What’s in the Indiana Consumer Data Protection Act?
Indiana’s Consumer Data Protection Act advanced in the state legislature last week and now heads to Governor Eric J. Holcomb’s desk. The bill mirrors comprehensive privacy legislation enacted in Virginia, Utah, and Iowa, further extending the reach of privacy protections in the United States but without the complex mandates found in laws in California, Colorado, and Connecticut. Following on the heels of Iowa’s Act Relating to Consumer Data Protection, Indiana’s law is expected to be the second state privacy law enacted this year, and the seventh comprehensive state privacy law overall.
The following are highlights of the pending Indiana bill:
- Effective Date. If codified, the Indiana law would take effect January 1, 2026.
- Applicability. Indiana’s privacy law applies to companies that do business in Indiana and meet certain thresholds, such as processing personal data of more than 100,000 Indiana consumers, or processing personal data of 25,000 Indiana consumers while also deriving a significant percentage of income from the “sale” of personal data – 50 percent. The law does not apply to government entities (including third parties while doing business with those entities), nonprofits, public utilities, or institutions of higher education. The law also does not apply to Covered Entities or Business Associates subject to HIPAA or Financial Institutions or data subject to the Gramm-Leach-Bliley Act. Certain activities of consumer reporting agencies and furnishers (and users) of consumer reports, where regulated by the Fair Credit Reporting Act, are exempt.
- Employee and B2B Exceptions. The Indiana law does not apply to personal data of employees or individuals acting in a commercial context.
- Opt-Out of Sale and Targeted Advertising. The Indiana law provides a right to opt-out of the sale of personal data, defined as “the exchange of personal data for monetary consideration by a controller to a third party.” The law also creates a right to opt-out of targeted advertising, defined as “displaying of an advertisement to a consumer in which the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.” These definitions mirror the Virginia law now in effect.
- Consent to Process Sensitive Data. The Indiana law requires consent to process sensitive data, similar to the Virginia, Colorado, and Connecticut laws. Sensitive data is defined to include personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis made by a health care provider, sexual orientation, citizenship and immigration status; genetic and biometric data that identifies an individual; precise geolocation data; and personal data collected from a known child. A unique element of this definition is that sensitive data only includes health information to the extent a diagnosis has been made by a health care provider.
- Consumer Rights. The Indiana law includes the now common rights found in other state privacy laws, such as to: access personal data in a portable format, delete personal data, and correct inaccurate personal data.
- Contract Terms. The Indiana law requires a contract between controllers and processors to include specific contractual provisions relating to the processor’s handling of personal data and the controller’s audit rights. These contract terms mirror requirements in the Virginia and Colorado laws.
- Enforcement and Regulation. The Indiana law provides for a 30 day right to cure violations. If a business fails to cure a violation, the Attorney General may initiate an action for injunctive relief and civil penalties of up to $7,500 per violation. There is no private right of action in the law.
The following chart summarizes and compares requirements of current U.S. state privacy laws (subject to exceptions stated in each law):
- California (CA) – California Privacy Rights Act (Effective Jan. 1, 2023)
- Virginia (VA) – Virginia Consumer Data Protection Act (Effective Jan. 1, 2023)
- Colorado (CO) – Colorado Privacy Act (Effective July 1, 2023)
- Connecticut (CT) – Connecticut Act Concerning Personal Data Privacy (Effective July 1, 2023)
- Utah (UT) – Utah Consumer Privacy Act (Effective Dec. 31, 2023)
- Iowa (IA) – Act Relating to Consumer Data Protection (Effective Jan. 1, 2025)
- Indiana (IN) – Indiana Consumer Data Protection Act (Effective Jan. 1, 2026)
Thresholds to Applicability
| CA | CO | VA | UT | CT | IA | IN |
| Conducts business in CA, Determines the purposes and means of processing personal info. of CA residents, and Meets one of the following thresholds: >$25 million in annual revenue in the preceding year, Buys/sells personal info. of > 100K consumers or households, or Earns > 50% of annual revenue from selling or sharing personal info. | Conducts business in CO or targets products or services to CO residents, and Meets either of these thresholds: Processes personal data of > 100K consumers in a year; or Earns revenue or receives a discount from selling personal data and processes personal data of >25K consumers. | Conducts business in VA or targets products or services to VA residents; and Meets either of these thresholds: Processes personal data of > 100K consumers; or Processes personal data of >25K consumers and derives >50% of gross revenue from the sale of personal data. | Conducts business in Utah or target products or services to Utah residents, Have more than $25 million in annual revenue, and Either: During a calendar year processes personal data of >100K consumers, or Processes personal data of > 25K consumers and derive > 50% of revenue from the sale of personal data. | Produces products or services that are targeted to CT residents, and In the preceding year: Processes personal data of >100K consumers (excluding payment transaction data), or Processes personal data of > 25K consumers and derive > 25% of revenue from the sale of personal data. | Conducts business in IA or targets products or services to IA residents, and During a calendar year: Processes personal data of >100K consumers, or Processes personal data of >25K consumers and derives >50% of revenue from the sale of personal data. | Conducts business in IN or targets products or services to IN residents, and During a calendar year: Processes personal data of >100K consumers; or Processes personal data of >25K consumers and derives >50% of revenue from the sale of personal data. |
