Skip to main content

By: Juliana Cipolla

On May 1, 2023, Indiana became the seventh state to enact a comprehensive data privacy law. Indiana Governor Eric Holcomb signed Senate Bill 5, known as the Indiana Consumer Data Protection Act (“INCDPA”), following the footsteps of previous state privacy laws, going into effect January 1, 2026.

The law applies to entities that conduct business in the state or produce products or services targeted to Indiana residents that either control or process the personal data or either 100,000 consumers or 25,000 consumers while deriving 50% of their gross revenue from the sale of personal data.

However, data that is subject to the Gramm-Leach Bliley Act, Health Insurance Portability and Accountability Act, data covered by existing federal laws, and employment data and human subjects research data covered by federal law or other standards are exempted types of data under the INCDPA. Additionally, the law does not apply to government entities or the parties under contract with such entities acting on behalf of the entity and within the scope of the agreed upon contract. Other exempt entities include financial institutions, nonprofit organizations, higher education institutions or public utilities.

Under this act, the INCDPA distinguishes a “controller,” an entity that determines the purpose and means of processing personal data, from a “processor,” an entity that processes personal data on behalf of a controller. Processors must adhere to the controller’s instructions and must require: (1) confidentiality of personal data; (2) deletion or return of personal data at termination of the agreement; (3) demonstration of compliance with the INCDPA upon request; (4) cooperation with data protection impact assessments; and (5) use of subcontractors that are subject to the same privacy requirements as processors.

Additionally, the INCDPA provides the following rights for consumers:

  • Right to Access: Consumers can request access to the personal data processed by the controller.
  • Right to Correct: Consumers can request covered entities to correct inaccuracies in personal data provided to the controller.
  • Right to Data Portability: Consumers can obtain a copy or summary of the personal data in a portable and readily usable format that allows the consumer to
  • share it with another controller.
  • Right to Delete: Consumers can request to delete data provided or obtained about the consumer.
  • Right to Opt Out: Consumers can opt out of the processing of their personal data.
  • Right to Opt In: Controllers cannot process sensitive data without consent of the consumer.

In addition to the consumer rights, the INCDPA requires controllers to complete annual data protection assessments for (1) processing data for targeted advertising; (2) selling personal data; (3) processing data for the purpose of profiling if certain risk factors are met; (4) processing sensitive data; and (5) any processing activities that present a “heightened risk of harm.”

Covered entities are required to limit personal data collection to what is adequate, have reasonable administrative technical and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, and provide and accessible, clear, and meaningful privacy notice. Covered entities must also provide processors with a binding data processing contract, detailing instructions for processing personal data, the nature and purpose of the processing, type of data subject to processing, duration of processing, and the rights and obligations of both parties.

Despite the robust framework of the INCDPA, the law does not afford a private right of action to consumers who suffer violations under the INCDPA. Under the INCDPA, the Indiana Attorney General has the power to issue a civil investigative demand to investigate a suspected violation. Violations can be enforced by an injunction and/or seeking a civil penalty of up to $7,500 for each violation if not cured within 30 days of written notice.

Indiana is not going to be one of the only states to pass a comprehensive privacy law in 2023, as Montana and Tennessee are on track to pass their own state privacy laws. Companies are advised to actively monitor proposed state legislation and ensure compliance with new state privacy laws. At The Beckage Firm, we have a team of seasoned attorneys who stay up-to-date with emerging state law and can help ensure your business stays compliant.

The Beckage Firm is a boutique, woman and veteran owned law firm focusing on tech, data security, and privacy. It is one of only a handful of law firms certified as a BreachCoach© to work on data breaches, and its team are peer nominated for numerous awards and interviewed by global media on emerging tech and data security and privacy topics.
24/7 (o) 2 BECK FIRM 2 (223 253 4762)
24/7 Data Incident Help