Key Points:

• Indiana Consumer Data Protection Act will be in effect on January 1, 2026
• Outlines 15 protections for Indiana consumers
• Does not provide Indiana consumers with a private right of action
• Nonprofits, utility companies, banks, entities covered by HIPAA and Gramm-Leach Bliley Act, higher education institutions, and state political subdivisions or entities are exempted from this Act

 

In 2023, the Indiana General Assembly passed the Indiana Consumer Data Protection Act (“ICDPA” or “Act”) unanimously. The ICDPA goes into effect January 1, 2026. The purpose of the ICDPA is to provide protection to Indiana citizens when they visit websites. It applies to a person that conducts business in Indiana or produces products targeting Indiana residents and during a calendar year either: 1) controls or processes personal data of at least 100,000 Indiana residents; or 2) controls or processes personal data of at least 25,000 Indiana residents and derives over fifty percent (50%) of gross revenue from the sale of any personal data. Individuals acting in an employment or commercial context are excluded, i.e. business to business activities. Nonprofits, utility companies, banks, entities covered by HIPAA and Gramm-Leach Bliley Act, higher education institutions, and state political subdivisions or entities are exempted from the ICDPA.

The ICDPA outlines fifteen protections for Indiana consumers. These protections include rights to delete personal data held by companies, opt out of targeted advertising and data sales, and request a copy of their information in a portable format (The Act in its entirety can be found here: https://iga.in.gov/pdf-documents/123/2023/senate/bills/SB0005/SB0005.05.ENRH.pdf). Under the ICDPA, personal information of consumers cannot be processed without explicit consent from the consumer. Personal information is defined as information pertaining to a consumer’s health, biometric, immigration, religious, precise location data, ethnicity, sexual orientation, citizenship, and all children’s data. De-identified data, pseudonymous data, and publicly available data is excluded from the definition of personal data. De-identified data is data that cannot be reasonably linked to an identified or identifiable individual and requires companies to publicly commit not to re-identify de-identified data. Pseudonymous data is data that cannot be attributed to a specific individual because additional information that would allow such data to be attributable to an individual is kept separately and is subject to appropriate technical and organizational safeguards.

The ICDPA requires individuals or companies that fall under the purview of the Act to place a clearly marked privacy notice or data-rights link in a prominent spot on their website. If a consumer requests to exercise a right, companies have 45 days from the date of the request to comply. The company can extend the response period by an additional 45 days when it is reasonably necessary and taking in consideration the number of consumer requests it has received within the initial 45 days. If it extends the response period, the company must provide notice and an explanation to the consumer. If the company denies a consumer’s request, it must explain to the consumer why and provide the consumer instructions for an appeal. Within 60 days of receipt of an appeal request from a consumer, the company must inform the consumer of any action taken or not taken regarding the appeal. If the company denies the appeal, it must provide the consumer with an online mechanism or other method through which the consumer may contact the Indiana Attorney General to submit a complaint.

Fortunately, the ICDPA does not provide consumers with a private right of action and is not enforced by a dedicated privacy agency. The ICDPA is enforced by the Indiana Attorney General. The Attorney General will provide a company with a 30 day written notice that identifies specific provisions alleged to be violated. The company must then cure such violations within a 30 day period. If it does not, the Attorney General may initiate action against the violating company and recover up to $7,500 in civil penalties per violation.

In closing, we encourage you to review if the ICDPA applies to you or your business and its requirements. As you review, and if you should have any questions or concerns regarding the ICDPA and its possible effect on you or your company, please contact any of our Business Service attorneys.