Indiana Passes Comprehensive Data Privacy Law
Indiana joined the growing ranks of states that have passed comprehensive data privacy laws and became the seventh state to pass a comprehensive data privacy upon signing by the governor on May 1. Indiana’s law follows the blueprint of Colorado, Connecticut, Utah, Virginia, and Iowa in broadly defining personal data and providing thresholds for businesses that are subject to the law. Additionally, the law provides Indiana residents specific rights with respect to their data.
Scope of the Act
The Act applies to all person that conduct business in Indiana or produce products or services that are targeted to residents of Indiana and that in any calendar year do one of the following:
- Control or process personal data of at least 100,00 consumers, or
- Control or process personal data of least twenty-five thousand consumers and derive over 50% gross revenue from the sale of personal data.
Notably, the Act excludes certain entities from being subject to the law including, political subdivisions, financial institutions subject to GLBA, covered entities and business associates governed by HIPAA, non-profit institutions, and institutions of higher education. Further, the definition of consumers includes Indiana residents acting in a personal or household capacity and specifically excluding consumers that are acting in a commercial or employment context.
The Act provides consumers key rights with respect to their personal data, including:
- The right to confirm whether a controller is processing the consumer’s personal data and to access such personal data.
- The right to delete personal data provided by the consumer.
- The right to obtain a copy or a representative summary of the consumer’s personal data.
- The right to data portability by providing the consumer their data in a readily usable format that allows the consumer to transfer their data to another controller.
- The right to opt out of the sale of personal data, use of personal data for targeted advertising, and profiling for legal decision making.
Controllers have a number of obligations under the law, including among other requirements:
- Implementing and maintaining reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
- Abstaining from processing sensitive personal information without the consumer’s consent.
- Providing a privacy notice to consumers that details the processing of consumers’ personal data.
- Limiting collection of personal information to that which is adequate, relevant, and reasonably necessary to the purpose for the processing of the personal information.
In addition to the entity level exemptions noted under the Scope of the Law section above, the law exempts certain data as being subject to the law, including protected health information under HIPAA, personal data used or shared in compliant research projects, creditworthiness data protected by the FCRA, personal data protected by the Driver’s Privacy Protection Act, student data protected by the FERPA, among other data types.
The Indiana Attorney General has exclusive authority to enforce the Act, where controllers and processors are provided with a 30 day grace period to cure any improper activity. If a cure is not successful the Attorney General may seek injunctive relief and up to $7500 per violation of the law.
Iowa’s law takes effect on January 1, 2026.