The Indiana Consumer Data Protection Act (ICDPA): What You Need to Know | CHEQ

--------------------------------

On May 1, 2023, Indiana Governor Eric Holcomb signed the Indiana Consumer Data Protection Act into law, making the Hoosier state the seventh US state to pass a comprehensive data privacy law after California, Utah, Colorado, Connecticut, Virginia, and Iowa.

The Indiana Consumer Data Protection Act (ICDPA) gives Indiana citizens substantial rights regarding their personal data, including the rights to access, correction, deletion, data portability, and opting out of data processing. Indiana’s law is largely based on the content of the Virginia Consumer Data Protection Act (VCDPA) and has considerable overlap with both Virginia’s law and other VCDPA-based laws in Connecticut and Iowa. The law will go into effect on January 1, 2026. 

In this blog, we’ll cover the scope of the Indiana Consumer Data Protection Act, the rights it grants to Indiana residents, the regulatory requirements it places on businesses, and how the law will be enforced.

For a more in-depth breakdown of state-level privacy laws, check out our new Comprehensive Guide to US Privacy Law for 2023, a free 46-page eBook that gives a comparison chart of all state-level privacy laws, as well as an in-depth breakdown of each law, the consumer rights and business requirements of each law, and best practices for compliance with the patchwork of US privacy laws.

Who does the Indiana Consumer Data Protection Act Apply to?

The Indiana Consumer Data Protection Act (ICDPA) applies to persons conducting business in Indiana, or producing products and services targeted to Indiana residents, that meet one of two yearly thresholds:

  • Controlling or processing the personal data of at least one hundred thousand (100,000) consumers who are Indiana residents.
  • Controlling or processing the personal data of at least twenty-five thousand (25,000) consumers who are Indiana residents and deriving more than fifty percent (50%) of gross revenue from the sale of personal data.

However, the ICDPA has a long list of exempt entities, including the state, state agencies, bodies, authorities, boards, bureaus, commissions, districts, or agencies of any political subdivision of the state, third parties under contract with such entities, financial institutions and affiliates, entities governed by HIPAA, nonprofit organizations, institutions of higher education, and public utilities or service companies affiliated with public utilities.

What Rights does the Indiana Consumer Data Protection Act provide for Indiana citizens?

Indiana’s privacy law closely follows the template of the Virginia Consumer Data Protection Act in granting citizens of the state several new rights, largely based on the rights put forth by the EU’s General Data Protection Regulation (GDPR) in 2018. Below, we examine several rights common among US data privacy laws, whether Indiana’s law provides them, and the specific requirements for each right.

Right to Access

As stated in Section 2 of Chapter 2 of the ICDPA, which outlines the data subject rights guaranteed by the law, all consumers have the right to confirm whether or not a data controller is processing their personal data and to gain access to that data.

Right to Correction

Indiana consumers have the right to correct any information that may have become inaccurate, obsolete, or misleading since it was collected. To exercise this right, consumers can submit a request to the data controller, who must respond within 45 days and correct the information if it is indeed inaccurate or misleading.

Right to Deletion

Indiana consumers have the right to request the deletion of their personal data held by a data controller, and the controller must respond within a reasonable timeframe. Data necessary for the performance of a contract or for compliance with a legal obligation is exempt from this requirement.

Right to Data Portability

Indiana consumers have the right to obtain a copy of their personal data previously provided to a data controller in a portable and readily usable format that allows them to transmit the data or summary to any controller without any hindrance. However, the controller is under no obligation to fulfill requests for portable data by the same consumer more than once in a twelve (12) month period. The ICDPA provides exceptions to this right when the data is necessary for the performance of a contract or for compliance with a legal obligation. 

Right to Opt-Out of Data Processing

Consumers have the right to opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, and “profiling in furtherance of solely automated decisions that produce legal or similarly significant effects” concerning the consumer. Data necessary for the performance of a contract or for compliance with a legal obligation is exempt from opt-out requirements.

What are the Regulatory Requirements for Businesses?

