On May 2, 2023, Indiana Governor Eric Holcomb signed Senate Bill 5 into law – making it the 7th state in the US with a comprehensive state privacy law. The bill bears many similarities to other recent state laws, such as those in Virginia, Utah, and Iowa.
Which businesses does this law apply to?
The law applies to companies that do business in Indiana or produce products or services that are targeted to residents of Indiana and:
What are the key highlights of the law?
As noted, Indiana’s Consumer Data Protection Act shares many similarities with Virginia’s Consumer Data Protection Act.
Consent is defined as “a clear affirmative act that signifies a consumer’s freely given, specific, informed, and unambiguous agreement” to process their personal data. Indiana’s data privacy law operates on an opt-out mechanism.
Sensitive Personal Information
Under this law, SPI is considered to be any personal data that falls under the categories below.
Data controllers must receive additional consent from a consumer to process sensitive personal information.
Indiana’s law affords the following privacy rights to consumers.
The response period under Indiana’s privacy law entails that data controllers should respond to consumers within 45 days of a consumer rights request. This can be extended by an additional 45 days if “reasonably necessary”, depending on the complexity and volume of consumer requests – however, these extensions must be communicated to consumers within the initial 45-day period.
Data Protection Impact Assessments
Controllers are required to conduct a DPIA when the following activities are taking place:
The Indiana Consumer Data Protection Act states that data controllers must provide a “reasonably accessible, clear, and meaningful” privacy notice to its consumers. This notice has to include the following information:
What does this mean for your organization?
This latest comprehensive state privacy law is set to go into effect in 2026, so organizations will have time to prepare. Also, by this time organizations will have compliance measures for other state laws that come into effect this year in place, including Virginia’s CDPA, which shares many similarities with Indiana’s state privacy law.
How can OneTrust help with compliance?
OneTrust DataGuidance can help your organization stay compliant with the latest news and updates on privacy regulatory changes worldwide, with blogs, infographics, eBooks, and checklists – giving you the tools to understand new regulations and update your data processes to maintain compliance.
Stay up to date on all the latest US privacy law updates with the DataGuidance US Privacy Law tracker, with effective dates, US privacy news, insights, and overviews all in one place.