Indiana Governor Signs Comprehensive Privacy Law
Indiana has become the seventh state to enact a "comprehensive" data privacy law, joining California, Virginia, Colorado, Connecticut, Utah, and Iowa. On May 1, 2023, the governor of Indiana signed Senate Bill 5, also known as the Indiana Consumer Data Protection Act (INCDPA). Indiana's new law is similar to the Virginia, Utah, and Iowa privacy laws in that it takes a more "business-friendly" approach by, for instance, narrowly defining the kinds of disclosures of personal data ("sales") requiring opt-in consent and providing a mandatory right to cure.
We highlight key provisions of the INCDPA below.
Application Thresholds
The INCDPA applies to companies conducting business in Indiana or producing products or services targeted to Indiana residents that during a calendar year either: (1) control or process[1] personal data of at least 100,000 Indiana residents acting in a personal, family, or household capacity ("consumers"); or (2) control or process personal data of at least 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data. Under these thresholds, the INCDPA will not apply to many small and medium-sized Indiana businesses. These applicability provisions mirror those in the Virginia, Utah, and Iowa privacy laws and are considerably narrower than those in the California law (which, among other things, apply to companies that do business in California and that have $25 million in annual revenue, wherever earned, even if they do not meet the data thresholds).
Processor Contracts
Like most of the other state privacy laws, the INCDPA distinguishes a "controller"—an entity that "determines the purpose and means of processing personal data"—from a "processor"—an entity that "processes personal data on behalf of a controller."[2] A processor must adhere to the controller's instructions, including those regarding the nature, purposes, and duration of the processing, and the contract between a controller and processor must require:
- Confidentiality of personal data;
- Deletion or return of personal data at termination of the agreement;
- Demonstration of compliance with the INCDPA upon request;
- Cooperation with data protection impact assessments; and
- Use of subcontractors that are subject to the same privacy requirements as processors.
Exemptions
The INCDPA exempts a variety of entities and types of data, including:
- Financial institutions and data subject to the Gramm-Leach-Bliley Act (GLBA);
- Covered entities and business associates governed by the Health Insurance Portability and Accountability Act (HIPAA);
- Nonprofit organizations;
- Institutions of higher education;
- State agencies;
- A controller deemed to be in compliance with the Children's Online Privacy Protection Act (COPPA);
- Information governed by the Fair Credit Reporting Act (FCRA);
- Personal data governed by the Family Educational Rights and Privacy Act (FERPA);
- Information governed by the Driver's Privacy Protection Act;
- Information governed by the Farm Credit Act; and
- Information relating to applicants and employees "to the extent that the data is collected and used within the context of that role," including emergency contact information and benefits.[3]
Privacy Notices
Like all state privacy laws, the INCDPA requires controllers to provide a "reasonably accessible, clear, and meaningful" privacy notice to consumers that discloses the categories of personal data processed, the purpose of such processing, how consumers can exercise their rights (e.g., right to delete), categories of personal data shared with third parties, and categories of third parties with whom the data is shared. Controllers must not collect additional categories of personal data or use personal data collected for additional purposes without providing notice to consumers. Controllers may not process personal data for purposes that are neither reasonably necessary for nor compatible with the disclosed purposes for which the personal data is processed, unless the controllers obtain consumer consent.
Sensitive Data
Like the Virginia law and some of the other state privacy laws, the INCDPA requires companies to obtain consent, which must be a "clear affirmative act" signifying a consumer's "freely given, specific, informed, and unambiguous agreement," before processing "sensitive data."[4] The INCDPA specifically defines "sensitive data" as personal data that includes any of the following:
- Personal data revealing
- Racial or ethnic origin,
- Religious beliefs,
- Mental or physical health diagnosis made by a healthcare provider (more on this below),
- Sexual orientation, or
- Citizenship and immigration status;
- Genetic and biometric data that identifies an individual;
- Precise geolocation data; and
- Personal data collected from a known child.
A unique aspect of the INCDPA's definition of sensitive data is that health information is deemed to be sensitive only to the extent a diagnosis has been made by a healthcare provider.
