Indiana just became the seventh state in the United States of America to have its own data protection regulation. Modeled closely on the Virginia Consumer Data Protection Act (VCDPA), Indiana's Senate Bill 5 (SB 5), better known as the Indiana Consumer Data Protection Act (ICDPA), is sponsored by Senator Liz Brown.
It originally passed the Senate vote 49-0 back in February 2023. Then on April 11, 2023, the House passed an amended version of the regulation, with the Senate concurring with the amendments. Finally, Governor Eric Holcomb signed the bill into law on May 01, 2023. The ICDPA contains all the necessary provisions to ensure consumers' data privacy rights are appropriately protected while laying down strict obligations for all subject organizations.
The law will come into effect from January 1, 2026.
The ICDPA applies to persons conducting business in Indiana or producing products and services targeted to Indiana residents who meet the following conditions in a calendar year:
The ICDPA exempts certain types of entities and data from its application. The following entities do not fall under the scope of the law:
The law also does not have any application to the following types of data:
Under the ICDPA, a controller must limit the collection of all personal data to what is adequate, relevant, and reasonably necessary for the purposes for which the data is being collected.
The controller must seek the consumer’s express consent for processing the personal data for a purpose that is not reasonably necessary or compatible with the purposes for which the data was originally collected.
The controllers are barred from discriminating against the consumers for exercising their rights under the provisions of the ICDPA or processing their personal data in violation of state and federal laws prohibiting unlawful discrimination.
However, the law allows the controllers to offer different prices, rates, levels, quality, or selection of goods or services to a consumer if the consumer has exercised his/her right to opt-out of the sale of personal data or the offer is based on the consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.
A data controller may only proceed with processing a consumer's sensitive personal data after acquiring that consumer's express consent. If the consumer is a known minor, any data processing must align with the relevant consent requirements in the federal Children's Online Privacy Protection Act (COPPA).
A controller must undertake all necessary and reasonable measures to provide consumers with an easily accessible, clear, and meaningful privacy notice that includes:
In case a controller sells consumers' personal data to third parties for targeted advertising purposes, the controller must disclose such arrangements clearly and conspicuously within the privacy notice as well as instructions on how consumers may exercise their right to opt-out of such sales or use.
Additionally, the controller must establish and describe in the privacy notice at least one (1) or more safe and reliable means for consumers to exercise their data subject rights while taking into account the following:
Appropriate to the volume and nature of the personal data, a controller must establish, implement, and maintain reasonable administrative, technical, and physical data security practices and measures that ensure the appropriate degree of protection for the confidentiality, integrity, and accessibility of all collected personal data.
A controller is required to conduct and document a thorough data protection impact assessment (DPIA) for each of the following activities:
A single DPIA may be conducted to address a comparable set of processing operations that include similar activities. Moreover, an assessment carried out by the controller in pursuit of compliance with other regulations may also be used if the assessment has a reasonably comparable scope and effect to an assessment conducted under the ICDPA.
With respect to the disclosure of de-identified or pseudonymous data, the controllers must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous or de-identified data is subject and to take appropriate steps to address any breaches of those contractual commitments.
The ICDPA requires the processors to assist the controllers by adopting appropriate technical and organizational measures to fulfill the controllers’ obligations to respond to DSR requests and to meet security and breach notification obligations with respect to the personal data processed.
The processors must also assist the controllers by providing the necessary information to conduct DPIAs.
The processor shall be required to process the personal data on behalf of the controller in accordance with the terms of the contract between the controller and the processor, which must set forth the instructions for processing, the nature and purposes of the processing, the type of data processed, the duration of the processing, and the rights and duties of both parties. The contract shall also require the processor to:
The ICDPA empowers consumers to have greater control over their personal data via DSRs. A consumer may invoke one or more data rights by submitting a request to a controller specifying which right they wish to invoke.
In case of a child, their parent or legal guardian may invoke the right(s) on their behalf.
The data subject rights guaranteed by the ICDPA include the following:
All consumers have the right to confirm whether or not a data controller is processing their personal data and to access that data.
