The Indy 358: Complying with Indiana's Privacy Bill

Indiana Senate Bill 358 unanimously passed through the Indiana Senate and is expected to be become the fourth U.S. state privacy law later this year. The Bill models itself after Virginia’s Consumer Data Protection Act (CDPA) and has an effective date of January 1, 2025. Indiana legislators recognized that many U.S. businesses are on the verge of compliance with California, Virginia, and Colorado state laws. Replicating Indiana’s privacy legislation to current state laws makes the Bill consumer and business friendly.

A list of identical provisions is provided below. Any additions or changes of Senate Bill 358 from the CDPA will be underlined. The italicized text represents paraphrased portions of Indiana’s Bill.

Identical Provisions

These provisions are exactly the same in Indiana’s Bill and the CDPA:

· Applicability and Scope

· Data Exemptions

· Data Controller Responsibilities

· Data Protection Assessments

· Processing De-identified Data

· Limitations

· Investigative Authority

· Enforcement

Exemptions

Indiana borrows exemptions from the CDPA for its Bill, but adds one exemption for public utilities.

Entity Exemptions:

(1) State government;

(2) Companies regulated under federal laws like the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPPA);

(3) Non-profit organizations;

(4) Institutions of higher education; and

(5) Public utilities and affiliated service companies.

Consumer Rights

The Indiana Bill states what the controller should do when it receives a data request from a consumer. Additionally, a provision was added in right (4) to allow a representative summary of the personal data, instead of a copy of the personal data, at the controller’s discretion. The controller’s burden is also lightened by ensuring it does not need to provide a copy or representative summary to a consumer more than once per year.

A consumer has the following rights:

(1) To confirm whether or not a controller is processing the consumer's personal data

(2) Correct inaccuracies in the consumer's personal data previously provided to a controller. Upon receiving a request from a consumer under this subdivision, a controller shall correct inaccurate information as requested by the consumer, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data.

(3) Delete the consumer's personal data held by a controller.

(4) Obtain a copy or representative summary of the consumer's personal data previously provided to the controller. The controller has the discretion to send either a copy or a representative summary of the consumer's personal data under this subdivision, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data. A controller is not required to provide a copy or a representative summary of a consumer's personal data to the same consumer under this subdivision more than one(1) time in a twelve (12) month period.

(5) Opt out of processing the consumer's personal data for purposes of targeted advertising, the sale of personal data, or profiling that produces significant effects concerning the consumer.

If your company is compliant with the CDPA, complying with Indiana’s new legislation should be a breeze. All entities must be compliant by January 1, 2025. A helpful guide on current U.S. privacy laws can be found here.

About Ardent Privacy

Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with DPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.

For more information visit https://ardentprivacy.ai/and for more resources here.

Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.