On May 1, 2023, Indiana became the seventh U.S. state to enact a consumer privacy law with the governor’s signing of Senate Bill 5. Effective January 1, 2026, the law mirrors other state privacy laws, including with regard to privacy policies, responding to consumer rights requests, opt-out mechanisms, data protection impact assessments (“DPIAs”), security measures, and contracts with processors. Thus, while businesses should review their obligations under the law, businesses that comply with other state privacy laws have likely taken most of the steps required to comply with Indiana’s law.
Indiana’s law applies to a person that conducts business in Indiana or produces products or services targeted at Indiana residents (“consumers”) and that, during a calendar year, either:
- Controls or processes personal data of at least 100,000 consumers; or
- Controls or processes personal data of at least 25,000 consumers and derives 50% or more of its gross revenue from the sale of personal data.
The law exempts employee and B2B data, nonprofits, and data and entities covered by various federal privacy laws such as HIPAA and GLBA.
Controller and Processor Obligations
As in other states, processors must adhere to the controller’s instructions and assist the controller in meeting its obligations under Indiana’s law. Contracts between controllers and processors must contain the provisions required by most other state privacy laws, so contracts prepared to comply with other laws will likely satisfy Indiana’s requirements.
Consumer Rights and Consent Requirements
Indiana’s law provides consumers with the rights to access, correct, delete, and obtain a copy or summary (in the controller’s discretion) of personal data processed by a controller. Controllers must respond to requests within 45 days (with a possible 45-day extension), and consumers have the right to appeal denials of their requests.
As with most other state privacy laws, consumers have the right to opt out of the sale of personal data and the use of personal data for targeted advertising or profiling that produces legal or similarly significant effects. (“Sale” means the exchange of personal data with a third party for monetary consideration, the narrower of the two definitions adopted in other states.) Indiana’s law does not prescribe a specific opt-out method; it requires only that the method be clear, conspicuous, and similar to the method for submitting requests to exercise other rights.
No private right of action exists under Indiana’s privacy law – the state Attorney General (“AG”) has sole enforcement authority. Before bringing an enforcement action, the AG must notify controllers or processors of alleged violations and allow them a 30-day cure period. If violations persist, the AG can seek injunctive relief and penalties of up to $7,500 per violation.