On May 2, 2023, Indiana Governor Eric Holcomb signed Senate Bill 5 into law – making it the 7th state in the US with a comprehensive state privacy law. The bill bears many similarities to other recent state laws, such as those in Virginia, Utah, and Iowa.
Which businesses does this law apply to?
The law applies to companies that do business in Indiana or produce products or services that are targeted to residents of Indiana and:
- Control or process the personal data of 100,000 customers or more; or
- Control or process personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.
What are the key highlights of the law?
As noted, Indiana’s Consumer Data Protection Act shares many similarities with Virginia’s Consumer Data Protection Act.
Consent
Consent is defined as “a clear affirmative act that signifies a consumer’s freely given, specific, informed, and unambiguous agreement” to process their personal data. Indiana’s data privacy law operates on an opt-out mechanism.
Sensitive Personal Information
Under this law, SPI is considered to be any personal data that falls under the categories below.
- Racial or ethnic origin
- Religious beliefs
- Health data
- Sexual orientation
- Citizenship status
- Genetic / Biometric data
- Children’s data
- Geolocation
Data controllers must receive additional consent from a consumer to process sensitive personal information.
Consumer Rights
Indiana’s law affords the following privacy rights to consumers.
- Right to access
- Right to correction
- Right to deletion
- Right to obtain a copy of data
- Right to opt out of targeted advertising, behavioral profiling, sale of personal data
The response period under Indiana’s privacy law entails that data controllers should respond to consumers within 45 days of a consumer rights request. This can be extended by an additional 45 days if “reasonably necessary”, depending on the complexity and volume of consumer requests – however, these extensions must be communicated to consumers within the initial 45-day period.
Data Protection Impact Assessments
Controllers are required to conduct a DPIA when the following activities are taking place:
- Personal data processed for targeted advertising
- Personal data sold
- SPI is being processed
- Personal data processed for profiling with any “foreseeable” risk
- Personal data processed with heightened risk to consumers
Privacy Notices
The Indiana Consumer Data Protection Act states that data controllers must provide a “reasonably accessible, clear, and meaningful” privacy notice to its consumers. This notice has to include the following information:
- Categories of personal data processed
- Purpose of processing personal data
- Mechanism for consumers to exercise their rights (e.g. right to appeal, correction, etc.)
- Categories of personal data shared with third parties
- Categories of third parties that personal data is being shared with
What does this mean for your organization?
This latest comprehensive state privacy law is set to go into effect in 2026, so organizations will have time to prepare. Also, by this time organizations will have compliance measures for other state laws that come into effect this year in place, including Virginia’s CDPA, which shares many similarities with Indiana’s state privacy law.
How can OneTrust help with compliance?
OneTrust DataGuidance can help your organization stay compliant with the latest news and updates on privacy regulatory changes worldwide, with blogs, infographics, eBooks, and checklists – giving you the tools to understand new regulations and update your data processes to maintain compliance.
Stay up to date on all the latest US privacy law updates with the DataGuidance US Privacy Law tracker, with effective dates, US privacy news, insights, and overviews all in one place.
