Last week, Senate Bill 5 passed unanimously in the Indiana House with a definitive 98-0 vote. The bill had already passed the Senate in a 49-0 vote in February and is now, literally, on the governor’s table. Indiana’s Gov. Eric Holcomb has the power to veto the bill within seven days of receipt but is widely expected to sign it into law. If the governor neither signs nor vetoes the bill within a week, it becomes law without a signature on the eighth day. The law is set to take effect on January 1, 2026.
The unanimous vote is taking place just over a year after a similar privacy bill, Senate Bill 358, stalled in the Indiana Senate in 2022. The now-dead Senate Bill 358 was drafted in the style of Europe’s GDPR on consumer privacy. But Sen. Liz Brown reworked the bill this year to more closely follow Virginia’s VCDPA, a much less invasive approach to consumer privacy than the GDPR.
The Virginia Consumer Data Privacy Act (VCDPA) was developed to provide fundamental protections for consumers and clearly define the obligations of businesses to ensure that protection. The law provides guidelines that pave a smooth path toward compliance, without imposing overly complicated requirements.
In Brown’s words, Senate Bill 5 is “very very different” from the legislation she composed last year. “I basically did an entire rewrite,” Brown said.
The Indiana data privacy law has been lauded by groups on both sides of the partisan divide as hitting the right chord on the delicate balance between consumer privacy rights and business interests.
However, it has drawn criticism from privacy advocates for providing too little protection for the personal information of “Hoosiers” (a term for Indiana residents) and for doing too little to rein in major tech companies like Google and Facebook.
Privacy advocates feel that opt-out bills, like the Indiana privacy act, shift far too much of the burden onto individual consumers to protect their privacy, instead of putting the onus on the companies that profit from consumer data.
Advocacy groups are also quick to point out that the Indiana data protection law does not give Hoosiers the right to file lawsuits and pursue litigation on their own when their rights are violated, and gives the power of enforcement to the Attorney General’s office. Virginia’s privacy law also follows this line of enforcement. Contrast that to California where individuals are allowed to directly sue entities they believe have violated the state’s data privacy laws.
Opt-In and Opt-Out: What is the Difference?
In an opt-out approach to data privacy, the default rule is that businesses are permitted to collect and sell information commensurate with the provisions of the law, BUT are obligated to provide a way for consumers to opt out of the sale of their data. With this approach, the responsibility to protect the privacy and personal data of an individual is given to the consumer in the form of the right to opt out of allowing the collecting company to process their data.
Let’s take the example of a person who visits a website and enters their email address in an opt-out jurisdiction. By default, the website is authorized to sell that data to a third party. By law, the business has a legal right to sell this information so long as the customer has received sufficient notice and an opportunity to opt out.
An opt-in approach requires an entity to request and obtain the consent of a consumer before processing their personal data. In most opt-in bills, consumer data protection starts even before the data is collected. Opt-in regimes place the burden of data protection on the controllers and processors of data. They are easily identifiable by requests for consent before personal information is collected and processed.
What Companies Need To Know
Eligible Businesses
Businesses that collect and process the personal data of at least 100,000 Indiana citizens, or that process the data of at least 25,000 Indiana citizens and derive more than half of their revenue from that data, are covered by the Indiana data privacy law.
Brown said she does not want small businesses below the bill’s 25,000 to 100,000 thresholds to be bound by its requirements until their operations have grown to meet those thresholds, so as not to hinder small business growth.
“The threshold is significant enough that we assume, and frankly haven’t heard otherwise, that these businesses are large enough that they can comply with a security data assessment and the regulations without imposing barriers to entry to the business,” Brown said.
Like other recent data privacy laws, entities not physically located in Indiana may nevertheless be subject to the law’s provisions if they conduct business in Indiana or provide goods or services to its citizens.
Applicability and Exemptions
The law contains some exceptions to applicability. Notably, the law is set to apply only to consumers, which is specifically defined such that it excludes Indiana individuals acting in a commercial or employment context. In other words, the law does not provide these rights to individuals regarding personal data collected and processed while they are acting as employees or job applicants, or where their personal data is used in a commercial or B2B context.
Entities that are already covered by laws like HIPAA and the Gramm–Leach–Bliley Act are exempt from the data privacy law. Unlike the Virginia law, the Indiana law also exempts public utilities and affiliated service companies from the legislation.
Definition of Personal Data
Under the bill, personal data is defined as information that is “linked or reasonably linkable to an identified or identifiable individual.” Notably, data that has been aggregated, deidentified, or publicly available is not included in “personal data”.
45 Days To Respond to Opt-Outs
Under the law, upon an Indiana consumer’s request, businesses will be required to stop processing the consumer’s data for targeted advertising, selling their data, or profiling them based on their data. Businesses will have 45 days to respond to such requests. Similar to rights granted to individuals under other state and international laws, this right to opt out gives Indiana consumers much greater control over the use of their personal data and its transfer to third parties that the consumer may not even know exist or receive their information.
Data Privacy Impact Assessments
Covered businesses will be required to conduct data protection impact assessments (DPIAs) covering the processing of data for targeted advertising and the sale of personal data. In simple language, a DPIA is an internal assessment of all data processing activities that evaluates the privacy risk of personal data collection. The assessment must be conducted annually.
In general, the DPIA is an internal investigation. However, the Indiana attorney general may request that a business disclose its DPIA if it is relevant to an investigation. Businesses will therefore need to ensure they are properly auditing their documents as part of their data protection compliance program activities.
30-Day Cure Period
Businesses that are found to violate the law will be provided 30 days to cure or remedy the alleged violation. This pro-business clause will help businesses avoid fines and other consequences.
Where Do You Go From Here?
Indiana is joining Iowa on the list of states that have passed new privacy laws in 2023. As the “state privacy law club” grows, more companies are likely to become subject to US data privacy laws. If your company is already compliant with the VCDPA, complying with Indiana’s new legislation should be a breeze.
Centraleyes has developed a multi-faceted platform that allows you to assess your risks, develop mitigation strategies, and choose from tens of risk frameworks and compliance standards that apply to you. Time-saving smart mappings between frameworks allow you to cut time and resources spent on compliance tasks with an ever-growing list of requirements.