Indiana’s Consumer Data Protection Act advanced in the state legislature last week and now heads to Governor Eric J. Holcomb’s desk. The bill mirrors comprehensive privacy legislation enacted in Virginia, Utah, and Iowa, further extending the reach of privacy protections in the United States but without the complex mandates found in laws in California, Colorado, and Connecticut. Following on the heels of Iowa’s Act Relating to Consumer Data Protection, Indiana’s law is expected to be the second state privacy law enacted this year, and the seventh comprehensive state privacy law overall.
The following are highlights of the pending Indiana bill:
- Effective Date. If codified, the Indiana law would take effect January 1, 2026.
- Applicability. Indiana’s privacy law applies to companies that do business in Indiana and meet certain thresholds, such as processing personal data of more than 100,000 Indiana consumers, or processing personal data of 25,000 Indiana consumers while also deriving a significant percentage of income (50 percent) from the “sale” of personal data. The law does not apply to government entities (including third parties while doing business with those entities), nonprofits, public utilities, or institutions of higher education. The law also does not apply to Covered Entities or Business Associates subject to HIPAA, or to Financial Institutions or data subject to the Gramm-Leach-Bliley Act. Certain activities of consumer reporting agencies and furnishers (and users) of consumer reports, where regulated by the Fair Credit Reporting Act, are exempt.
- Employee and B2B Exceptions. The Indiana law does not apply to personal data of employees or individuals acting in a commercial context.
- Opt-Out of Sale and Targeted Advertising. The Indiana law provides a right to opt out of the sale of personal data, defined as “the exchange of personal data for monetary consideration by a controller to a third party.” The law also creates a right to opt out of targeted advertising, defined as “displaying of an advertisement to a consumer in which the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.” These definitions mirror the Virginia law now in effect.
- Consent to Process Sensitive Data. The Indiana law requires consent to process sensitive data, similar to the Virginia, Colorado, and Connecticut laws. Sensitive data is defined to include personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis made by a health care provider, sexual orientation, citizenship and immigration status; genetic and biometric data that identifies an individual; precise geolocation data; and personal data collected from a known child. A unique element of this definition is that sensitive data only includes health information to the extent a diagnosis has been made by a health care provider.
- Consumer Rights. The Indiana law includes the now common rights found in other state privacy laws, such as to: access personal data in a portable format, delete personal data, and correct inaccurate personal data.
- Contract Terms. The Indiana law requires a contract between controllers and processors to include specific contractual provisions relating to the processor’s handling of personal data and the controller’s audit rights. These contract terms mirror requirements in the Virginia and Colorado laws.
- Enforcement and Regulation. The Indiana law provides for a 30-day right to cure violations. If a business fails to cure a violation, the Attorney General may initiate an action for injunctive relief and civil penalties of up to $7,500 per violation. There is no private right of action in the law.
The following chart summarizes and compares requirements of current U.S. state privacy laws (subject to exceptions stated in each law):
- California (CA) – California Privacy Rights Act (Effective Jan. 1, 2023)
- Virginia (VA) – Virginia Consumer Data Protection Act (Effective Jan. 1, 2023)
- Colorado (CO) – Colorado Privacy Act (Effective July 1, 2023)
- Connecticut (CT) – Connecticut Act Concerning Personal Data Privacy (Effective July 1, 2023)
- Utah (UT) – Utah Consumer Privacy Act (Effective Dec. 31, 2023)
- Iowa (IA) – Act Relating to Consumer Data Protection (Effective Jan. 1, 2025)
- Indiana (IN) – Indiana Consumer Data Protection Act (Effective Jan. 1, 2026)
Categories compared in the chart: Thresholds to Applicability; Sales; Targeted Advertising; Global Privacy Controls; Sensitive Data; Profiling; Minor & Children’s Data; Consumer Rights; Authorized Agent; Appeals; Private Right of Action; Cure Period; Data Protection Assessments.