Listen to this post

Indiana has now become the seventh US state to enact a comprehensive privacy law after Senate Bill 5 (“SB5”) was signed by the governor on May 1, 2023. The new law will go into effect January 1, 2026, and is almost identical to recent comprehensive privacy laws in other states.

The law will apply to those that do business in Indiana and either: (1) control or process personal data of at least 100,000 Hoosiers; or (2) derive over 50% of gross revenue from the sale of personal data and control or process personal data of 25,000 or more Hoosiers. Like most other states, it contains an exemption for entities covered by HIPAA or GLBA, and applies only to consumer (and not employee) information).  Key provisions include:

  • Notice. The impact of the Indiana law on business’s privacy notices should be minimal. Like other state laws, the policy must outline the categories of data being processed, the purpose, categories of data being sold or shared, and provide consumers with information about exercising their consumer rights. It is this last category that will prompt privacy policy modifications, in particular for those companies that have indicated in their policies that rights can be exercised only by individuals in the jurisdictions where currently legally required.
  • Consumer Rights. Once in effect, Indiana consumers will have rights of access, correct, deletion, and portability. They can also opt out of the sale of their personal data. The right to correct only extends to personal data that the consumer has previously provided to the business. Businesses will have 45 days to respond to rights requests.
  • Consumer Opt-Outs. SB5 follows Iowa, Virginia, Utah, and defines “sale” as the exchange of personal data for “monetary consideration” rather than the broader definition of California[1] and Connecticut[2] which includes “monetary or other valuable consideration”. Like other states, consumers can also opt-out of targeted advertising, as well as profiling that could produce legal or other similarly significant effects. Those who profile must do a data impact assessment. Indiana will not require that companies recognize universal opt-out mechanisms (similar to Iowa, Utah, and Virginia).
  • Sensitive Personal Data. Like Colorado, Connecticut and Virginia, a business must obtain consumer consent before processing sensitive information, rather than -as in California- give consumers the ability to opt-out.
  • Contracts. Companies who use third party data processors/contractors will need to have contracts in place, just as in other states. The requirements under this new Indiana law are almost identical to those in place in Virginia.

As with other states, there is no private right of action under the law. Before the attorney general can initiate an action, it must give companies written notice and 30 days to cure the violation (this right does not “sunset,” unlike in Colorado, where the 60 day cure period will be sunsetting in January 2025). The Indiana law provides for statutory civil penalties of up to $7,500 for each violation.

Putting It into Practice: Companies will need to add January 2026 to their US state privacy law roadmap. While the Indiana law does not add substantively to the list of requirements, it does mean that companies will need to keep track of another state when determining its notice and choice practices, among other things.

[1] 1798.140(ad)

[2] 22-15 Sec. 1(26).