Sales
| CA | CO | VA | UT | CT | IA | IN |
| Right to opt-out of the sale of personal information. Opt-in consent required to “sell” personal information of minors under age 16. | Right to opt-out of the sale of personal data. | Right to opt-out of the sale of personal data. The definition of a “sale” requires monetary consideration. | Right to opt-out of the sale of personal data. The definition of a “sale” requires monetary consideration. | Right to opt-out of the sale of personal data. Opt-in consent required to “sell” personal data of minors 13 to 16. | Right to opt-out of the sale of personal data. The definition of a “sale” requires monetary consideration. | Right to opt-out of the sale of personal data. The definition of a “sale” requires monetary consideration. |
Targeted Advertising
| CA | CO | VA | UT | CT | IA | IN |
| Right to opt-out of the “sharing” of personal information for purposes of cross-context behavioral advertising. Opt-in consent required to “share” personal information of minors under age 16. | Right to opt-out of targeted advertising. | Right to opt-out of targeted advertising. | Right to opt-out of targeted advertising. | Right to opt-out of targeted advertising. Opt-in consent required for processing personal data of minors 13 to 16 for targeted advertising. | Although there is no explicit right to opt-out of targeted advertising, a controller must still disclose how a consumer can opt out of targeted advertising. | Right to opt-out of targeted advertising. |
Global Privacy Controls
| CA | CO | VA | UT | CT | IA | IN |
| Yes (optional subject to regulatory process) | Yes, required by July 1, 2024. | No | No | Yes, required by Jan. 1, 2025. | No | No |
Sensitive Data
| CA | CO | VA | UT | CT | IA | IN |
| Right to limit the use and disclosure of sensitive personal information. | Consent to process sensitive data. | Consent to process sensitive data. | Provide notice and an opportunity to opt out of processing of sensitive data. | Consent to process sensitive data. | Provide notice and opportunity to opt out of processing of sensitive data. | Consent to process sensitive data. |
Profiling
| CA | CO | VA | UT | CT | IA | IN |
| Pending regulations | Right to opt-out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. | Right to opt-out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. | N/A | Right to opt-out of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer. | N/A | Right to opt-out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. |
Minor & Children’s Data
| CA | CO | VA | UT | CT | IA | IN |
| Opt-in consent required to “sell” or “share” personal information of minors under age 16. | COPPA exception; obtain parental consent to process personal data concerning a known child. | Process sensitive data of a known child in accordance with COPPA. | Process personal data of a known child in accordance with COPPA. | Process sensitive data of a known child in accordance with COPPA. Consent to sell personal data of minors 13 to 16 or process their personal data for targeted advertising. | Process sensitive data concerning a known child in accordance with COPPA. | Process sensitive data of a known child in accordance with COPPA. |
Consumer Rights
| CA | CO | VA | UT | CT | IA | IN |
| Access, Deletion, Correction, Portability | Access, Portability, Deletion, Correction | Access, Portability, Deletion, Correction | Access, Portability, Deletion | Access, Deletion, Correction, Portability | Access, Portability, Deletion | Access, Deletion, Correction, Portability |
Authorized Agent
| CA | CO | VA | UT | CT | IA | IN |
| Permitted for all consumer rights requests | Permitted for opt-out requests | N/A | N/A | Permitted for opt-out requests | N/A | N/A |
Appeals
| CA | CO | VA | UT | CT | IA | IN |
| N/A | Must create process for consumers to appeal refusal to act on consumer rights | Must create process for consumers to appeal refusal to act on consumer rights | N/A | Must create process for consumers to appeal refusal to act on consumer rights | Must create process for consumers to appeal refusal to act on consumer rights | Must create process for consumers to appeal refusal to act on consumer rights |
Private Right of Action
| CA | CO | VA | UT | CT | IA | IN |
| Yes, for security breaches involving certain types of sensitive personal information | No | No | No | No | No | No |
Cure Period
| CA | CO | VA | UT | CT | IA | IN |
| 30-day cure period is repealed as of Jan. 1, 2023. | 60 days until provision expires on Jan. 1, 2025. | 30 days | 30 days | 60 days until provision expires on Dec. 31, 2024. Starting Jan. 1, 2025, AG may grant the opportunity to cure. | 90 days | 30 days |
Data Protection Assessments
| CA | CO | VA | UT | CT | IA | IN |
| Annual cybersecurity audit and risk assessment requirements to be determined through regulations. | Required for targeted advertising, sale, sensitive data, certain profiling. | Required for targeted advertising, sale, sensitive data, certain profiling. | N/A | Required for targeting advertising, sale, sensitive data, certain profiling. | N/A | Required for targeted advertising, sale, sensitive data, certain profiling, and activities that present a heighted risk of harm to consumers. |