By Tim Rollins
Indiana has become the seventh US state to have a comprehensive privacy law enacted, underscoring the need for organizations to adopt holistic privacy programs based on best practices and privacy-by-design principles rather than attempting to respond to regulations on a one-by-one basis.
The Indiana House of Representatives voted unanimously (98-0) to pass Senate Bill 5 on consumer data protection in April, a year after the bill had stalled out in its progress toward becoming law. Due to the legislative process in Indiana, the Senate had to vote on concurrence, before it went to the governor's desk for final signature into law.
The concurrence vote passed unanimously as well, 47-0. Both the President of the Senate and the Speaker have signed the bill, and on May 1, 2023, Indiana Governor Eric Holcomb signed it into law.
The bill is modeled after the Virginia Consumer Data Protection Act, as well as laws passed in Iowa and Utah, in that it does not pose serious burdens on businesses in compliance with other existing state privacy laws. Most businesses, therefore, can expect to be in compliance with Indiana’s requirements if they are making solid progress toward compliance in other states.
The bill will take effect on January 1, 2026. It remains an interesting question whether passage of more state laws will prompt the US Congress to act, and if a preemptive federal law is passed.
What Is Covered
SB 5 will apply to businesses that control or process personal data on 100,000 consumers or derive half or more of their revenue from selling the data on more than 25,000 Indianans. The bill also requires some features shared in common with many recently passed privacy laws, including:
- Data protection impact assessments
- Requirements for processing de-identified data
- Consumer opt outs for targeted advertising and data sales
- A 30-day cure provision allowing organizations to avoid fines for violations
Expert Analysis from Tyler G. Newby, Partner, Fenwick
As has become the trend among states that have passed omnibus privacy laws after California’s Consumer Privacy Rights Act amended the California Consumer Privacy Act (“CCPA”), Indiana’s law contains concessions to business, most notably, exempting employment information and business-to-business information from the law. But, like Virginia, it also includes consumer rights that are not found in the CCPA, like the requirement for controllers to obtain consent before processing consumers’ ”sensitive data,” including racial or ethnic origin, religious beliefs, sexual orientation, unique biometric information, and precise geolocation information. Additionally, the requirement to conduct data protection impact assessments is likely to create a significant compliance burden, which is only multiplied by the complexity of ensuring compliance with other states’ laws with similar requirements. This state-by-state approach to privacy law is inconsistent with operating nationwide and global businesses and calls for a federal standard with broad pre-emption of state laws.