United States:
What's In The Indiana Consumer Data Protection Act?
03 May 2023
Kelley Drye & Warren LLP
To print this article, all you need is to be registered or login on Mondaq.com.
Indiana's Consumer Data Protection Act advanced in the
state legislature last week and now heads to Governor Eric J. Holcomb's
desk. The bill mirrors comprehensive privacy legislation
enacted in Virginia, Utah, and Iowa, further extending the reach of
privacy protections in the United States but without the complex
mandates found in laws in California, Colorado, and Connecticut.
Following on the heels of Iowa's Act Relating to Consumer Data Protection,
Indiana's law is expected to be the second state privacy law
enacted this year, and the seventh comprehensive state privacy law
overall.
The following are highlights of the pending Indiana bill:
- Effective Date. If codified, the Indiana law
would take effect January 1, 2026.
- Applicability. Indiana's privacy law
applies to companies that do business in Indiana and meet certain
thresholds, such as processing personal data of more than 100,000
Indiana consumers, or processing personal data of 25,000 Indiana
consumers while also deriving a significant percentage of income
from the "sale" of personal data - 50 percent. The law
does not apply to government entities (including third parties
while doing business with those entities), nonprofits, public
utilities, or institutions of higher education. The law also does
not apply to Covered Entities or Business Associates subject to
HIPAA or Financial Institutions or data subject to the
Gramm-Leach-Bliley Act. Certain activities of consumer reporting
agencies and furnishers (and users) of consumer reports, where
regulated by the Fair Credit Reporting Act, are exempt.
- Employee and B2B Exceptions. The Indiana law
does not apply to personal data of employees or individuals acting
in a commercial context.
- Opt-Out of Sale and Targeted Advertising. The
Indiana law provides a right to opt-out of the sale of personal
data, defined as "the exchange of personal data for monetary
consideration by a controller to a third party." The law also
creates a right to opt-out of targeted advertising, defined as
"displaying of an advertisement to a consumer in which the
advertisement is selected based on personal data obtained from that
consumer's activities over time and across nonaffiliated
websites or online applications to predict the consumer's
preferences or interests." These definitions mirror the
Virginia law now in effect.
- Consent to Process Sensitive Data. The Indiana
law requires consent to process sensitive data, similar to the
Virginia, Colorado, and Connecticut laws. Sensitive data is defined
to include personal data revealing racial or ethnic origin,
religious beliefs, mental or physical health diagnosis made by a
health care provider, sexual orientation, citizenship and
immigration status; genetic and biometric data that identifies an
individual; precise geolocation data; and personal data collected
from a known child. A unique element of this definition is that
sensitive data only includes health information to the extent a
diagnosis has been made by a health care provider.
- Consumer Rights. The Indiana law includes the
now common rights found in other state privacy laws, such as to:
access personal data in a portable format, delete personal data,
and correct inaccurate personal data.
- Contract Terms. The Indiana law requires a
contract between controllers and processors to include specific
contractual provisions relating to the processor's handling of
personal data and the controller's audit rights. These contract
terms mirror requirements in the Virginia and Colorado laws.
- Enforcement and Regulation. The Indiana law
provides for a 30 day right to cure violations. If a business fails
to cure a violation, the Attorney General may initiate an action
for injunctive relief and civil penalties of up to $7,500 per
violation. There is no private right of action in the law.
The following chart summarizes and compares requirements of
current U.S. state privacy laws (subject to exceptions stated in
each law):
- California (CA) - California Privacy Rights
Act (Effective Jan. 1, 2023)
- Virginia (VA) - Virginia Consumer Data
Protection Act (Effective Jan. 1, 2023)
- Colorado (CO) - Colorado Privacy Act
(Effective July 1, 2023)
- Connecticut (CT) - Connecticut Act Concerning
Personal Data Privacy (Effective July 1, 2023)
- Utah (UT) - Utah Consumer Privacy Act
(Effective Dec. 31, 2023)
- Iowa (IA) - Act Relating to Consumer Data
Protection (Effective Jan. 1, 2025)
- Indiana (IN) - Indiana Consumer Data
Protection Act (Effective Jan. 1, 2026)
Thresholds to Applicability
CA |
CO |
VA |
UT |
CT |
IA |
IN |
Conducts business in CA, Determines the
purposes and means of processing personal info. of CA residents,
and Meets one of the following thresholds: >$25 million in
annual revenue in the preceding year, Buys/sells personal info. of
> 100K consumers or households, or Earns > 50% of annual
revenue from selling or sharing personal info. |
Conducts business in CO or targets
products or services to CO residents, and Meets either of these
thresholds: Processes personal data of > 100K consumers in a
year; or Earns revenue or receives a discount from selling personal
data and processes personal data of >25K consumers. |
Conducts business in VA or targets
products or services to VA residents; and Meets either of these
thresholds: Processes personal data of > 100K consumers; or
Processes personal data of >25K consumers and derives >50% of
gross revenue from the sale of personal data. |
Conducts business in Utah or target
products or services to Utah residents, Have more than $25 million
in annual revenue, and Either: During a calendar year processes
personal data of >100K consumers, or Processes personal data of
> 25K consumers and derive > 50% of revenue from the sale of
personal data. |
Produces products or services that are
targeted to CT residents, and In the preceding year: Processes
personal data of >100K consumers (excluding payment transaction
data), or Processes personal data of > 25K consumers and derive
> 25% of revenue from the sale of personal data. |
Conducts business in IA or targets
products or services to IA residents, and During a calendar year:
Processes personal data of >100K consumers, or Processes
personal data of >25K consumers and derives >50% of revenue
from the sale of personal data. |
Conducts business in IN or targets
products or services to IN residents, and During a calendar year:
Processes personal data of >100K consumers; or Processes
personal data of >25K consumers and derives >50% of revenue
from the sale of personal data. |
Sales
CA |
CO |
VA |
UT |
CT |
IA |
IN |
Right to opt-out of the sale of personal information. Opt-in
consent required to "sell" personal information of minors
under age 16. |
Right to opt-out of the sale of personal data. |
Right to opt-out of the sale of personal data. The definition
of a "sale" requires monetary consideration. |
Right to opt-out of the sale of personal data. The definition
of a "sale" requires monetary consideration. |
Right to opt-out of the sale of personal data. Opt-in consent
required to "sell" personal data of minors 13 to 16. |
Right to opt-out of the sale of personal data. The definition
of a "sale" requires monetary consideration. |
Right to opt-out of the sale of personal data. The definition
of a "sale" requires monetary consideration. |
Targeted Advertising
CA |
CO |
VA |
UT |
CT |
IA |
IN |
Right to opt-out of the "sharing" of personal
information for purposes of cross-context behavioral advertising.
