July 18, 2023

Indiana Consumer Data Protection Act

Learn about the Indiana Consumer Data Protection Act (ICDPA), its applicability to businesses operating in Indiana, exemptions, sensitive data, consumer rights, data protection assessments, and potential penalties. Ensure compliance to avoid fines of up to $7,500 per violation. Get all the details here.

By enacting the Indiana Consumer Data Protection Act, Indiana became the seventh US state to pass a law dedicated to protecting consumer data privacy.

If you operate in Indiana, it may create obligations for you, and you need to learn more about it.

What is the Indiana Consumer Data Protection Act (ICDPA)?

The Indiana Consumer Data Protection Act (ICDPA) protects the consumer data privacy of Indiana residents. It closely follows the provisions present in other US state laws regulating the same matter.

It was signed into law on May 1, 2023, but it won’t be enforced until January 1, 2026. You have enough time to learn about it and prepare for compliance.

Does the ICDPA apply to your business?

The ICDPA applies to your business if you operate in Indiana or target Indiana customers, and either:

  • Control or process the personal data of at least 100,000 Indiana residents, or
  • Control or process the personal data of at least 25,000 Indiana residents and derive over 50% of your gross revenue from the sale of personal data.

These criteria are similar to what we have seen in other US states’ laws. It won’t apply to many businesses.

However, keep in mind that processing IP addresses with Google Analytics or browsing behavior with Meta Pixel can easily push you past the 100,000-consumer threshold and bring you within the law’s scope.

Are some businesses or data exempt from ICDPA?

ICDPA exempts from its scope the same types of organizations and data that you’ll find in other privacy laws around the US, which include:

  • Government entities
  • Non-profits
  • HIPAA and HITECH-covered entities
  • Higher education entities
  • Utility companies
  • Financial institutions subject to the GLBA

The list of exempted data is long and includes, but is not limited to:

  • Data protected by industry-specific laws such as HIPAA, GLBA, FCRA, and others
  • Employment information
  • Research data for the public interest

What is ICDPA personal data?

ICDPA defines personal data as any information that identifies a person.

That includes a wide variety of data. Aside from obvious categories, such as personal names, email addresses, and government-issued numbers, personal data also covers health history, fitness app data, purchase behavior, and any other data that could identify an individual.

What is ICDPA sensitive data?

ICDPA explicitly lists the categories of personal information considered sensitive. They include:

  • Data revealing an individual’s racial origin, ethnic origin, sexual orientation, citizenship or immigration status, or health diagnosis
  • Precise geolocation data
  • A child’s data
  • Biometric data processed for the purpose of identifying a person

Sensitive data must not be processed without obtaining explicit consent from the user.

What are the general duties of controllers and processors under the ICDPA?

Every controller that needs to comply with this law must:

  • Ensure data security by implementing adequate technical and organizational measures
  • Process the data only for the purposes for which it was collected
  • Ensure that the categories of data collected are adequate for the purposes of processing
  • Obtain consent for the processing of sensitive data
  • Conduct data protection assessments if required
  • Provide consumers with a privacy notice
  • Honor consumer requests
  • Enter into data processing contracts with processors

Processors, on the other hand, are obliged to protect the data in their own work and to help the controller do the same. In particular, this means they must:

  • Implement adequate data security measures
  • Process data only based on the contract with the controller
  • Assist the controller in compliance with the law

What is a data processing contract?

The data processing contract regulates the relationship between the controller and the processor. You need to have one to make your processing legal. Without such a contract, you violate the ICDPA.

Your contract must include provisions on:

  • The identity of both parties
  • Categories of personal data to be processed
  • The nature and purposes of processing
  • The duration of processing
  • Rights and duties of both parties
  • Requirement for the processor to demonstrate compliance to the controller upon request
  • Requirement for deletion of data upon the controller’s request
  • Confidentiality
  • Hiring subcontractors

What is a privacy notice according to the ICDPA?

Your ICDPA privacy notice is actually your privacy policy. It is the document where you provide transparency about your privacy practices to consumers.

Your notice must contain at least:

  • Processing purposes
  • Categories of processed data
  • The categories of data you sell, if applicable
  • The categories of third parties to whom you sell data, if applicable
  • Consumer rights and how to exercise them

Although not required by the law, you can always add more information to increase transparency.

Is it necessary to obtain consumer consent for data processing?

Yes, explicit consumer consent is required for processing sensitive personal data. The consent should be freely given, specific, informed, and unambiguous.

In cases where you collect information from a known child for processing, you can follow the parental consent standards outlined in COPPA (Children's Online Privacy Protection Act).

Are we required to honor universal opt-out mechanisms?

The ICDPA does not explicitly address universal opt-out mechanisms, so there is no obligation to honor them. However, you must still give consumers the ability to opt out using the methods designated in your privacy policy.

What is a Data Protection Assessment?

A Data Protection Assessment is a procedure in which the controller evaluates the potential risks associated with processing the personal data of consumers. This assessment helps identify the risks involved in your processing activities and determines the necessary measures to mitigate those risks.

It is not required of all businesses, but it is good practice. If you are not sure whether you need to conduct one, it is better to do so.

The law explicitly states that businesses must conduct and document a Data Protection Assessment in the following scenarios:

  • Sale of personal data
  • Processing of sensitive data
  • Processing data for targeted advertising
  • Processing of data for profiling
  • Any other processing that presents an elevated risk to consumers

What are the ICDPA consumer rights and requests?

Consumers have the ability to exercise these rights by submitting requests to your organization, and it is essential for you to comply with these requests to avoid potential penalties.

Consumers have the right to:

  • Know whether their personal data is being processed
  • Access their data
  • Have their data deleted
  • Obtain a portable copy of their data
  • Have their data corrected
  • Opt out of the sale of data, targeted advertising, or profiling
  • Opt in to the processing of sensitive data

You must respond to the request within 45 days. You can take an additional 45 days for complex requests, but keep in mind that it will rarely be justified.

How is ICDPA enforced, and what are the penalties?

Indiana has not established a dedicated data protection agency, as California has. It follows the trend of the other US states, which have given the Attorney General the power to enforce the law.

The Attorney General has the power to investigate violations and issue businesses a notice with a 30-day cure period.

If you don't remedy the violation within 30 days, you may be fined up to $7,500 per violation.