Privacy Notice Requirements

Businesses are required to provide a clear privacy notice detailing their data collection and processing practices. This includes the categories of personal data processed, the purpose for processing personal data, the categories of data shared with third parties, and the types of third parties that data is shared with. The privacy notice must also detail the consumer’s rights and how consumers may exercise their rights, including the process to appeal a rejection of a consumer rights request. Finally, the privacy notice must disclose if the controller sells consumers’ personal data to third parties or engages in targeted advertising, and give consumers the means to opt out of such processing.

Consent Management Requirements

As demonstrated by the ‘right to opt-out,’ Indiana’s law generally follows the opt-out consent model common to US laws. However, the law does require businesses to obtain affirmative express consent from consumers before processing sensitive data or engaging in the sale of personal data. Sensitive data is defined as any data that reveals genetic or biometric data, data of known children, precise geolocation data, or personal information revealing racial or ethnic origin, religious beliefs, or health status. This requirement means that businesses dealing with sensitive personal data must provide an opt-in consent banner before collecting or processing such information.

Data Security Requirements

The ICDPA requires businesses to implement and maintain reasonable data security practices and procedures appropriate to the nature of the personal data they collect, process, or store. These practices must protect personal data from unauthorized access, destruction, use, modification, or disclosure. Additionally, the ICDPA requires businesses to take reasonable steps to ensure that any third-party service providers that process personal data on their behalf also implement and maintain appropriate data security practices and procedures. Businesses in possession of de-identified data must take reasonable measures to ensure that the data cannot be associated with an individual, commit publicly to maintaining the data as de-identified, and obligate any recipients of the data to comply with the ICDPA.

Data Protection Assessment Requirements

Data controllers must conduct and document data protection assessments of each of their processing activities that involve personal data. These assessments must identify and weigh the benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks. Data protection assessments must be made available to the Indiana Attorney General upon request.

Data Collection and Purpose Limitation Requirements 

Businesses are required to limit their collection, use, retention, and disclosure of personal data to what is reasonably necessary to achieve the purposes for which the data was collected or subsequently authorized by the consumer. Specifically, businesses must provide consumers with a clear and conspicuous notice at or before the time of collection that describes the purposes for which the personal data will be processed. If the business seeks to process the personal data for a purpose that is materially different from the purpose for which it was collected, the business must obtain the consumer’s consent before doing so. 

Non-Discrimination Requirements

Businesses must process consumer data in a non-discriminatory manner, and refrain from discriminating against consumers who exercise the rights granted by the law.

How will the law be enforced?

Enforcement of Indiana’s privacy law will be the responsibility of the Office of the Attorney General of Indiana. The Attorney General can initiate actions against violations, recover reasonable expenses related to investigating and preparing the case, and issue penalties for non-compliance. The ICDPA stipulates a civil penalty of up to $7,500 for each violation of its provisions.

Once a violation is discovered, a controller or processor must be given 30 days’ written notice identifying the specific provisions of the ICDPA that the Attorney General alleges have been or are being violated. During this period, the Attorney General will not initiate any action against the controller or processor if the violation is cured or if the controller provides an express written statement stating that the violation has been corrected. There is no private right of action under the law.

Get Compliant with CHEQ Privacy

State privacy laws like this one are pressing new responsibilities—and penalties—on businesses and marketers. CHEQ Privacy offers organizations a solution to help build a fully compliant website and simplify compliance with Indiana’s law, as well as the UCPA, CTCDPA, VCDPA, CCPA, CPA, GDPR, and any future privacy laws.

With CHEQ Privacy and Compliance Enforcement, you can set up geo-targeted opt-out-of-sale links for consumers and give your customers a clear-cut choice on how their data is used, or whether it is collected at all. A single line of JavaScript added to your website is all you need to stop data from being collected before your customers give their consent, allowing real-time enforcement of customer consent regardless of tag management systems or third-party tags.

Request a demo to see how CHEQ can help your organization meet its compliance and consent management needs.
