Indiana’s New Consumer Privacy Law

On May 2, 2023, Indiana Governor Eric Holcomb signed Senate Bill 5 (Bill) into law – making it the seventh U.S. state with a comprehensive privacy law. The Bill takes effect January 1, 2026, and mirrors states such as Virginia, Iowa and Colorado in setting out increased protection for consumer data and the sale of personal data.  In addition, the Bill will grant data subjects with a range of rights, including access and opt-out rights.

Under the Bill, “personal data” is defined as information that is linked or reasonably linkable to an identified or identifiable individual. The Bill applies to a person who conducts business in Indiana or produces products or services that are targeted to residents of Indiana and during a calendar year (1) controls or processes personal data of at least 100,000 consumers who are Indiana residents or (2) controls or processes personal data of at least 25,000 consumers who are Indiana residents and derives more than 50 percent of gross revenue from the sale of personal data.

Additionally, the Bill affords an Indiana consumer the right to:

• Confirm whether or not a controller is processing the consumer's personal data

• Correct inaccuracies in the consumer's personal data that the consumer previously provided to a controller

• Delete the consumer's personal data held by a controller

• Obtain a copy or representative summary of the consumer's personal data that the consumer previously provided to the controller

• Opt out of the processing of the consumer's personal data for certain purposes.

Further, the Bill creates responsibilities for data controllers and processors. Controllers must limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer, unless the controller obtains the consent of the consumer. To continue, a controller shall establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data.

Also, a controller shall provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes:

• The categories of personal data processed by the controller

• The purpose for processing personal data

• How consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request

• The categories of personal data that the controller shares with third parties, if any

• The categories of third parties, if any, with whom the controller shares personal data.

Lastly, the Bill outlines the requirements for selling consumer data, and provides for posting on the Attorney General's website a list of resources for controllers, including sample privacy notices and disclosures, to assist controllers with compliance. Processors shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations.

In conclusion, Indiana Senate Bill 5 represents a significant step forward in enhancing data privacy protections and underscores the importance of safeguarding personal information. As other states begin adopting similar statutes, companies must prioritize compliance with these consumer laws to ensure the privacy and security of individuals’ data.