Controllers must have a privacy policy (those prepared for other state privacy laws likely satisfy Indiana’s requirements), implement “reasonable” security measures, and limit their collection of personal data to what is adequate, relevant, and reasonably necessary in relation to their processing purposes. DPIA requirements mirror those of other states that require DPIAs, and a DPIA prepared to comply with another state’s privacy law satisfies Indiana’s law as long as it contains the required elements.

As in other states, processors must adhere to the controller’s instructions and assist the controller in meeting its obligations under Indiana’s law. Contracts between controllers and processors must contain the provisions required by most other state privacy laws, so contracts prepared to comply with other laws will likely satisfy Indiana’s requirements.

Consumer Rights and Consent Requirements

Indiana’s law provides consumers with the rights to access, correct, delete, and obtain a copy or summary (in the controller’s discretion) of personal data processed by a controller. Controllers must respond to requests within 45 days (with a possible 45-day extension), and consumers have the right to appeal denials of their requests.

As with most other state privacy laws, consumers have the right to opt out of the sale of personal data and the use of personal data for targeted advertising or profiling that produces legal or similarly significant effects. (“Sale” means the exchange of personal data with a third party for monetary consideration, the narrower of the two definitions adopted in other states.) Indiana’s law does not prescribe a specific opt-out method; it requires only that the method be clear, conspicuous, and similar to the method for submitting requests to exercise other rights.

As in Colorado, Connecticut, and Virginia, controllers must obtain consent to process sensitive data (defined similarly to other state privacy laws) and to process personal data for purposes that are not reasonably necessary or compatible with the purposes of processing disclosed to consumers (e.g., the purposes listed in the controller’s privacy policy). 

Enforcement

No private right of action exists under Indiana’s privacy law – the state Attorney General (“AG”) has sole enforcement authority. Before bringing an enforcement action, the AG must notify controllers or processors of alleged violations and allow them a 30-day cure period. If violations persist, the AG can seek injunctive relief and penalties of up to $7,500 per violation.