The Indiana Consumer Data Protection Act
Indiana has become the seventh US state to enact a comprehensive data privacy law with the signing of Senate Bill 5, also known as the Indiana Consumer Data Protection Act (INCDPA) on May 1, 2023.
Evolution
For those of us who have been following the Indiana data privacy saga for a while, ending up with a "Virginia model" was a bit surprising. The Indiana Consumer Data Protection Act was initially inspired by the EU General Data Protection Regulation and the California Privacy Protection Act, but through collaborative efforts by the state's legislators and businesses it has morphed to resemble Virginia's law, which requires much less compliance from businesses and affords much less protection to consumers.
Application
This law applies to companies that operate in Indiana or target Indiana residents and that either control or process the personal data of at least 100,000 residents, or control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. The law is similar to those of Virginia, Utah, and Iowa, and unlike California's CCPA and CCRA, it will not apply to many small and medium-sized businesses.
The INCDPA distinguishes between a "controller" that determines the purpose and means of processing personal data and a "processor" that processes personal data on behalf of a controller. Contracts between controllers and processors must stipulate confidentiality, deletion or return of personal data at the end of the agreement, compliance demonstration, cooperation with data protection impact assessments, and the use of subcontractors subject to the same privacy requirements.
Exemptions
The INCDPA has the same exemptions as the other states' laws, including financial institutions, entities governed by HIPAA, non-profit organizations, institutions of higher education, state agencies, information under the purview of several federal acts such as COPPA, FCRA, and FERPA, and data related to applicants and employees that is used within their roles.
Privacy Notices
Controllers must provide clear and meaningful privacy notices to consumers detailing the categories of personal data processed, the purposes of processing, how consumers can exercise their rights, the categories of personal data shared with third parties, and the categories of third parties with whom data is shared. Controllers must also obtain clear consent before processing "sensitive data," which includes information revealing racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship and immigration status, genetic and biometric data, precise geolocation data, and personal data collected from a known child.
Consumer Rights and Data Protection Impact Assessments
The INCDPA gives consumers the right to access, correct, delete, and obtain a copy of their personal data, and the right to opt out of the "sale" of their personal data, targeted advertising, and profiling. It requires controllers to complete annual data protection impact assessments (DPIAs) for specific processing activities.
Unique to Indiana, when an Indiana resident requests to see their data, a covered company may provide either that data or a "representative summary" of it. Also unique to Indiana, the data a company must provide is only the data that the company collected or purchased. As we know, a company can come into possession of consumer data in other ways. This could likely be fixed by a definition change in the statute, but it is worth clarifying to avoid a legal fight.
Remedies
Among its exceptions and limitations, the law does not provide a private right of action for violations. Violations of the INCDPA can lead to an injunction, civil penalties not exceeding $7,500 per violation, and attorneys' fees. The Indiana attorney general has exclusive enforcement authority, including the ability to issue a civil investigative demand to investigate suspected violations. Companies are given a 30-day cure period to remedy any alleged violation.
Future Outlook
With the enactment of the INCDPA, other states such as Montana and Tennessee are expected to follow suit with their own comprehensive privacy laws. Businesses are advised to keep abreast of proposed state legislation and prepare for compliance with new state privacy laws.