Indiana's New Law is on the Books
Last month, three more state legislatures passed comprehensive data privacy laws. Just this week, Indiana’s governor signed one of them - the Indiana Consumer Data Privacy Act (“ICDPA’) - into law. Montana and Tennessee are likely right behind. These newcomers will join the six other states (California, Virginia, Colorado, Connecticut, Utah, and Iowa) with data privacy statutes already enacted.
Our May Madness series this month will catch you up on developments in the states and provide the details and information you and your business need to know about the new laws. First up is Indiana:
The ICDPA’s applicability criteria mirrors the Virginia law and applies to persons that conduct business in Indiana or produce products or services that are targeted to Indiana residents that during a calendar year: (i) control or process personal data of at least 100,000 consumers who are Indiana residents; or (ii) control or process personal data of at least 25,000 consumers who are Indiana residents and derive over 50% of gross revenue from the sale of personal data.
The notion of “consumer” as used in the ICDPA means a resident of Indiana acting for a personal, family, or household purpose. It does not include individuals acting in a commercial or employment context. This important distinction is the predominant approach we are seeing adopted by the states, with the notable exception being California.
The ICDPA does not apply to:
- Indiana government entities (or third parties contracted by such entities)
- Financial institutions and affiliates, or data subject to the federal GLBA
- Covered entities or business associates governed by certain rules under HIPAA
- Nonprofit organizations
- Institutions of higher education
- Public utilities or service companies affiliated with a public utility
- Certain research data or employment-related information; and information governed by laws such as HIPAA, the Fair Credit Reporting Act or the Farm Credit Act
Consumers who are Indiana residents will be able to exercise the following rights under the ICDPA:
- Right to confirm whether or not their personal data is processed
- Right to access their personal data
- Right to correct their personal data (limited to data the consumer previously provided)
- Right to deletion of their personal data
- Right to portability of their personal data (business may decide whether to provide a copy of the personal data or a representative summary)
- Right to opt-out of the processing of their personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling through automated means
Business Obligations to Consumers
The ICDPA looks a lot like the business-friendly regulation enacted in Virginia two years ago, but businesses subject to the ICDPA will have plenty of time to prepare for compliance since the law does not take effect until 2026! Here are some of the compliance obligations on the horizon for those businesses:
- Respond to consumer requests under the ICDPA within 45 days of receipt (may be extended an additional 45 days when reasonably necessary)
- Provide required information to consumers free of charge, up to once per year
- Authenticate requests using commercially reasonable efforts
- Establish a process for consumers to appeal any refusal to take action on a consumer request
Notices to Consumers
- Businesses must provide consumers with a “reasonably accessible, clear and meaningful” privacy notice that meets requirements under the ICDPA, including how consumers may submit requests to exercise their rights under the ICDPA
- Businesses must “clearly and conspicuously” disclose any sale of personal data or use of personal data for targeted advertising (and how to opt-out of such sale or use)
Other Business Obligations
- Conduct and document data protection impact assessments for data processing activities created or generated after December 31, 2025, which include extensive requirements and an obligation to provide assessments to the Attorney General upon request
- Limit collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes for which such data is processed
- Process personal data solely for disclosed purposes or purposes compatible with disclosures, unless the consumer consents (noting that aggregate data is excluded from the definition of personal data)
- Establish, implement, and maintain data security practices
And the Do Not’s:
- Do not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers
- Do not discriminate against a consumer for exercising any consumer rights, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to consumers
- Do not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children's Online Privacy Protection Act
“Sensitive data” will include (1) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis made by a health care provider, sexual orientation, or citizenship or immigration status; (2) genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual; (3) personal data collected from a known child (under the age of 13); and (4) precise geolocation data (identifying a location within a radius of 1,750 feet).
Impacts on Vendors/Data Processors
Vendors that are data processors have direct obligations under the ICDPA, such as adhering to instructions from data controllers, assisting data controllers with their own compliance obligations, assisting data controllers with data protection impact assessments, and required subcontractor flow-down obligations.
The ICDPA also contains specific requirements that must be included in data processing agreements between data controllers and data processors.
Private right of action
Like comprehensive data privacy laws in most other states where they have been enacted (except California’s limited private right related to data breaches), the ICDPA does not provide for a private right of action. The ICDPA will be enforced exclusively by Indiana’s Attorney General and, before initiating an enforcement action, the Indiana AG must provide 30 days’ prior written notice of an alleged violation and an opportunity to cure the violation.
Fines and Penalties
Civil penalties up to $7500 per violation, injunctive relief, and recoupment of reasonable investigation and case preparation expenses, including attorney fees, incurred by the Attorney General.
Effective Date for ICDPA
January 1, 2026.