Privacy at the Crossroads of America: Indiana Becomes the Seventh State to Pass a Comprehensive Privacy Law
Hot on the heels of Iowa’s passage of the nation’s sixth comprehensive state privacy law, the Indiana legislature passed what is likely to be America’s seventh such law, Senate Bill 5 (“SB 5”). As with Iowa’s law, SB 5 passed through both chambers of the Indiana legislature without dissent. It now sits with the state’s governor and, upon his expected signature, will become America’s seventh comprehensive state consumer privacy law.
SB 5 takes a “middle of the road” approach as compared to other state privacy laws. Not as consumer-friendly as Connecticut’s law, and not as business-friendly as the laws in Utah or Iowa, SB 5 most closely resembles the Virginia Consumer Data Protection Act. This post addresses some of the key takeaways from SB 5.
Application and scope are aligned with the majority of states.
SB 5 will apply to persons who conduct business in Indiana or produce products or services that are targeted to Indiana residents and who, during a calendar year, meet one of the following thresholds:
- Control or process the personal data of at least 100,000 Indiana consumers; or
- Control or process the personal data of at least 25,000 Indiana consumers and derive more than 50% of their gross revenue from the sale of personal data.
As with all states other than California, SB 5 excludes individuals “acting in a commercial or employment context” from its definition of a “consumer.” Instead, it applies only to residents of Indiana who are acting “only for a personal, family, or household purpose.”
Helpfully, SB 5 does not deviate from the typical definition of personal data as “information that is linked or reasonably linkable to an identified or identifiable individual.” In a move that aligns with the more business-friendly privacy laws adopted by Iowa and Utah, SB 5 explicitly excludes aggregate data from its definition of personal data.
SB 5 contains the broad, entity-level exceptions that have become familiar in other states’ comprehensive privacy laws, including exclusions for Indiana government entities, financial institutions and their affiliates subject to Title V of the Gramm-Leach-Bliley Act, covered entities or business associates governed by HIPAA, nonprofits, and institutions of higher education.
Consumer rights that mirror other states, with some notable exceptions relating to the rights to correct and opt-out.
SB 5 gives Indiana consumers the right to: (1) confirm whether or not a controller is processing their personal data and, in most cases, obtain access to that personal data, (2) correct inaccuracies in the personal data, (3) delete personal data the consumer provides to the controller or that the controller obtains about the consumer, and (4) opt out of the processing of their personal data.
Indiana’s right to correct, however, includes a unique limitation that allows consumers to correct only the personal data which the controller collected directly from the consumer.
Similarly, although SB 5 follows the approach taken by the majority of states and grants consumers the right to opt out of the processing of their personal data for purposes of “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer,” this right would be markedly more limited in Indiana. Specifically, the right to opt out of profiling applies only to profiling that takes place through automated means, because SB 5’s definition of profiling applies only to “automated processing.”
Notably, Indiana also declined to follow Iowa’s lead and extend the time for controllers to respond to consumer requests to exercise their rights. Instead, SB 5 follows the remainder of states with comprehensive privacy laws by allowing controllers a maximum of 45 days to fulfill a consumer rights request, with a single 45-day extension available to the controller “when reasonably necessary.”
SB 5 does, however, offer some relief for controllers by limiting their obligation to fulfill consumer requests without charge to just one time per year, per consumer.
Unique ability for controllers to exercise discretion to respond to consumer requests to obtain a copy of personal data.
In addition to the consumer rights listed above, SB 5 grants consumers the right to obtain either a copy or representative summary of the consumer’s personal data that the consumer previously provided to the controller. Unique among other state privacy laws, however, SB 5 gives the controller discretion as to whether to provide an actual copy of the personal data or a representative summary.
Time will tell whether this provision is as pro-business as it seems, as SB 5 does not define “representative summary,” and that ambiguity could create risk for controllers who decide to follow that path in lieu of providing an actual copy of the consumer’s personal data.
Affirmative consent required to process sensitive data.
Unlike the laws in Utah and Iowa, which only require an opt-out for processing of sensitive data, SB 5 follows the more consumer-oriented approach of requiring controllers to obtain affirmative consent before processing sensitive data. SB 5 defines “sensitive data” to include personal data that reveals racial or ethnic origin, religious beliefs, health diagnoses made by a health care provider, sexual orientation, or citizenship or immigration status; genetic or biometric information processed for the purpose of uniquely identifying a specific individual; precise geolocation data; and any personal data collected from an individual the controller knows to be under 13 years of age. SB 5 additionally requires that the processing of sensitive data related to children under 13 be done in accordance with COPPA.
Contracting and consumer notice requirements similar to those imposed by Virginia, Colorado, Utah, Connecticut, and Iowa apply.
As we have seen with the laws in Virginia, Colorado, Utah, Connecticut, and now Iowa, SB 5 requires controllers to enter into contracts with processors that contain GDPR-style requirements and processing details. In contrast to Utah’s law, SB 5 specifically requires that contracts with processors contain terms obliging the processor to return or delete all personal data, provide information requested by controllers to demonstrate their compliance with SB 5, and allow and cooperate with assessments by the controller.
SB 5’s requirements regarding notices controllers must provide to consumers are similarly aligned to non-California comprehensive state privacy laws.
Data protection impact assessments required for certain activities.
SB 5 contains a requirement that controllers undertake and document a data protection impact assessment for certain activities, including processing for purposes of targeted advertising, selling personal data, processing activities that represent a heightened risk of harm to consumers (including processing for profiling purposes that present a heightened risk of harm), and processing sensitive data. Those requirements align most closely with Virginia’s data protection assessment requirements.
The Indiana Attorney General has enforcement authority, but must offer notice and an opportunity to cure.
Thankfully, SB 5 is very clear that it does not create a private right of action. Instead, Indiana’s Attorney General will have exclusive enforcement authority. That authority, however, is subject to a 30-day notice and cure period very similar to that of Virginia’s law. In the event that a violation is not cured following the 30-day notice and cure period, the Attorney General may obtain injunctive relief, a civil penalty of up to $7,500.00 per violation, and the Attorney General’s reasonable expenses in investigating and preparing the case, including attorney’s fees incurred to bring the enforcement action.
Implementing regulations are not expected.
If you’ve made it this far, you may be able to breathe a sigh of relief. SB 5 does not contain any mandate directing the Indiana Attorney General—or any other state entity for that matter—to prepare implementing regulations.
* * * *
With an effective date of January 1, 2026, the Indiana Consumer Data Protection Act may seem like a distant concern. However, its passage by the state legislature so soon after Iowa’s comprehensive consumer privacy law, coupled with the fact that Tennessee’s proposed consumer privacy law also looks likely to pass in the near future, suggests that the state consumer privacy law patchwork, and the challenges for businesses seeking to comply, will continue to grow.
If you would like to discuss your strategies for compliance with those privacy laws that are currently (or soon to be) in force, please reach out to any member of the Wyrick Robbins privacy team.