An Overview of Indiana’s Consumer Data Protection Act (ICDPA)

I. Introduction

Indiana just became the seventh state in the United States of America to have its own data protection regulation. Modeled closely on the Virginia Consumer Data Protection Act (VCDPA), Indiana's Senate Bill 5 (SB 5), better known as the Indiana Consumer Data Protection Act (ICDPA), is sponsored by Senator Liz Brown.

It originally passed the Senate vote 49-0 back in February 2023. Then on April 11, 2023, the House passed an amended version of the regulation, with the Senate concurring with the amendments. Finally, Governor Eric Holcomb signed the bill into law on May 01, 2023.The ICDPA contains all the necessary provisions to ensure consumers' data privacy rights are appropriately protected while laying down strict obligations for all subject organizations.

The law will come into effect from January 1, 2026.

II. Who Needs to Comply with the Law

Material Scope

The ICDPA  applies to persons conducting business in Indiana or producing products and services targeted to Indiana residents who meet the following conditions in a calendar year:

• Control or process the personal data of at least one hundred thousand (100,000) consumers that are Indiana residents; or;
• Control or process the personal data of at least twenty-five thousand (25,000) consumers who are Indiana residents and derive more than fifty percent (50%) of their gross revenue from the sale of personal data.

Exemptions

The ICDPA exempts certain types of entities and data from its application. The following entities do not fall under the scope of the law:

• The state, a state agency, or a body, authority, board, bureau, commission, district, or agency of any political subdivision of the state;
• A third party under contract with an entity as described above;
• Financial institutions or affiliates subject to Gramm-Leach-Bliley Act Act;
• An entity subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA);
• A non-profit organization;
• Higher education institutions;
• Any public utility entity.

The law also does not have any application to the following types of data:

• Medical data covered under any medical laws: Many forms of health information, records, data and documents protected and covered under HIPAA, or other federal or state medical laws;
• Personal data used for research: Identifiable private information collected, used or shared in research conducted in accordance with applicable laws;
• FCRA-covered data: Any personal information of consumers collected or used for consumer credit scoring and reporting protected under the federal Fair Credit Report Act (FCRA);
• Driver data: Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994;
• FERPA data: Personal data regulated by the federal Family Educational Rights and Privacy Act (FERPA);
• FCA data: Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act (FCA);
• Exempt under ICDPA: Information originating from, indistinguishable from, or treated in the same manner as information that is exempt as per ICDPA;
• Data used to protect human subjects: Identifiable private information used to protect human subjects under applicable laws or for formulating the related federal policy;
• Emergency contact: Information used to contact an individual in an emergency; and
• Employment-related data: Data processed or maintained:
  • in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party;
  • that is necessary to retain to administer benefits for another individual relating to the individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party.

III. Obligations of Controllers

Purpose Limitation

Under the ICDPA, a controller must limit the collection of all personal data to what is adequate, relevant, and reasonably necessary for the purposes for which the data is being collected.

The controller must seek the consumer’s express consent for processing the personal data for a purpose that is not reasonably necessary or compatible with the purposes for which the data was originally collected.

Non-discrimination

The controllers are barred from discriminating against the consumers for exercising their rights under the provisions of the ICDPA or processing their personal data in violation of state and federal laws prohibiting unlawful discrimination.

However, the law allows the controllers to offer different prices, rates, levels, quality, or selection of goods or services to a consumer if the consumer has exercised his/her right to opt-out of the sale of personal data or the offer is based on the consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

Processing of Sensitive Personal Data

A data controller may only proceed with processing a consumer's sensitive personal data after acquiring that consumer's express consent. If the consumer is a known minor, any data processing must align with the relevant consent requirements in the federal Children's Online Privacy Protection Act (COPPA).

Privacy Notice

A controller must undertake all necessary and reasonable measures to provide consumers with an easily accessible, clear, and meaningful privacy notice that includes:

• Categories of personal data processed by the controller;
• Purposes of a controller's data processing activities;
• How consumers may exercise their data subject rights (DSRs);
• How consumers may appeal a controller's decision related to a consumer's request;
• Categories of third parties with whom the controller shares the personal data.

In case a controller sells consumers' personal data to third parties for targeted advertising purposes, the controller must disclose such arrangements clearly and conspicuously within the privacy notice as well as instructions on how consumers may exercise their right to opt-out of such sales or use.

Additionally, the controller must establish and describe in the privacy notice at least one (1) or more safe and reliable means for consumers to exercise their data subject rights while taking into account the following:

• How consumers usually interact with the controller;
• The need for secure and reliable communication when dealing with such requests;
• The controller's ability to authenticate the identity of the individual exercising DSRs on their own or someone else's behalf.

