On April 13, 2023, the Indiana legislature passed Senate Bill 5 (“SB 5”)—more commonly referred to as the Indiana Consumer Data Privacy Act or “Indiana CDPA”—sending the legislation to Governor Eric Holcomb’s desk for signature. Governor Holcomb has until Thursday, April 20 to act on the bill. The Indiana CDPA will become law either if the governor signs the bill or takes no action before the April 20 deadline.
Assuming the governor does not expressly veto SB 5, Indiana will become the second state to pass a comprehensive consumer privacy law in 2023, along with Iowa. These two states join California, Colorado, Connecticut, Utah, and Virginia, all of which have their own consumer privacy laws that go into effect over the course of 2023. The following post summarizes some of the key similarities and differences between the Indiana law and its other state-level counterparts.
How Does the Indiana CDPA Compare With Other Similar Laws?
Generally speaking, the Indiana CDPA is most closely aligned with the business-friendly Virginia Consumer Data Protection Act (“VCDPA”), and is less onerous than the consumer-friendly California Consumer Privacy Act (“CCPA”), Colorado Privacy Act (“CPA”), and Connecticut Data Privacy Act (“CTDPA”). While this is a welcome development for businesses that fall under the scope of the Indiana law, if states continue to favor similar business-oriented consumer privacy laws, this may raise the likelihood that Congress will act to put a federal privacy regulatory regime in place—sooner than later.
When Does the Indiana CDPA Go Into Effect?
One of the unique aspects of the Indiana CDPA is its effective date of July 1, 2026—an intentional maneuver on the part of Indiana lawmakers designed to give the state additional time to assess how businesses implement similar state laws. This delayed effective date not only provides companies with ample time to modify their compliance programs to align with the Indiana CDPA, but also affords Hoosier State legislators the opportunity to amend the current version of the law’s statutory text.
What Businesses Are Subject to the Indiana CDPA?
The Indiana CDPA generally mirrors the VCDPA in terms of its applicability thresholds, in that the statute applicable to businesses (1) that conduct business in Indiana or produce products or services that are targeted to Indiana residents; and (2) (a) control or process the personal data of at least 100,000 consumers during a calendar year; or (b) control or process the personal data of at least 25,000 consumers during a calendar year and derive more than 50% of gross revenue from the sale of personal data. Importantly, however, the Indiana CDPA provides a key limitation that is unique to the Indiana law, which limits the personal data processing thresholds to only those consumers who are Indiana residents (as opposed to consumers generally).
What Rights Does the Indiana CDPA Provide to Consumers?
The Indiana CDPA is very similar to the CPA, CTDPA, and VCDPA in terms of the rights afforded to consumers, which entail the following:
-
know and access;
-
correction;
-
deletion;
-
data portability; and
-
opt-out.
Like the Utah Consumer Privacy Act (“UCPA”) and VCDPA, the Indiana CDPA defines the “sale” of personal data, relevant to the right to opt-out, as encompassing only monetary consideration, but not to “other valuable” consideration (as provided in the CCPA, CPA, and CTDPA). In addition, similar to the CPA, CTDPA, and VCDPA, the right to opt-out under the Indiana CDPA extends to: (1) targeted advertising; (2) the sale of personal data; and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. Also of note, in parallel fashion to the UCPA and VCDPA, the Indiana CDPA does not mandate that controllers recognize universal opt-out mechanisms or opt-out preference signals.
With that said, there are three notable aspects regarding the rights afforded to consumers that are unique to the Indiana statute. First, with respect to the right to data portability, controllers possess discretion under the Indiana CDPA to provide a complete copy of a consumer’s data that was provided by the consumer to the controller or, alternatively, a “representative summary” of that data. Second, the Indiana CDPA’s right to opt-out of profiling extends only to processing carried out “solely” by automated means. Third, the Indiana CDPA’s right to correct extends only to personal data that was previously provided by the consumer to the controller, which is more narrow in scope than the CCPA, CPA, CTDPA, and VCDPA, all of which extend this consumer right to all data in the possession of the controller.
What Disclosures Are Required to Be Made Under the Indiana CDPA?
Like the CPA, CTDPA, UCPA, and VCDPA, the Indiana CDPA requires controllers to provide an accessible, clear, and meaningful privacy notice that satisfies certain content requirements, as well as a disclosure to consumers in the event the controller sells personal data or uses it for targeted advertising. However, the Indiana CDPA does not require any notice of financial incentives similar to that required under the CCPA.