All consumers have the right to correct any information that may have become inaccurate/obsolete/misleading since it was collected.
All consumers have the right to request the deletion of any personal data collected by or provided to a controller.
All consumers have the right to obtain either a copy of or a representative summary of their personal data previously provided to the controller in a portable and readily usable format that allows the consumer to transmit the data or summary to any controller without any hindrance. The controller is under no obligation to fulfill a data portability request from the same consumer more than once in a twelve (12) month period. Further, the controller has the discretion to provide a copy of the data or a representative summary of the data depending upon the nature of the personal data.
All consumers have the right to opt out of the processing of their personal data for purposes of:
A controller is required to respond to any DSR request without undue delay but not later than forty-five (45) days after receiving the DSR request. This prescribed period may be extended by another forty-five (45) days when reasonably necessary, owing to the number of requests or the complexity of a particular request. However, the consumer must be informed of the delay as well as the reasons behind the delay.
If a controller declines to take any action related to the consumer's request, it must inform the consumer of such denial within the forty-five (45) day period, along with a justification for declining to take action and appropriate instructions on how to appeal the decision.
A controller must establish an appropriate process for a consumer to appeal any decision made by the controller in relation to their DSR requests within a reasonable period. The process to launch appeals must be just as easily available as the process to submit a DSR request.
A controller must inform the consumer of any action taken or not taken as a result of their appeal within sixty (60) days of receiving their appeal. If the appeal is rejected, the controller is required to provide the consumer with information on how they may contact the Attorney General to launch a complaint.
Any information provided to the consumers due to a DSR request must be provided free of charge once annually. A controller may charge a reasonable fee covering administrative costs if the requests are manifestly unfounded, excessive, or repetitive. However, the controller bears the burden of demonstrating that a particular request is manifestly unfounded, excessive, or repetitive.
If a controller cannot authenticate a DSR request via commercially reasonable efforts, they may decline to take action and may request additional information from the consumer to authenticate the request.
Limiting its scope of application, the ICDPA provides that it cannot restrict the ability of the controllers and the processors to do the following:
Further, the ICDPA provides that any obligations placed on a controller or processor under its provisions do not prohibit or restrict a controller or a processor from collecting, maintaining, using, or storing data to:
Similarly, any obligations placed on a controller or a processor under ICDPA do not apply if compliance with such a requirement would violate an evidentiary privilege under Indiana law.
The Office of the Attorney General of Indiana has the exclusive regulatory authority to enforce the provisions of the ICDPA.
The Attorney General's powers and responsibilities include:
Within the thirty (30) day period, the Attorney General will not initiate any action against the controller or processor if the controller:
However, the Attorney General may initiate any legal action necessary if the controller or processor:
The ICDPA stipulates a civil penalty not exceeding seven thousand five hundred dollars ($7,500) for every single violation of its provisions.
Here are some effective steps organizations can take to ensure their practices and daily operations are compliant with the law when it comes into effect:
While there have been legislative attempts to bring a federal data privacy regulation on par with the GDPR within the United States, it's still a long way off from becoming anything concrete. Hence, regulations at the state level will continue to provide Americans with the appropriate degree of data privacy rights.
Indiana is just one of the latest states to follow suit, with several other states either already having similar regulations in effect or currently drafting them. This will directly affect organizations operating within the United States, as different regulations often have different regulatory requirements.
Additionally, owing to the sheer amount of data involved, most organizations may find this unenviable task reasonably intimidating. The margin for error is extremely low, and violations of any kind are punished heavily under every such regulation.
This is where Securiti can help.
Securiti is a world-renowned leader in providing enterprise data privacy, security, governance, and compliance solutions.
The PrivacyCenter.cloud allows organizations to address their data compliance obligations via a single centralized platform. Other modules include vendor risk assessment, universal consent, breach management, as well as Sensitive Data Intelligence (SDI), to name a few. Request a demo today to see what else Securiti has to offer and how it can help your organization comply with its obligations under Indiana's Consumer Data Protection Act.
Copyright © 2023 Securiti