May 30, 2023

Volume XIII, Number 150


May 29, 2023

Subscribe to Latest Legal News and Analysis

Indiana’s New Consumer Privacy Law

On May 2, 2023, Indiana Governor Eric Holcomb signed Senate Bill 5 (Bill) into law – making it the seventh U.S. state with a comprehensive privacy law. The Bill takes effect January 1, 2026, and mirrors states such as Virginia, Iowa and Colorado in setting out increased protection for consumer data and the sale of personal data.  In addition, the Bill will grant data subjects with a range of rights, including access and opt-out rights.

Under the Bill, “personal data” is defined as information that is linked or reasonably linkable to an identified or identifiable individual. The Bill applies to a person who conducts business in Indiana or produces products or services that are targeted to residents of Indiana and during a calendar year (1) controls or processes personal data of at least 100,000 consumers who are Indiana residents or (2) controls or processes personal data of at least 25,000 consumers who are Indiana residents and derives more than 50 percent of gross revenue from the sale of personal data.

Additionally, the Bill affords an Indiana consumer the right to:

  • Confirm whether or not a controller is processing the consumer's personal data

  • Correct inaccuracies in the consumer's personal data that the consumer previously provided to a controller

  • Delete the consumer's personal data held by a controller

  • Obtain a copy or representative summary of the consumer's personal data that the consumer previously provided to the controller

  • Opt out of the processing of the consumer's personal data for certain purposes.

Further, the Bill creates responsibilities for data controllers and processors. Controllers must limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer, unless the controller obtains the consent of the consumer. To continue, a controller shall establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data.

Also, a controller shall provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes:

  • The categories of personal data processed by the controller

  • The purpose for processing personal data

  • How consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request

  • The categories of personal data that the controller shares with third parties, if any

  • The categories of third parties, if any, with whom the controller shares personal data.

Lastly, the Bill outlines the requirements for selling consumer data, and provides for posting on the Attorney General's website a list of resources for controllers, including sample privacy notices and disclosures, to assist controllers with compliance. Processors shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations.

In conclusion, Indiana Senate Bill 5 represents a significant step forward in enhancing data privacy protections and underscores the importance of safeguarding personal information. As other states begin adopting similar statutes, companies must prioritize compliance with these consumer laws to ensure the privacy and security of individuals’ data.

© 2023 Wilson ElserNational Law Review, Volume XIII, Number 143

About this Author

Anjali C. Das, Wilson Elser, professional liability insurance lawyer, shareholder obligations attorney, illinois

With nearly two decades of experience, Anjali Das represents insurers in connection with professional liability insurance coverage matters and claims involving accounting, finance and other complex business issues. She is a coordinating partner for the firm’s Directors & Officers practice and a member of the Diversity Committee.

Anjali represents the interests of U.S., London and Bermuda-based primary and excess insurers in high-exposure claims against directors and officers of public and private companies, non-profit boards, financial...