Indiana Consumer Data Protection Act  

What is the Indiana Consumer Data Protection Act?

The Indiana Consumer Data Protection Act, or Senate Enrolled Act No. 5, is Indiana’s data privacy law, signed into law by Governor Eric Holcomb on May 1, 2023 right after Iowa, which was signed into law in March of 2023. In signing a data privacy law, Indiana joins the ranks of other US states as the seventh state to pass such a law. One way it stands out is through its allowing covered entities a longer period to prepare for compliance, as its effective date is January 1, 2026.  

What is Personal Information and what are other key definitions?

Under the Indiana Consumer Data Protection Act ‘personal data’ is “information that is linked or reasonably linkable to an identified or identifiable individual” but which does not include de-identified data; aggregate data; or publicly available information. ‘Sensitive data’ is defined here as “a category of personal data that includes any of the following: personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis made by a health care provider, sexual orientation, or citizenship or immigration status; genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual; personal data collected from a known child; or precise geolocation data.”

When referring to ‘biometric data’ under the Indiana Consumer Data Protection Act  it is to be understood as data that is “generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, a voiceprint, images of the retina or iris, or other unique biological patterns or characteristics; and is used to identify a specific individual,” but which excludes “a physical or digital photograph, or data generated from a physical or digital photograph; a video or audio recording, or data generated from a video or audio recording; or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.”

Consent has to be “a clear affirmative act that signifies a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer,” which includes “a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.” 

A ‘consumer’ is “an individual who is a resident of Indiana; and is acting only for a personal, family, or household purpose,” but this excludes “an individual acting in a commercial or employment context,” a ‘controller’ is “a person that, alone or jointly with others, determines the purpose and means of processing personal data,” and a ‘processor’ is “a person that processes personal data on behalf of a controller.”

The Indiana Consumer Data Protection Act defines the activity of ‘processing,’ with respect to personal data, as “any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data,” and states that determining the role of controller or processor with respect to data processing “is a fact based determination that depends upon the context in which personal data is processed.”

Finally, Indiana’s privacy law offers a definition for the ‘sale of personal data’ as “the exchange of personal data for monetary consideration by a controller to a third party,” which excludes the following:

• “the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
• the disclosure of personal data to a third party for purposes of providing a product or service requested by:
  • the consumer; or
  • the parent of a child; to whom the personal data pertains;
• the disclosure or transfer of personal data to an affiliate of the controller;
• the disclosure of information that the consumer:
  • intentionally made available to the general public via a channel of mass media; and
  • did not restrict to a specific audience; 
• the disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.”

Who has to comply with the Indiana Consumer Data Protection Act ?

The Indiana Consumer Data Protection Act applies to entities that conduct business in Indiana or produce products or services that are targeted to residents of Indiana who, during one calendar year, do any of the following:

• control or process personal data of at least 100,000 consumers who are Indiana residents; or 
• control or process personal data of at least 25,000 consumers who are Indiana residents and derive more than 50% of gross revenue from the sale of personal data. 

Who is excluded from compliance with the Indiana Consumer Data Protection Act? 

The Indiana Consumer Data Protection Act excludes several types of entities and of data, such as 

• government entities or third parties under contract with these; 
• financial institutions and affiliates, or data subject to Title V of the federal Gramm-Leach-Bliley Act; 
• any nonprofit organization; 
• institutions of higher education; 
• entities and business associates covered by the United States Department of Health and Human Services, pursuant to HIPAA;
  public utility or their affiliated service companies;
• protected health information under HIPAA;
• patient identifying information;
• data covered by the federal Health Care Quality Improvement Act of 1986, the federal Patient Safety and Quality Improvement Act, the Fair Credit Reporting Act, the Driver's Privacy Protection Act, the Family Educational Rights and Privacy Act, or the Farm Credit Act;
• employment related data;
• human research data covered by federal laws.  
  
  
  

How can I keep my organization compliant with the Indiana Consumer Data Protection Act? 

