Indiana now joins California, Utah, Colorado, Connecticut, Virginia, and Iowa as states with their own consumer privacy laws (together, "US State Data Privacy Laws"). The new law (Senate Bill 5, the Indiana Consumer Data Protection Act, or INCDPA) was signed on May 1, 2023 and takes effect on January 1, 2026.
Key points:
1. Application scope: The law applies to persons that conduct business in Indiana or produce products or services targeted to Indiana residents and that, during a calendar year, either: control or process the personal data of at least 100,000 consumers; or control or process the personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.
2. Exemptions: The law exempts a variety of entities and types of data, including:
Financial institutions and data subject to the Gramm-Leach-Bliley Act (GLBA);
Covered entities and business associates governed by the Health Insurance Portability and Accountability Act (HIPAA);
Nonprofit organizations;
Institutions of higher education;
State agencies;
A controller or processor that complies with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (COPPA), which is deemed compliant with the act's own parental consent obligations (this is a deemed-compliance provision, not a full exemption);
Information governed by the Fair Credit Reporting Act (FCRA);
Personal data governed by the Family Educational Rights and Privacy Act (FERPA);
Information governed by the Driver's Privacy Protection Act;
Information governed by the Farm Credit Act; and
Information relating to applicants and employees "to the extent that the data is collected and used within the context of that role," including emergency contact information and benefits.
3. Sensitive data is enumerated: personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; personal data collected from a known child; and precise geolocation data. Health information is sensitive only to the extent a diagnosis has been made by a healthcare provider, so general wellness or fitness data that carries no diagnosis falls outside this category.
4. Consent is defined as "a clear affirmative act that signifies a consumer's freely given, specific, informed, and unambiguous agreement" to process their personal data.
5. The general model is opt-out: consumers must be given a way to opt out of targeted advertising, the sale of personal data, and profiling. Processing sensitive data is the exception and requires the consumer's affirmative (opt-in) consent as defined above.
6. Consumer (data subject) rights: right to access (to confirm whether a controller is processing the consumer's personal data and to access it); right to correction; right to deletion; right to obtain a copy or a representative summary of the data; and right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. There is no private right of action for consumers for violations of the INCDPA under this or "any other law"; enforcement rests with the Indiana Attorney General.
7. The privacy notice has to be "reasonably accessible, clear, and meaningful". It must include: a) the categories of personal data processed; b) the purposes of processing; c) the mechanism by which consumers may exercise their rights (including how to appeal a controller's decision on a request); d) the categories of personal data shared with third parties; and e) the categories of third parties with which personal data is shared.
8. Consumer (data subject) requests must be answered within 45 days. The controller may extend this once by an additional 45 days when "reasonably necessary", depending on the complexity and volume of the consumer's requests, but the extension must be communicated to the consumer within the initial 45-day period.
9. Obligations for controllers:
Adopt and implement reasonable administrative, technical, and physical data security practices.
Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to disclosed purposes for which such data is processed.
Process consumers' sensitive data only after obtaining the consumer's consent. Sensitive data includes genetic or biometric data, personal data collected from a known child, precise geolocation data, and personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
Process consumer data in a non-discriminatory manner, and refrain from discriminating against consumers who exercise the rights granted by the statute.
Provide a clear privacy policy that includes the categories of personal data processed, the purpose for processing personal data, the categories of data shared with third parties, the types of third parties, the consumer's rights, and the manner in which consumers may exercise their rights, including an appeal.
Clearly disclose if the controller sells consumers' personal data to third parties or engages in targeted advertising, and provide consumers an opportunity to opt out.
Establish a process for consumers to appeal the refusal to take action on requests to exercise their rights.
Conduct a data protection impact assessment on the processing of personal data for targeted advertising, the sale of personal data, profiling, sensitive data, and any processing activities that involve personal data that present a heightened risk of harm to consumers.
When in possession of de-identified data, take reasonable measures to ensure that the data cannot be associated with an individual, publicly commit to maintaining and using the data only in de-identified form, and contractually obligate any recipients of the data to comply with the same requirements of the Indiana Data Privacy Law.
10. Obligations for processors: Processors must assist the controller in meeting its obligations under the act, including those regarding consumer rights requests, security of processing, and breach notification. The Indiana Data Privacy Law also requires that all processing be governed by a contract between the controller and the processor that sets out the relevant consumer privacy provisions (processing instructions, nature and purpose of processing, type of data, duration, and the duties of confidentiality, deletion or return of data, and flow-down of obligations to subcontractors).