Data Security Requirements

Appropriate to the volume and nature of the personal data, a controller must establish, implement, and maintain reasonable administrative, technical, and physical data security practices and measures that ensure the appropriate degree of protection for the confidentiality, integrity, and accessibility of all collected personal data.

Data Protection Impact Assessment

A controller is required to conduct and document a thorough data protection impact assessment (DPIA) for each of the following activities:

• Processing of personal data for purposes of targeted advertising;
• The sale of personal data;
• Personal data processing activities carried out for profiling purposes, if such profiling presents a reasonably foreseeable risk of:
  • unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  • financial, physical, or reputational injury to consumers;
  • a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, if such intrusion would be offensive to a reasonable person; or
  • other substantial injury to consumers;
• Processing of sensitive personal data;
• Any personal data processing activity that poses a heightened risk of harm to consumers.

A single DPIA may be conducted to address a comparable set of processing operations that include similar activities. Moreover, an assessment carried out by the controller in pursuit of compliance with other regulations may also be used if the assessment has a reasonably comparable scope and effect to an assessment conducted under the ICDPA.

Disclosure of Pseudonymous Data or De-identified Data

With respect to the disclosure of de-identified or pseudonymous data, the controllers must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous or de-identified data is subject and to take appropriate steps to address any breaches of those contractual commitments.

IV. Obligations of Processors

Assistance to Controller

The ICDPA requires the processors to assist the controllers by adopting appropriate technical and organizational measures to fulfill the controllers’ obligations to respond to DSR requests and to meet security and breach notification obligations with respect to the personal data processed.

The processors must also assist the controllers by providing the necessary information to conduct DPIAs.

Processing under Contract

The processor shall be required to process the personal data on behalf of the controller in accordance with the terms of the contract between the controller and the processor (contract), setting forth the instruction for processing, nature, and purposes of the processing, the type of data processed, the duration of the processing and the rights and duties of both the parties. The contract shall also require the processor to:

• Ensure the confidentiality of the personal data;
• Delete or return the personal data to the collector on the direction of the controller, unless the law requires the retention of personal data;
• Upon reasonable request from the controller, make available all the information in possession necessary to demonstrate compliance with its obligations;
• Allow the controller to conduct an assessment, or arrange for a qualified and independent assessor to conduct an assessment, of the processor's policies and technical and organizational measures in support of the processor's obligations; and
• Engage any subcontractor or agent through a written instrument requiring them to fulfill obligations towards the personal data.

V. Data Subject Rights

The ICDPA empowers consumers to have greater control over their personal data via DSRs. A consumer may invoke one or more data rights by submitting a request to a controller specifying which right they wish to invoke.

In case of a child, their parent or legal guardian may invoke the right(s) on their behalf.

The data subject rights guaranteed by the ICDPA include the following:

Right to Access

All consumers have the right to confirm whether or not a data controller is processing their personal data and to access that data.

Right to Correction

All consumers have the right to correct any information that may have become inaccurate/obsolete/misleading since it was collected.

Right to Deletion

All consumers have the right to request the deletion of any personal data collected by or provided to a controller.

Right to Data Portability

All consumers have the right to obtain either a copy of or a representative summary of their personal data previously provided to the controller in a portable and readily usable format that allows the consumer to transmit the data or summary to any controller without any hindrance. The controller is under no obligation to fulfill request to portable data by the same consumer for more than once in a twelve (12) month period. Further, the controller has the discretion to provide a copy of the data or a representative summary of the data depending upon the nature of the personal data.

Right to Opt-Out

All consumers have the right to opt out of the processing of their personal data for purposes of:

• Targeted advertising;
• Sale of personal data;
• Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Response Period for DSR Requests

A controller is required to respond to any DSR request without undue delay but not later than forty-five (45) days after receiving the DSR request. This prescribed period may be extended by another forty-five (45) days when reasonably necessary, owing to the number of requests or the complexity of a particular request. However, the consumer must be informed of the delay as well as the reasons behind the delay.

Denial of a DSR Request

If a controller declines to take any action related to the consumer's request, it must inform the consumer of such denial within the forty-five (45) day period, along with a justification for declining to take action and appropriate instructions on how to appeal the decision.

A controller must establish an appropriate process for a consumer to appeal any decision made by the controller in relation to their DSR requests within a reasonable period. The process to launch appeals must be just as easily available as the process to submit a DSR request.

A controller must inform the consumer of any action taken or not taken as a result of their appeal within sixty (60) days of receiving their appeal. If the appeal is rejected, the controller is required to provide the consumer with information on how they may contact the Attorney General to launch a complaint.

Charges for DSR Requests

Any information provided to the consumers due to a DSR request must be provided free of charge once annually. A controller may charge a reasonable fee covering administrative costs if the requests are manifestly unfounded, excessive, or repetitive. However, the controller bears the burden of demonstrating that a particular request is manifestly unfounded, excessive, or repetitive.