Narrow Definition of "Sale"
The INCDPA narrowly defines the term "sale" as an exchange of personal data for monetary consideration only, excluding any disclosure to an affiliate of the controller, to the controller's processor, for the purpose of providing a requested product or service, in a merger or acquisition of the controller's business or assets, or of information that the consumer intentionally made public via mass media. The narrow definition of "sale," which mirrors the definition from the Virginia law, is noteworthy because a consumer can only opt out of a "sale" of their personal data (see below), and not from other disclosures, such as to an affiliate or service provider.
Consumer Rights
Indiana's law affords the usual rights to consumers to access, correct, delete, and obtain a copy of their personal data. As provided in other state privacy laws, controllers must respond to such requests within 45 days (with a 45-day extension available, if "reasonably necessary") and must offer consumers the right to appeal an adverse decision. As noted earlier, the INCDPA also gives consumers the right to opt out of the "sale" of their personal data, as well as the right to opt out of the use of such data for targeted advertising and profiling.
Data Protection Impact Assessments
Like other state privacy laws, the INCDPA requires controllers to complete annual data protection impact assessments (DPIAs) for the following five processing activities:
- Processing data for targeted advertising;
- Selling personal data;
- Processing data for the purposes of profiling, if certain risk factors are met;
- Processing sensitive data; and
- Any processing activities that present a "heightened risk of harm."
Exceptions and Limitations
The INCDPA includes the usual exceptions and limitations by stating that the law will not restrict a controller or processor from collecting, using, or retaining personal data to "conduct internal research to develop, improve, or repair products, services or technology"; "effectuate a product recall"; "identify and repair technical errors that impair existing or intended functionality"; or "perform internal operations" that are reasonable based on consumer expectations or the consumer relationship.
In addition, the INCDPA allows controllers and processors to disclose personal data when necessary to "comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, state, local, or other governmental authority" or "cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations."
The INCDPA further allows companies to "take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual, if the processing cannot be manifestly based on another legal basis."
No Private Right of Action
There is no private right of action afforded to consumers for violations of the INCDPA under this or "any other law."
AG Authority and Penalties for Non-Compliance
The INCDPA gives the Indiana attorney general (AG) exclusive enforcement authority and provides that whenever the AG "has reasonable cause to believe that any person has engaged in, is engaging in, or is about to engage in any violation of [the INCDPA], the [AG] is empowered to issue a civil investigative demand to investigate the suspected violation." The AG may seek an injunction and civil penalties for violations, not to exceed $7,500 per violation, along with attorneys' fees. The INCDPA does not give any rulemaking authority to the AG and does not fund or create a privacy-focused enforcement bureau (such as the California Privacy Protection Agency (CPPA), which was created under the California privacy law).
Cure Period
The AG must give a company notice and a chance to cure any alleged violation of the INCDPA within 30 days of receiving the notice of violation. If the company fails to take remedial measures within 30 days, the AG may initiate an action against the company, including by seeking injunctive and monetary relief.
Looking Ahead
Iowa and Indiana will not be the only states to pass comprehensive privacy laws in 2023. The statehouses in Montana and Tennessee have already passed their own privacy laws that are awaiting the governors' signatures. More states are likely to follow suit. Companies are advised to actively monitor proposed state legislation and prepare to comply with new state privacy laws.
DWT's Privacy and Security team regularly counsels clients on how their business practices can comply with state privacy laws. We will continue to monitor the rapid development of other state and new federal privacy laws and regulations.
[1] "Processing" is broadly defined to include collecting, using, storing, disclosing, analyzing, deleting, or modifying personal data.
[2] The exception is the California law, which uses the concepts of a "business," a "service provider," and a "third party."
[3]The law also does not restrict riverboat casino operators in their implementation and operation of facial recognition technology approved by the Indiana Gaming Commission.
[4] The consent requirement is similar to provisions in the Colorado, Connecticut, and Virginia privacy laws. Consent can be obtained by electronic means or "any other unambiguous affirmative action."