Similar to other US consumer privacy laws, the Indiana Consumer Data Protection Act established a series of duties for controllers as follows: 

• limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer;
• unless otherwise provided by the law, you are not allowed to process personal data for purposes that are neither reasonably necessary for nor compatible with the disclosed purposes for which the personal data is processed, unless you obtain the consumer's consent;
• you are required to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, which must be appropriate to the volume and nature of the personal data at issue;
• you are not allowed to process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers, or discriminate against a consumer for exercising any of their consumer rights, including by denying goods or services to them, charging different prices or rates for goods and services, or providing a different level or quality of goods or services;
• you cannot process sensitive data concerning a consumer without obtaining their consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children's Online Privacy Protection Act;
• you have to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
  • the categories of personal data you process;
  • the purpose for processing personal data;
  • one or more secure and reliable means through which consumers can exercise their rights, including how they can appeal your decision with regard to their request, which has to take into account the ways in which consumers normally interact with you, the need for secure and reliable communication of such requests, and your ability to verify the identity of the consumer making the request.
  • the categories of personal data that you share with third parties, and the categories of third parties you share personal data with, if any;
  • if you sell personal data to third parties or process personal data for targeted advertising, you are required to clearly and conspicuously disclose such processing, as well as the manner in which consumers can exercise the right to opt out of such processing.
• you cannot require a consumer to create a new account in order to exercise their rights you are allowed to use an existing account.

A processor’s duties under Indiana’s data privacy law are to “adhere to the instructions of a controller” and “assist the controller in meeting its obligations” based on a contract that governs “the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract must be binding and clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.”

In addition to the above duties, the Indiana Consumer Data Protection Act requires controllers to perform a data protection impact assessment (DPIA), which will only apply to  “processing activities created or generated after December 31, 2025, and are not retroactive to any processing activities created or generated before January 1, 2026.” Said processing activities that require a data protection impact assessment are as follows: 

• “the processing of personal data for purposes of targeted advertising;
• the sale of personal data;
• the processing of personal data for purposes of profiling, if such profiling presents a reasonably foreseeable risk of:
  • unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
    financial, physical, or reputational injury to consumers;
  • a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, if such intrusion would be offensive to a reasonable person; or
  • other substantial injury to consumers.
• the processing of sensitive data.
• any processing activities involving personal data that present a heightened risk of harm to consumers.”

What data access rights does the Indiana Consumer Data Protection Act grant? 

The Indiana Consumer Data Protection Act grants consumers the following rights: 

• The Right to Know
• The Right to Access
• The Right to Correct
• The Right to Delete
• The Right to Data Portability
• The Right to Opt Out of personal data processing for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer. 

How to address data subject access requests under the Indiana Consumer Data Protection Act?

As a controller, you are required to respond to a consumer request “without undue delay, but in any case not later than 45 days after receipt of the request” and may extend this with an additional 45 days “when reasonably necessary, taking into account the complexity and number of the consumer's requests” as long as you inform the consumer of any such extension within the initial 45 day response period, along with the reason for the extension.

If you refuse a consumer request you are required to inform the consumer “without undue delay, but in any case not later than 45 days after receipt of the consumer's request of the justification for declining to take action, and to provide instructions for how they can appeal your decision. In order for consumers to be able to appeal your decision, you are required to establish a process for this and make it available to consumers. Said appeal process has to be “conspicuously available and similar to the process for submitting requests” and you have 60 days after receipt of an appeal to inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If you deny the appeal, you must also provide the consumer with an online mechanism, if available, or other methods through which they can contact the Attorney General to submit a complaint.

Information provided in response to a consumer request has to be provided free of charge, up to one time per year, per consumer. If a consumer sends multiple requests that are “manifestly unfounded, excessive, or repetitive,” you are allowed to charge them “a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request,” but you have to demonstrate the manifestly unfounded, excessive, or repetitive nature of the request. 

Before responding to a consumer request, you must be able to authenticate this. If you are unable to do so “using commercially reasonable efforts,” you will not be required to comply with the request and are allowed to ask that the consumer provide additional information reasonably necessary to authenticate them and their request.

In the case of a request for correcting inaccuracies in their personal data that you hold, you are required to “correct inaccurate information as requested by the consumer, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data.” Where a request for data portability is made, according to the law, the information “must be in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data or summary to another controller without hindrance, in any case in which the processing is carried out by automated means.” Furthermore, you are not required to provide a copy or a representative summary of a consumer's personal data to the same consumer more than one time in a 12 month period. 

Enforcement and penalties

The Attorney General has exclusive authority to enforce the Indiana Consumer Data Protection Act. According to the law, they “may initiate an action in the name of the state and may seek an injunction to restrain any violations of this article and a civil penalty not to exceed $7,500 for each violation” and “may recover reasonable expenses incurred in investigating and preparing the case, including attorney's fees, in any action initiated” under this law. However, before initiating any action, the Attorney General will provide a cure period of 30 days for the controller or processor to cure the violation. 

Data Subject Rights - GDPR vs. the Indiana Consumer Data Protection Act 

FAQs about the Indiana Consumer Data Protection Act