Indiana Becomes the Seventh State to Enact a Comprehensive Data Privacy Law

On May 1, 2023, Indiana Governor Eric Holcomb signed into law Senate Enrolled Act No. 5 ("Indiana Data Privacy Law"), Indiana's new state consumer privacy law, which will become effective January 1, 2026. Indiana now joins California, Utah, Colorado, Connecticut, Virginia, and Iowa as states with their own consumer privacy laws (together, "US State Data Privacy Laws"). The Indiana Data Privacy Law does not stand out from the group of existing US State Data Privacy Laws in its requirements, so controllers should have little difficulty adapting their existing data privacy compliance program to the Indiana Data Privacy Law. Similar to our other client alerts on US State Data Privacy Laws, we summarize the key components of the Indiana Data Privacy Law below.

Who does the Indiana Data Privacy Law apply to?

Similar to the US State Data Privacy Laws, the Indiana Data Privacy Law imposes transparency and disclosure obligations on a "controller" (a person or entity who determines the purpose and means of processing personal data) or "processor" (a person or entity who processes personal data on behalf of a controller) who either:

• conducts business in Indiana; or
• produces products or services that are targeted to the residents of Indiana;

and that, during a given calendar year:

• controls or processes personal data of at least 100,000 Indiana residents; or
• controls or processes personal data of at least 25,000 Indiana residents and derives over 50 percent of its gross revenue from the sale of personal data.

Notably, the Indiana Data Privacy Law does not have a revenue threshold for entities to be subject to privacy obligations. In addition, the Indiana Data Privacy Law does not apply to government entities, nonprofits, HIPAA-covered entities and business associates, higher educational institutions (public or private), and Gramm-Leach-Bliley Act-regulated entities and data. The Indiana Data Privacy Law also does not apply to certain classes of data including health records, scientific research data, consumer credit-reporting data, data regulated by the Family Educational Rights and Privacy Act or federal Farm Credit Act, and employment-related information. 

What rights does the Indiana Data Privacy Law grant consumers?

The Indiana Data Privacy Law grants Indiana residents acting in an individual or household context ("consumers") certain access and control rights concerning their personal data. A consumer may submit authenticated requests to a controller to: 

(1) confirm whether they are processing the consumer's data and provide access to the consumer's data; 

(2) correct inaccuracies in the consumer's personal data that the consumer provided to the controller;

(3) delete personal data provided by or obtained about the consumer; 

(4) obtain a copy of or a representative summary of the consumer's personal data that the consumer previously provided to the controller (i.e., data portability); and 

(5) opt out of the processing of the consumer's personal data for purposes of targeted advertising, the sale of personal data, or profiling.

A controller must respond to consumer requests within 45 days, though that time period may be extended for an additional 45 days if reasonably necessary depending on the complexity and number of requests. The Indiana Data Privacy Law also grants consumers the right to appeal the controller's refusal to take action on requests to exercise their rights, to which the controller must reply within 60 days. If the controller denies the appeal, the controller must provide a method for those consumers to contact the Indiana Office of the Attorney General to submit a complaint. 

What obligations does the Indiana Data Privacy Law impose on controllers?

The Indiana Data Privacy Law applies to "personal data." Personal data is defined as "information that is linked or reasonably linkable to an identified or identifiable individual," but the definition of personal data notably excludes de-identified or aggregate data or publicly available information.

The Indiana Data Privacy Law requires controllers to:

• Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to disclosed purposes for which such data is processed.
• Adopt and implement reasonable administrative, technical, and physical data security practices.
• Process consumers' sensitive data only after obtaining the consumer's consent. Sensitive data is defined to include genetic or biometric data, data of known children, precise geolocation data, and personal information revealing racial or ethnic origin, religious beliefs, and health status. 
• Process consumer data in a non-discriminatory manner, and refrain from discriminating against consumers who exercise the rights granted by the statute.
• Provide a clear privacy policy that includes the categories of personal data processed, the purpose for processing personal data, the categories of data shared with third parties, the types of third parties, the consumer's rights, and the manner in which consumers may exercise their rights, including an appeal. 
• Clearly disclose if the controller sells consumers' personal data to third parties or engages in targeted advertising, and provide consumers an opportunity to opt out. 
• Establish a process for consumers to appeal the refusal to take action on requests to exercise their rights.
• Conduct a data protection impact assessment on the processing of personal data for targeted advertising, the sale of personal data, profiling, sensitive data, and any processing activities that involve personal data that present a heightened risk of harm to consumers.
• When in possession of de-identified data, take reasonable measures to ensure that the data cannot be associated with an individual, commit publicly to maintaining data as de-identified data, and obligate any recipients of the data to comply with the Indiana Data Privacy Law. 

The Indiana Data Privacy Law imposes additional requirement on processors. Processors must cooperate with the controller to comply with its obligations under the act, including its obligations regarding consumer rights requests, security of data processing, and breach notification. The Indiana Data Privacy Law also requires that all processing be governed by a contract between the controller and processor that outlines relevant consumer privacy provisions.

Key Aspects of the Indiana Data Privacy Law

• Right for Consumers to Opt Out: The Indiana Data Privacy Law permits consumers to opt out of the processing of personal data for the sale of personal data, profiling, or for targeted advertisements.
• Processing Agreement Required between Controllers and Service Providers: Like certain other US State Data Privacy Laws, the Indiana Data Privacy Law requires controllers to enter into contracts with data processors that regulate how processors process data. Contracts under the Indiana Data Privacy Law must set forth clear instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the parties' rights and obligations. The contracts also must include a duty of confidentiality and must require processors' subcontractors to sign contracts with the same requirement. The Indiana Data Privacy Law also requires processors to delete or return personal data upon the controller's request. 
• Attorney General Investigations and Enforcement: Like most of the US State Data Privacy Laws, the Indiana Data Privacy Law does not provide for a private right of action. The Indiana Office of the Attorney General has authority to conduct enforcement actions and issue investigative demands. The Indiana Data Privacy Law provides a 30-day cure period for alleged violations. A controller or processor who continues to violate the law after this cure period may be subject to an injunction and civil penalties of up to $7,500 for each violation. 

While the Indiana Data Privacy Law is not significantly distinguishable in substance from other US State Data Privacy Laws, businesses should not overlook the law. Historically, the Indiana Attorney General has been one of the more active state regulators in opening inquiries and investigations into entities data breach reporting practices under Indiana's data breach notification law. As such, businesses should not be surprised by a similarly aggressive enforcement approach by the Indiana Attorney General under the Indiana Data Privacy Law. White & Case's Data, Privacy and Cybersecurity team will continue to provide updates as these laws and regulations emerge. Please reference our US Data Privacy Guide and other client alerts for general steps to take to comply with US data privacy laws.

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}

_{© 2023 White & Case LLP}