Indiana Privacy Law Passes

Indiana is the seventh state to pass its own privacy law, and the second to do so in early 2023, following Iowa. Both the Indiana House and the Senate passed Senate Bill 5 unanimously.

The Indiana privacy law most closely resembles the law enacted in Virginia. Because of its similarity to existing state laws, the Indiana law should pose fewer new compliance burdens on organizations already complying with other laws. The law goes into effect in January 2026, giving businesses that handle the personal data of Indiana consumers time to comply with the regulations.

The Indiana law applies to for-profit businesses that control or process personal data on at least 100,000 Indianans or that derive more than 50% of their gross revenue from selling the data of 25,000 or more Indiana consumers. Senate Bill 5 only applies to consumers. Data from employees and job applicants is excluded, as well as data used in a commercial or business to business contexts.

Here’s a breakdown of the law.

Consumer Rights

The Indiana privacy law gives consumers the following rights:

Right to Know

Consumers can request confirmation of whether a business is processing their personal data, the type of data being processed, and how it’s being processed.

Right to Access

Consumers can request to view their personal data. Businesses have the option to provide copies of raw data or a representative summary of the data collection. Consumers can make this request once a year.

Right to Correct/Delete

Consumers can request that inaccurate data be corrected. They can request data obtained by a business be deleted.

Opt-out

Consumers can opt out of the processing of their data for targeting advertising, the sale of their data, or profiling.

Businesses have 45 days to respond to consumer requests.

Business Requirements

The Indiana law contains many of the business requirements that have become standard in state privacy laws, including:

• Detailed privacy notices
• Service provider agreements
• The obligation to only process data if necessary
• Reasonable data security
• Establish a consumer appeals process
• Non-retaliation

Businesses that are covered by the law are required to conduct a data protection impact assessment (DPIA) for the following data processing activities:

• The processing of personal data for purposes of targeted advertising
• The sale of personal data
• The processing of personal data for purposes of profiling
• The processing of sensitive data
• Any processing activities involving personal data that present a heightened risk of harm to consumers

Enforcement

There is no private right of action in the Indiana privacy law, all enforcement will come from the Attorney General. There is a 30-day right to cure that does not sunset. Fines will be up to $7500 per violation.

CompliancePoint has a team of experienced privacy professionals that can help your organization establish and maintain compliance with all state privacy laws, including the CCPA, and GDPR. Reach out to us at connect@compliancepoint.com to learn more.