Opt-in consent required to "share" personal information
of minors under age 16. |
Right to opt-out of targeted advertising. |
Right to opt-out of targeted advertising. |
Right to opt-out of targeted advertising. |
Right to opt-out of targeted advertising. Opt-in consent
required for processing personal data of minors 13 to 16 for
targeted advertising. |
Although there is no explicit right to opt-out of targeted
advertising, a controller must still disclose how a consumer can
opt out of targeted advertising. |
Right to opt-out of targeted advertising. |
Global Privacy Controls
CA |
CO |
VA |
UT |
CT |
IA |
IN |
Yes (optional subject to regulatory
process) |
Yes, required by July 1, 2024. |
No |
No |
Yes, required by Jan. 1, 2025. |
No |
No |
Sensitive Data
CA |
CO |
VA |
UT |
CT |
IA |
IN |
Right to limit the use and disclosure of sensitive personal
information. |
Consent to process sensitive data. |
Consent to process sensitive data. |
Provide notice and an opportunity to opt out of processing of
sensitive data. |
Consent to process sensitive data. |
Provide notice and opportunity to opt out of processing of
sensitive data. |
Consent to process sensitive data. |
Profiling
CA |
CO |
VA |
UT |
CT |
IA |
IN |
Pending regulations |
Right to opt-out of profiling in furtherance of decisions that
produce legal or similarly significant effects concerning a
consumer. |
Right to opt-out of profiling in furtherance of decisions that
produce legal or similarly significant effects concerning the
consumer. |
N/A |
Right to opt-out of profiling in furtherance of solely
automated decisions that produce legal or similarly significant
effects concerning the consumer. |
N/A |
Right to opt-out of profiling in furtherance of decisions that
produce legal or similarly significant effects concerning the
consumer. |
Minor & Children's Data
CA |
CO |
VA |
UT |
CT |
IA |
IN |
Opt-in consent required to "sell" or
"share" personal information of minors under age 16. |
COPPA exception; obtain parental consent to process personal
data concerning a known child. |
Process sensitive data of a known child in accordance with
COPPA. |
Process personal data of a known child in accordance with
COPPA. |
Process sensitive data of a known child in accordance with
COPPA. Consent to sell personal data of minors 13 to 16 or process
their personal data for targeted advertising. |
Process sensitive data concerning a known child in accordance
with COPPA. |
Process sensitive data of a known child in accordance with
COPPA. |
Consumer Rights
CA |
CO |
VA |
UT |
CT |
IA |
IN |
Access, Deletion, Correction, Portability |
Access, Portability, Deletion, Correction |
Access, Portability, Deletion, Correction |
Access, Portability, Deletion |
Access, Deletion, Correction, Portability |
Access, Portability, Deletion |
Access, Deletion, Correction, Portability |
Authorized Agent
CA |
CO |
VA |
UT |
CT |
IA |
IN |
Permitted for all consumer rights requests |
Permitted for opt-out requests |
N/A |
N/A |
Permitted for opt-out requests |
N/A |
N/A |
Appeals
CA |
CO |
VA |
UT |
CT |
IA |
IN |
N/A |
Must create process for consumers to appeal refusal to act on
consumer rights |
Must create process for consumers to appeal refusal to act on
consumer rights |
N/A |
Must create process for consumers to appeal refusal to act on
consumer rights |
Must create process for consumers to appeal refusal to act on
consumer rights |
Must create process for consumers to appeal refusal to act on
consumer rights |
Private Right of Action
CA |
CO |
VA |
UT |
CT |
IA |
IN |
Yes, for security breaches involving certain types of sensitive
personal information |
No |
No |
No |
No |
No |
No |
Cure Period
CA |
CO |
VA |
UT |
CT |
IA |
IN |
30-day cure period is repealed as of Jan. 1, 2023. |
60 days until provision expires on Jan. 1, 2025. |
30 days |
30 days |
60 days until provision expires on Dec. 31, 2024. Starting Jan.
1, 2025, AG may grant the opportunity to cure. |
90 days |
30 days |
Data Protection Assessments
CA |
CO |
VA |
UT |
CT |
IA |
IN |
Annual cybersecurity audit and risk assessment requirements to
be determined through regulations. |
Required for targeted advertising, sale, sensitive data,
certain profiling. |
Required for targeted advertising, sale, sensitive data,
certain profiling. |
N/A |
Required for targeting advertising, sale, sensitive data,
certain profiling. |
N/A |
Required for targeted advertising, sale, sensitive data,
certain profiling, and activities that present a heighted risk of
harm to consumers. |
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
POPULAR ARTICLES ON: Privacy from United States
State Data Breach Notification Laws
Foley & Lardner
While most state data breach notification statutes contain similar components, there are important differences, meaning a one-size-fits-all approach to notification will not suffice.