Whither Indiana? Somewhere in the Middle for Consumer Privacy Protection 

On April 13, 2023, Indiana Senate Bill 5 unanimously cleared the state legislature. If enacted by Governor Holcomb, Indiana will become the seventh state to enact a baseline consumer privacy law.

To help stakeholders assess where Indiana fits into the expanding U.S. state privacy landscape, the Future of Privacy Forum has released a chart comparing SB 5 to the Connecticut Data Privacy Act (“CTDPA”), which currently stands as one of the most protective baseline state privacy laws, and the recently-enacted Iowa SF 262 (“IPA”), which stands as one of the narrowest. 

Indiana SB 5 adopts a similar framework for protecting consumer privacy as both the Iowa and Connecticut privacy laws. However, in the scope of its consumer rights, business obligations, and enforcement mechanisms, Indiana lies somewhere between these two existing regimes. In particular, our chart shows that: 

1. Indiana SB 5 applies to a roughly equivalent range of covered entities as both the CTDPA and IPA.
2. Indiana SB 5 covers much of the same data as the CTDPA and IPA, though aligning more closely with the IPA by: (a) not recognizing data that reveals mental or physical health “condition” absent a diagnosis as sensitive information; (2) defining “biometric data” with a broad exclusion for data generated from photographs, video, or audio; and (3) explicitly excluding aggregate data from its scope. 
3. Indiana SB 5 establishes similar consumer rights as the CTDPA, including the rights to access, correct, and delete personal data and to consent to the processing of sensitive personal information. However, SB 5 provides slightly narrower rights of both access and correction and does not provide heightened protections for adolescents’ data.
4. Indiana SB 5 creates opt-out rights for targeted advertising, profiling, and the sale of personal data, consistent with the CTDPA. However, like the IPA, “sale” is narrowly defined to only include exchanges for “monetary consideration.” 
5. Like most comprehensive U.S. state privacy laws, Indiana SB 5 would require businesses to limit the amount of personal data they collect, to disclose their data processing practices, and to conduct data protection impact assessments for certain processing activities. 
6. Indiana SB 5 would be exclusively enforced by the State Attorney General. Like the IPA, businesses would have a non-sunsetting right to “cure” any alleged violations of the Act, though SB 5’s timeframe to cure is much shorter than both the CTDPA and the IPA.

Indiana’s SB 5 has a substantial compliance on-ramp and will not take effect until January 1, 2026.