If a controller cannot authenticate a DSR request via commercially reasonable efforts, they may decline to take action and may request additional information from the consumer to authenticate the request.

Limitations

Limiting its scope of application, the ICDPA provides that it cannot restrict the ability of the controllers and the processors to do the following:

• Comply with federal, state, or local laws, rules, or regulations or implement and operate a facial recognition program approved by the Indiana gaming commission;
• Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, state, local, or other governmental authority;
• Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;
• Investigate, establish, exercise, prepare for, or defend legal claims;
• Provide a product or service specifically requested by a consumer, perform a contract to which the consumer, or a parent of a child, is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer or parent before entering into a contract;
• Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual, if the processing cannot be manifestly based on another legal basis;
• Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, investigate, report, or prosecute those responsible for any such action, and preserve the integrity or security of systems;
• Assist another controller, processor, or third party with any of their obligations per this regulation;
• Partake in scientific or statistical research in the public interest that follows all ethical guidelines and privacy regulations, duly governed by an institutional review board that determines:
  • The information is likely to provide substantial benefits that do not exclusively accrue to the controller;
  • The expected benefits of the research outweigh the privacy risks;
  • The controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification.

Further, ICDPA provides that any obligations placed on a controller or processor under its provisions do not prohibit or restrict a controller or a processor from collecting, maintaining, using, or storing data to:

• Conduct internal research to develop, improve, or repair products, services, or technology;
• Initiate a product recall;
• Identify and repair technical errors that impair existing or future functionalities;
• Perform internal operations that are:
  • Reasonably compatible with the expectations of the consumer;
  • Reasonably anticipated based on the consumer's existing relationship with the controller;
  • Reasonably compatible with the product or service specifically requested by a consumer, or parent of a child;
  • Reasonably compatible with the performances of a contract to which the consumer is a part.

Similarly, any obligations placed on a controller or a processor under ICDPA do not apply if compliance with such a requirement would violate an evidentiary privilege under Indiana law.

VI. Regulatory Authority

The Office of the Attorney General of Indiana has the exclusive regulatory authority to enforce the provisions of the ICDPA.

The Attorney General's powers and responsibilities include:

• Initiating an action in the name of the state and seeking an injunction to restrain any violations of ICDPA as well as levying a civil penalty for each violation as prescribed by the law;
• Recover reasonable expenses incurred in investigating and preparing the case, including attorney's fees;
• Provide a controller or processor thirty (30) days' written notice identifying the specific provisions of ICDPA that the Attorney General alleges have been or are being violated.

Within the third (30) days’ period, the Attorney General will not initiate any action against the controller or processor if the controller:

• Cures the alleged violation; or;
• Provides the Attorney General with an express written statement stating that the violation has been corrected and appropriate actions and measures have been taken to ensure no such violations occur in the future.

However, the Attorney General may initiate any legal action necessary if the controller or processor:

• Continue the alleged violation; or;
• Commit breach of the express written statement provided to the attorney General.

VII. Penalties for Non-compliance

The ICDPA stipulates a civil penalty not exceeding seven thousand five hundred dollars ($7,500) for every single violation of its provisions.

VIII. How an Organization Can Operationalize ICDPA

Here are some effective steps organizations can take to ensure their practices and daily operations are compliant with the law when it comes into effect:

• Develop formal policies and procedures for data collection (consent framework etc.) and processing, and update privacy policies as needed;
• Catalog their data inventories and classify sensitive personal data and personal data;
• Have a comprehensive data subject requests framework in place;
• Have technical and organizational security measures in place to protect personal data; and
• Conduct DPIAs, vendor assessments, and other risk assessments at regular intervals; and
• Ensure all the company's employees and staff are aware of their responsibilities under the law.

IX. How Can Securiti Help

While there have been legislative attempts to bring a federal data privacy regulation on par with the GDPR within the United States, it's still a long way off from becoming anything concrete. Hence, regulations at the state level will continue to provide Americans with the appropriate degree of data privacy rights.

Indiana is just one of the latest states that have decided to follow suit, with several other states expected to either have similar regulations in effect or are drafting them. This will directly affect organizations operating within the United States, as different regulations often have different regulatory requirements.

Additionally, owing to the sheer amount of data involved, most organizations may find this unenviable task reasonably intimidating. The margin for error is extremely low, and violations of any kind are punished heavily under every such regulation.

This is where Securiti can help.

Securiti is a world-renowned leader in providing enterprise data privacy, security, governance, and compliance solutions.

The PrivacyCenter.cloud allows organizations to address their data compliance obligations via a single centralized platform. Other modules include vendor risk assessment, universal consent, breach management, as well as Sensitive Data Intelligence (SDI), to name a few. Request a demo today to see what else Securiti has to offer and how it can help your organization comply with its obligations under Indiana's Consumer Data Protection Act.