On May 1, 2023, Governor Eric Holcomb’s signed Indiana’s Consumer Data Protection Act into law, making Indiana the seventh US state to pass comprehensive consumer data privacy law — joining California, Iowa, Utah, Connecticut, Virginia, and Colorado (Tennessee has since enacted a consumer privacy statute; and Montana and Texas have passed laws that are currently awaiting their respective governors’ signatures). The Consumer Data Protection Act closely tracks prevailing trends in US state privacy legislation and in particular emulates the Virginia Consumer Data Protection Act (VCDPA), which came into force at the start of 2023. The new law will come into effect on January 1, 2026.
An earlier bill introduced last year, SB 358, modeled after Europe’s General Data Protection Regulation (GDPR), passed the Senate but languished in the House. SB 5, introduced at the start of this year’s Senate session and which would ultimately be enacted as the Consumer Data Protection Act, deliberately eschews the burdensome compliance requirements of laws like the GDPR and the California Consumer Privacy Act (CCPA) in favor of a more streamlined framework modeled after the VCDPA. One of the bill’s principle drafters, State Senator Liz Brown commented, “Talking to constituencies, (I) realized that’s not workable for a lot of reasons. They have different laws than we have, so the Virginia model was presented as something more workable and that had already been passed.”
In Senate Committee hearings, business associations including the Indiana Chamber of Commerce and the Indiana Technology and Innovation Association expressed support for the bill, with the Chamber of Commerce calling it “a win for both technology companies and Indiana consumers.” On the other hand, privacy advocates Consumer Reports and the Electronic Privacy Information Center (EPIC) opposed the proposals. Having passed by 98-0 and 49-0 in the Indiana House of Representatives and Senate respectively, a motion to concur the bill passed on April 13, sending the bill to the desk of Governor Eric Holcomb for final signature. Governor Holcomb signed the bill on May 1.
Following its passage a spokesperson for the Office of the Attorney General, the sole investigative and enforcement authority for the Consumer Data Protection Act, said of the new law: “One of my office’s main priorities is to protect consumers. As technology advances, the opportunities for personal data to be leaked increases. This law doesn’t ensure complete safety online, but it is a step in the right direction.”
Scope: The law will apply to businesses that conduct business in Indiana or markets products or services to Indiana residents and who either (1) controls or processes the personal data of at least 100,000 Indiana residents or (2) controls or processes the personal data of at least 25,000 Indiana residents and derive more than half their revenue from the sale of personal data. State agencies, nonprofit organizations, institutions of higher education, public utilities, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) and covered entities under Health Insurance Portability and Accountability Act (HIPAA) are exempt from SB5’s provisions. Under the new law, personal data is defined as “information that is linked or reasonably linkable to an identified or identifiable individual” and expressly excludes de-identified and aggregate data, as well as publicly available information. The term “consumer” is defined specifically to exclude those acting in an employment or commercial context.
Consumer rights: The Consumer Data Protection Act establishes a number of consumer rights in respect of their data. Indiana consumers will have the right to:
- Confirm whether their data is being processed (i.e., notice) and access such data;
- Correct inaccuracies in the personal data;
- Request that the data controller delete the consumer’s personal data;
- Obtain a copy of the personal data (or a representative summary of it); and
- Opt out of processing for the purpose of targeted advertising, the sale of the data or profiling that produces legal or significant effects on the consumer.
While the establishment of data subject rights is a common feature of data protection legislation, the rights conferred by the Consumer Data Protection Act are limited in some key respects. For example, the Consumer Data Protection Act gives controllers the option to provide a representative summary of a consumer’s personal data in lieu of the data itself, a feature that may reduce the organizational burdens of responding to such requests. As with other existing privacy laws, the Consumer Data Protection Act requires controllers to post a privacy notice, setting out in clear terms what data is processed, and for what purposes, and explaining how consumers can exercise their statutory rights.
Controller obligations: The new law also creates transparency obligations on data controllers. For example, the collection of data should be limited to that which is reasonably necessary for the purpose for which it is processed and controllers must obtain a customer’s consent to process their sensitive data. Controllers must also establish, implement and maintain reasonable security measures.
Controller-processor contracts: The Consumer Data Protection Act will also require data controllers to ensure that certain contractual measures are in place in their agreements with data processors. For example, such contracts will need to include provisions ensuring the confidentiality of personal data shared with the processor and empowering the controller to request the deletion or return of personal data.
Data Protection Impact Assessment: Under the Consumer Data Protection Act, data controllers will be required to prepare a Data Protection Impact Assessment in regards to certain activities, including targeted advertising, the sale of personal data, the use of data for profiling that creates a risk of certain harms (e.g., unfair or deceptive treatment), the processing of sensitive data or other processing activities that could pose a risk of harm to consumers. In recognition of the fact that controllers already may bear the obligation of producing overlapping impact assessments pursuant to other privacy laws, the Consumer Data Protection Act specifically states that an impact assessment prepared for the purpose of complying with other laws may suffice, so long as the assessment is comparable in scope.
Enforcement and penalties: Under the Consumer Data Protection Act, Indiana’s attorney general will be empowered to investigate potential violations of the law’s provisions and to seek injunctions and monetary penalties up to USD 7,500 per violation against offenders. In common with the VCDPA, the Consumer Data Protection Act contains a cure period, under which the attorney general must provide notice of suspected violations and give the alleged offender 30 days to remedy violations before proceeding to enforcement. The Indiana’s law does not allow for private enforcement of its provisions and the attorney general would have no rulemaking authority under the Consumer Data Protection Act.
Because the Consumer Data Protection Act is expressly modeled on recent consumer privacy laws, businesses may be relieved that it doesn’t introduce onerous new obligations and those who have already taken steps to comply with the CCPA and VCDPA should be well-positioned to meet the requirements of the new law. Nonetheless, businesses that process the data of Indiana consumers should note that Indiana’s attorney general is among the most active in the area of privacy enforcement.
Although the new law will only come into effect on January 1, 2026, business would be well advised to begin to take actions to prepare for the new law. As a first step, organizations may conduct data mapping to confirm their compliance requirements under the Consumer Data Protection Act as they apply to them. They may also look to determine whether their existing data protection programs address the new law’s requirements, identify any key gaps, and engage with counsel and their business units to review vendor contracts, website and data subject request response processes in light of the new law.