With the end of several state legislative sessions on the horizon, it is perhaps unsurprising that we are seeing an uptick in state legislatures passing consumer (or health) data privacy laws. You can now count Indiana among the ranks of states passing such laws. The Indiana Consumer Data Protection Act (ICDPA) has passed both houses of the Indiana legislature and heads to Governor Eric Holcomb, who is expected to sign the bill. The ICDPA closely tracks the laws in Connecticut and Virginia, which is good news for many companies already subject to those laws. Another bit of good news is that the ICDPA will not go into effect until January 1, 2026, giving companies time to achieve compliance.
Below we provide an overview of some of the key aspects of Indiana’s new consumer privacy law.
What Businesses Are Subject to the ICDPA?
Unlike California and Utah’s consumer privacy laws, the ICDPA does not include a revenue threshold. To be subject to the ICDPA, a business must either do business in Indiana or target products or services to Indiana consumers, and must do one of the following:
- Control or process personal data of 100,000 or more Indiana consumers; or
- Control or process personal data of 25,000 or more Indiana consumers and derive more than 50% of gross revenue from the sale of that data.
Who Is a “Consumer”?
In the ICDPA, a “consumer” is a natural person who is a resident of Indiana acting in a personal context. This means that employees and business-to-business contacts are expressly excluded from the definition of “consumer.”
What Is “Personal Data”?
“Personal data” in the ICDPA is “information that is linked or reasonably linkable to an identified or identifiable individual.” It excludes de-identified data, aggregate data and publicly available data. The limitations for de-identified data and publicly available data closely track those of Virginia (e.g., de-identification requires a public commitment to keep data de-identified, and public data includes both data from government files and data that is generally available through mass media sources).
Although not expressly excluded from the definition of “personal data”, just as in Virginia, companies do not need to include pseudonymous data (under certain circumstances) when responding to consumer requests under the ICDPA.
Who Can Enforce?
The Indiana Attorney General has exclusive enforcement authority, and an express provision disclaims any private right of action. Before initiating any enforcement proceeding, the attorney general must give 30 days’ written notice and an opportunity to cure to the controller. If an enforcement action follows, violations of the ICDPA are subject to fines of up to $7,500 per violation.
Who Is Exempt?
The ICDPA’s exemptions closely mimic those of other state privacy laws. For example, personal information covered by laws such as the Health Insurance Portability and Accountability Act, the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act, the Family Educational Rights and Privacy Act and a litany of other federal laws is exempt.
In addition, the ICDPA does not apply to government entities, nonprofit organizations or higher education institutions.
The ICDPA also exempts the use of personal data for certain specific purposes, such as compliance with law, preventing fraud or injury to others, and defending legal claims (just as in Virginia).
What Obligations Are Imposed?
The ICDPA imposes what have become “standard” obligations on data controllers under state consumer privacy laws. Specifically, controllers must:
- Limit the purpose of processing personal data to that which is reasonably necessary and proportional;
- Take steps to implement reasonable safeguards for the personal data within their control;
- Refrain from discriminating against consumers for exercising their rights and from processing personal data in violation of federal laws that prohibit discrimination;
- Be transparent in their reasonably accessible, clear and meaningful privacy notice; and
- Ensure that contracts control relationships with their processors (note: the law itself details the minimum necessary provisions of these contracts).
What Consumer Rights Are Created by the ICDPA?
Controllers must provide a limited but standard set of consumer rights to Indiana consumers:
- Opt-out rights related to the sale of personal data, targeted marketing and profiling (automated decision making that could have significant legal effects, such as those related to housing, drinking water, credit, etc.);
- Deletion rights (with respect to the data provided by or about the consumer);
- Access rights, including a right to confirm whether a controller is processing any data at all;
- Correction rights, but limited to data the consumer previously provided;
- Appeal rights; and
- Data portability rights, but limited to data the consumer previously provided (controllers are given the option to respond to a data portability request with a “representative summary” of the personal data held rather than the data itself).
Sensitive Personal Information
Under the ICDPA, “sensitive data” is considered personal data that includes information such as racial/ethnic origin, religious beliefs, mental or physical health diagnoses made by a healthcare provider, sexual orientation, citizenship or immigration status, genetic or biometric information used to uniquely identify an individual, personal data collected from a known child (under the age of 13) and precise geolocation (location within a radius of 1,750 feet). Under the ICDPA, controllers may not process (including collection) sensitive data without obtaining the consumer’s consent or, in the case of a child, complying with COPPA.
Response to Consumer Inquiries
As has become relatively standard in state consumer privacy laws, controllers must respond to a consumer personal data request within 45 days of receipt of the request, with a 45-day extension available. If a consumer appeals a controller’s decision to deny the consumer’s request, the appeal response must be delivered within 60 days. As in Virginia, if the appeal is denied, controllers must provide the consumer with a method for contacting the attorney general.
Data Protection Impact Assessments
As under the laws on which the ICDPA is modeled, controllers must document impact assessments before they engage in various processing activities, including the following:
- Processing for targeted marketing;
- Sale of personal data;
- Processing of personal data for profiling if the profiling presents a reasonably foreseeable risk of legal, deceptive, discriminatory, financial, reputational or physical harms;
- Processing sensitive data; and
- A catch-all category of “any processing activities involving personal data that present a heightened risk of harm to consumers.”
As in Virginia, Colorado, Connecticut and elsewhere, these impact assessments must analyze the benefits of the processing to the company, consumer and public, while weighing the harms and potential mitigants. Thankfully, the ICDPA allows for the use of impact assessments done under other state laws to count towards the requirements of ICDPA and does not require retroactive impact assessments for processing activities occurring prior to the effective date of the law.
When Does the ICDPA Take Effect?
The ICDPA comes into effect on January 1, 2026.
Creating a successful, effective and comprehensive privacy program for your organization requires a thorough understanding of both the relevant legal obligations and the personal data subject to compliance. Setting up a program that is prepared to respond to various state privacy laws as they come into effect will save organizations time in the long run, especially as many of these laws reflect one another.
If you have questions or need assistance in readiness work for the new state consumer laws, please contact your regular McDermott lawyer or reach out to David P. Saunders or Jonathan Ende.