Dominoes Continue to Fall: Indiana Becomes 7th State to Enact Comprehensive Privacy Law

On May 1, 2023, Indiana enacted the Indiana Consumer Data Protection Act (the “ICDPA”) after Governor Eric Holcomb signed Senate Bill 5. Indiana is now the seventh state to enact a comprehensive privacy law, which comes on the heels of Iowa enacting a similar law about a month ago (as discussed here) and expands the presence of these types of laws in the Midwest. The ICDPA will take effect on January 1, 2026 and is akin to the six other state comprehensive privacy laws, in particular the law in Virginia, which took effect on January 1, 2023.

Applicability

The ICDPA will apply to persons conducting business in Indiana or producing products or services that are targeted to residents of Indiana and that during a calendar year either:

  1. control or process personal data of at least 100,000 consumers (defined below); or
  2. control or process personal data of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data.

The applicability thresholds under the ICDPA law replicate those under the privacy laws in Virginia and Iowa. Notably, unlike California’s and Utah’s privacy laws, there is no monetary threshold for businesses as part of applicability under the ICDPA.

Additionally, like the other state comprehensive privacy laws, the ICDPA contains exemptions for certain types of entities, such as governmental entities, third-party contractors acting on behalf of governmental entities, financial institutions governed by the Gramm-Leach-Bliley Act, covered entities and business associates subject to HIPAA and HITECH, non-profit organizations, and institutions of higher education. The ICDPA also exempts certain types of information and data, such as protected health information under HIPAA, information that is intermingled with protected health information under HIPAA, personal data regulated by the Family Educational Rights and Privacy Act (“FERPA”), and data processed or maintained in the course of employment.

Key Definitions

Like all of the state comprehensive privacy laws, other than California's, the ICDPA narrowly defines “consumer” to mean an individual who is an Indiana resident, but excludes an individual acting in a commercial or employment context. As a result, employee personal information and business contact personal information fall outside the scope of the ICDPA.

With respect to these consumers, the ICDPA regulates their “personal data” as well as a special category of personal data known as “sensitive data,” which it defines as (i) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis made by a health care provider, sexual orientation, or citizenship or immigration status; (ii) genetic or biometric data processed for the purpose of uniquely identifying a natural person; (iii) personal data collected from a known child (i.e., an individual under thirteen); or (iv) precise geolocation data. The ICDPA’s definition of “sensitive data” is similar to the definitions used the other state comprehensive privacy laws, except for California’s law, which uses a broader definition.

Under the ICDPA, the “sale of personal data” means the exchange of personal data for monetary consideration only (as opposed to monetary or other valuable consideration) by the controller to a third party. This definition mirrors the definitions of “sale” in Virginia’s, Utah’s, and Iowa’s laws, meaning that a majority of the state comprehensive privacy laws use this definition. Additionally, the ICDPA provides broad exceptions to the definition of “sale” that are similar to exceptions in other state privacy laws and should cover may ordinary business activities, such as disclosure of personal data to a processor who processes the personal data on behalf of a controller, to a third party for the purpose of providing a product or service requested by a consumer, and to an affiliate of the controller.

Compliance

The compliance obligations found in the ICDPA are substantially similar to those found in the other state comprehensive privacy laws, such as requiring controllers to provide a compliant privacy notice to consumers and to enter into contracts with processors that process personal data for the controller. Further, like the privacy laws in Colorado, Connecticut, and Virginia, the ICDPA requires controllers to undertake data protection impact assessments of any processing activities that involve personal data used in targeting advertising, the sale of personal data, profiling (in certain instances), sensitive data, and data that presents a heightened risk of harm to consumers. This is unlike the recently-enacted Iowa law, which, along with California and Utah, does not currently require data protection impact assessments.

Consumer Rights and Requests

One common and critical component of the state comprehensive privacy laws is the granting of rights to individuals regarding their own personal data. The ICDPA grants consumers the right to make requests to (1) know and access their personal data; (2) correct inaccuracies in their personal data; (3) delete their personal data; (4) obtain a copy or a representative summary of their personal data; and (5) opt out of the processing of their personal information for targeted advertising, the sale of personal data, or certain types of profiling. These rights align with the rights granted to consumers under Colorado’s, Connecticut’s, and Virginia’s laws. Some of the other comprehensive privacy laws do not grant consumers this whole slate of rights. For example, the laws in Iowa and Utah do not include the right to correct inaccuracies.

Under the ICDPA, a controller has 45 days to respond to a consumer request, which may be extended once by an additional 45 days when reasonably necessary upon considering the complexity and number of the consumer’s requests. Like under the comprehensive privacy laws in Colorado, Connecticut, Virginia, and Iowa, the ICDPA requires a controller to provide consumers with an appeals process if it denies a consumer’s request, and a controller has 60 days to respond to an appeal. There is no right to appeal in California or Utah.

Enforcement

All of the state comprehensive privacy laws exclude a private right of action for individuals (except for a limited right under California’s law), and the ICDPA is no different. The ICDPA grants enforcement exclusively to the Indiana Attorney General, who can seek civil penalties of up to $7,500 for each violation of the law, the same amount under Virginia’s, Utah’s and Iowa’s privacy laws. However, violators first receive an opportunity to cure violations within 30 days of receiving notice of a violation from the Attorney General.

Conclusion

The privacy law movement at the state level is moving quicker and quicker. The states with these laws seem to be uniting around common core components in these laws, with California’s law—though the first in the country—beginning to be more of an outlier. As states continue to enact similar laws at this rate, there may be a stronger push for a federal law. Meanwhile, the benefits of a universal approach to privacy compliance, especially for medium to large businesses, is increasingly important. Although the ICDPA will not take effect until January 1, 2026, given its similarities to other laws, impacted businesses may want to consider integrating compliance for the ICDPA into their currently ongoing privacy compliance plans.

If you would like assistance with, or have any questions about, complying with the ICDPA or other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Cybersecurity & Data Privacy attorneys. Check out our U.S. Privacy Laws page for more information.