On Tuesday, April 11, the Indiana House passed Senate Bill No. 5, a comprehensive state privacy law similar to the ones that are already in effect in California, Colorado, Virginia, Utah and Connecticut. This bill previously passed (49 – 0) in the Indiana Senate on February 9. Due to minor House amendments, the House version of the bill received Senate concurrence on April 13, and now moves to the Indiana Governor’s desk for signature. If Senate Bill No. 5 is signed into law, Indiana would join Iowa and become the second state this year to pass a comprehensive privacy law.
Unlike the Iowa bill set to go into effect in 2025, the Indiana bill would not go into effect until July 1, 2026, leaving plenty of time for amendments to current provisions. As drafted, the bill does not impose any substantive requirements on companies beyond those that already exist under the other six active laws. However, companies should track amendments to these proposals, as there is still plenty of time for them to change before they go into effect. Further, companies should prepare to review and revise their privacy compliance programs and assess whether they wish to undertake a nationwide approach and provide certain privacy rights to all US consumers.
Notably, and similar to the Iowa bill, Senate Bill No. 5 has industry-friendly provisions, including a cure period and the lack of a private right of action, which will minimize the compliance risk faced by companies. Similarities between the Indiana and Iowa bills forecast an early trend as to which models of comprehensive privacy legislation are most likely to succeed. So far this year, successful legislation most closely mirrors the Virginia and Utah legislative models (as opposed to the California and Colorado models). If states continue to coalesce around similar model legislation, this could have an effect if and when Congress considers federal privacy legislation this year.
In this post, we summarize key takeaways from the pending enactment of Senate Bill No. 5 and summarize the bill’s key provisions. We are happy to answer any questions you might have about Senate Bill No. 5 and what it means for your company’s privacy compliance programs.
- An Industry-Friendly Bill: Though companies will have to take the Indiana law into consideration when developing their compliance programs, the law does not create any new substantive obligations for businesses that did not previously exist under the other laws. This will allow companies to expand their current compliance programs to account for Indiana without needing to take many different compliance steps. However, unlike in Iowa, companies will need to conduct data protection impact assessments for processing in Indiana. That said, this is not a new requirement for companies that are already taking steps to comply with the laws in California, Colorado, Connecticut, and Virginia. Additionally, the bill does not contain a private right of action, instead relying solely on the Indiana state attorney general (AG) for enforcement. Although the cure period is more restrictive than the one offered in the Iowa bill, controllers and processors are provided with 30 days to resolve any deficient practices before the state AG may bring an enforcement action. Finally (and as we elaborate on below), the law has broad exemptions for entities and data regulated under certain federal laws, limiting how “comprehensive” the law actually is.
- Limited Enforcement Mechanisms: In addition to the lack of a private right of action, Senate Bill No. 5 also lacks various enforcement features prominent in other state privacy laws. For instance, the bill does not create any rulemaking authority for the state AG (unlike Colorado’s law). Nor does the bill create a separate privacy-centered enforcement agency (like the California Privacy Protection Agency).
- More Potential State Laws Incoming: As our state comprehensive privacy law updates make clear, Indiana will likely not be the last state that passes a comprehensive state privacy law in 2023. At this point, Tennessee seems most likely to become the eighth state to enact such a law.
Key provisions of Senate Bill No. 5 include the following:
- Applicability Thresholds: Applies to businesses that conduct business in Indiana, produce products or services that are targeted to Indiana residents, and control or process personal data of either: a) at least 100,000 consumers during a calendar year; or b) at least 25,000 consumers during a calendar year and derive more than 50% of gross revenue from the sale of personal data.
- Broad Exemptions: Exempts various entities and information types, including state entities and political subdivisions of the state; financial institutions and data subject to GLBA; covered entities or business associates governed by HIPAA; nonprofit organizations; institutions of higher education; information governed by FCRA; personal data governed by FERPA; information governed by the Driver’s Privacy Protection Act; information governed by the Farm Credit Act; and specified employee-related information. A controller that complies with the Children’s Online Privacy Protection Act (COPPA) is deemed in compliance with obligations under this Act.
- Consumer Data Rights: Creates individual rights for consumers, including the right to confirm whether a controller is processing personal data; the right to access personal data; the right to delete personal data; the right to correct inaccuracies; the right to obtain a portable copy of personal data; and the right to opt out of the processing of data for purposes of targeted advertising, sale of data, and “profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.”
- Privacy Design: Incorporates privacy by design principles, such as purpose limitation and reasonable security practices. Further, controllers cannot collect additional categories of personal information or use collected information for additional purposes without notice.
- Privacy Notice: Covered businesses must inform consumers of (1) the categories of personal information collected; (2) the purposes for processing personal data; (3) how to exercise the consumer rights created under the bill; (4) the categories of personal information that are shared with third parties; and (5) the categories of third parties that will receive the personal information. Covered businesses must clearly disclose the sale of personal data or its use for targeted advertising.
- Processor Duties: Imposes a range of requirements on processors, including, among other things, requiring that a contract govern a processor’s execution of data processing activities on behalf of the controller.
- Data Protection Impact Assessments: Requires data protection assessments for the following activities: (1) the processing of data for purposes of targeted advertising; (2) the sale of personal data; (3) the processing of data for purposes of profiling if certain risk factors are met; (4) the processing of sensitive data; (5) any processing activities that present a heightened risk of harm.
- Enforcement: Violations are only enforceable by the Indiana AG’s office. Imposes civil penalties of up to $7,500 for each violation. The AG may recover reasonable expenses incurred in investigating and preparing the case, including attorneys’ fees.
- Cure Period: Creates a 30-day cure period after the AG provides written notice. If the entity cures the violation and provides the AG with an express written statement, no action against the controller or processor will be initiated.
- Effective Date: Would go into effect on July 1, 2026.