What Other Key Obligations Apply to Businesses Under the Indiana CDPA?
Like the CPA, CTDPA, and VCDPA, the Indiana CDPA requires controllers to establish a process by which consumers can appeal the controller’s decision not to act on a consumer’s request. Further, in parallel fashion to the CTDPA and VCDPA, in the event an appeal is denied, the controller must not only inform the consumer of the decision, but must also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint (note that the CPA sets forth a similar, albeit slightly different, requirement mandating that the controller inform the consumer of his or her ability to contact the attorney general if the consumer has concerns about the result of the appeal).
The Indiana CDPA’s heightened compliance obligations imposed on the processing of sensitive personal data mirror those of the CPA, CTDPA, and VCDPA by requiring both consent and the completion of data protection impact assessments (“DPIA”) prior to the processing of any sensitive data.
Also similar to the CPA, CTDPA, and VCDPA, under the Indiana CDPA DPIAs are also required for the following activities: (1) the processing of personal data for purposes of targeted advertising; (2) the sale of personal data; (3) the processing of personal data for purposes of profiling, if such profiling presents a reasonably foreseeable risk of certain harms; and (4) any processing activities involving personal data that present a heightened risk of harm to consumers.
Lastly, in parallel fashion to the CCPA, CPA, CTDPA, UCPA, and VCDPA, the Indiana CDPA imposes a requirement for controllers and processors to enter into a binding contracts governing the processing of personal data by the processor on behalf of a controller that contains the following:
-
instructions for processing personal data;
-
the nature and purpose of processing;
-
the type of data subject to processing;
-
the duration of processing;
-
the rights and obligations of both parties;
-
a requirement that the processor ensure each individual processing personal data is subject to a duty of confidentiality regarding the data;
-
a requirement that at the controller’s direction, the processor delete or return all personal data to the controller as requested at the end of the provision of services (unless retention of the personal data is required by law);
-
a requirement that, upon the reasonable request of the controller, the processor make available to the controller all information in the processor’s possession necessary to demonstrate the processor’s compliance with its obligations set forth under the Indiana CDPA;
-
a requirement that the processor allow and cooperate with reasonable assessments by the controller or the controller’s designated assessor (alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the processor’s obligations under the Indiana CDPA using an appropriate and accepted control standard or framework and assessment procedure for such assessments; in such scenarios, the processor must provide a report of any assessment to the controller upon request); and
-
a requirement that the processor engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor under the Indiana CDPA with respect to the personal data.
How Will the Indiana CDPA Be Enforced?
Enforcement of the Indiana CDPA most closely mirrors the enforcement schemes of the UCPA and VCDPA. In this respect, enforcement authority over the Indiana CDPA rests exclusively with the Indiana attorney general (“AG”). Civil penalties of up to $7,500 per violation can be imposed for non-compliance. The Indiana CDPA does not include a private right of action allowing consumers to pursue class litigation for violations of the law.
The Indiana CDPA also provides a business-friendly 30-day cure period to remediate any alleged non-compliance and, in turn, avoid an enforcement action by the state’s AG. Like the UCPA and VCDPA—and unlike the CPA and CTDPA—the Indiana CDPA does not provide a sunset date for the law’s cure period provision, meaning that the ability to cure will remain available to businesses indefinitely.
Will Indiana CDPA Regulations or Rules Be Issued?
Like the UCPA and VCDPA, the Indiana CDPA does not contemplate the promulgation of regulations or rules to assist in the implementation of the law. As such, the only modifications to companies’ current compliance obligations and restrictions as they exist today as set forth under the current version of the Indiana CDPA would be through amendments to its statutory text by the Indiana legislature.
What Should Companies Do Now to Prepare for Compliance?
While the Indiana CDPA does not contain any notable unique provisions that would impose obligations on companies not already in existence under the current patchwork of state consumer privacy laws, that may change in the event Indiana lawmakers make amendments to the Indiana CDPA’s statutory text before July 1, 2026. As such, companies should monitor Hoosier State legislative activity for any amendments that may require additional tweaks to compliance programs for Indiana-specific compliance.
In addition, other state legislatures also continue to consider consumer privacy legislation, while Congress is also continuing the debate on Capitol Hill as it relates to the implementation of a comprehensive federal privacy regulatory regime, including whether a federal privacy law will set a floor or a ceiling for privacy rights and/or whether to offer a private right of action allowing consumers to pursue class litigation for non-compliance.