On May 1, 2023 the Indiana governor signed the Indiana Consumer Data Protection Act (ICDPA), making Indiana the seventh state to enact a comprehensive data privacy law.

The final form of the ICDPA largely mirrors the Virginia Consumer Data Protection Act (which we covered in detail here), establishing similar consumer data privacy rights and obligations for data controllers, with a few unique provisions.

(1) Applicability: The ICDPA covers persons that conduct business in or produce products or services targeted to the residents of Indiana and who, in a calendar year, either:

a. Control or process the personal data of at least 100,000 consumers who are Indiana residents, or

b. Derive more than 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers who are Indiana residents.

(2) Consumer Rights: The law grants Indiana residents several individual rights over their personal data:

a. Right of access: consumers have the right to confirm whether a controller is processing their personal data. However, unlike other similar state laws, the ICDPA allows covered entities to respond to a consumer request with a "representative summary" of the data.

b. Right to correct: consumers have the right to correct data they provided to the controller. The right does not extend to all data as is required by Colorado, Connecticut and Virginia law.

c. Right to data portability: personal data provided to the consumer must be in a portable and readily usable format.

d. Right to delete: consumers have the right to request that controllers delete the consumer's personal data. Unlike the right to correct, this extends to personal data the consumer provided and personal data otherwise obtained by the controller.

e. Right to opt out of targeted advertising and sale of personal data: consumers have the right to opt out of the processing of their personal data for the purposes of targeted advertising, sale of personal data, and profiling. However, this right does not extend to pseudonymous data. The term "sale of personal data" requires monetary consideration and, unlike California's definition, does not include exchanges for "other valuable consideration".

(3) Controller Obligations:

a. Purpose limitations: controllers must limit personal data collection to what is "adequate, relevant, and reasonably necessary" for the purposes of processing and must disclose that purpose to and obtain consent from the consumer.

b. Data security: controllers must have reasonable data security practices for the protection of personal data.

c. Consent requirements: consumer consent, meaning "a clear affirmative act", is required for a number of activities. Unlike in California, Colorado and Connecticut, there is no requirement to offer a method for consumers to revoke their consent. Controllers must obtain consent before processing sensitive data, as defined under the ICDPA.

d. Nondiscrimination: controllers cannot process data in a way that violates antidiscrimination laws, nor can they discriminate against a consumer for exercising their rights.

e. Transparency: controllers must have a clear, accessible and meaningful privacy notice which includes information on the categories of data processed, the purpose of the processing, categories of personal data (if any) shared with third parties and the categories of those third parties as well as an explanation of how consumers may exercise their rights.

f. Assessments: controllers must conduct data protection impact assessments for certain activities:

i. Processing personal data for the purposes of targeted advertising.

ii. The sale of personal data.

iii. The processing of personal data for the purposes of profiling if that profiling presents a reasonably foreseeable risk of, among others: unfair or deceptive treatment; financial, physical or reputational injury; intrusion on the solitude or personal affairs of a consumer; other substantial injury.

iv. Processing of sensitive data.

v. Processing activities involving personal data that presents a heightened risk of harm to consumers.

g. Data processing contracts: controllers must provide processors with a binding data processing contract that includes certain required terms. Processors are expected to assist the controller in meeting their duties under the law.

(4) Enforcement: The law is enforced by the Indiana attorney general and has no private right of action. The ICDPA includes a 30-day period to cure alleged violations. The right to cure is not subject to any sunset period, unlike those in California, Colorado and Connecticut.

The ICDPA contains several exemptions common to other state privacy laws. It excludes government entities and data subject to certain federal sector-specific privacy laws, such as the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act, and it does not apply to employment-related data. The law has a unique carve-out for riverboat casinos, allowing them to operate facial recognition software programs approved by the Indiana gaming commission.

The law will go into effect starting January 1, 2026, giving covered entities a long runway to reach compliance. Additionally, many covered entities that already comply with Virginia, Colorado, and other recent state privacy laws should be able to leverage their existing governance structure to achieve compliance.

Baker Botts will continue to monitor developments with these and other data privacy regulations.
