Subscriber Benefit
As a subscriber you can listen to articles at work, in the car, or while you work out. Subscribe NowMost people would like to know how companies are handling their personal data.
A new state law passed earlier this year, Senate Enrolled Act 5, has set up a framework for Hoosier consumers to find what personal information of theirs is being collected and what companies are doing with that data.
The new law doesn’t go into effect until Jan. 1, 2026, giving companies more than two years to come into compliance.
Indiana’s passage of the new consumer data protection law puts it on the list with a growing number of states looking to respond to citizens’ privacy concerns.
Sen. Liz Brown, R-Fort Wayne, was one of the new law’s co-authors in the Indiana Senate.
Brown said work began on the legislation in 2022 and was influenced by passage of the European Union General Data Protection Regulation in 2018 and data protection laws passed in the U.S. in California and Virginia. She said legislators tried to find something that was relatively uniform and gave protections for Indiana consumers, but was also crafted to not be overly burdensome to businesses.
Brown mentioned thresholds within the new law, which applies to for-profit businesses that control or process personal data on at least 100,000 consumers, or derive 50% of their revenue from selling the data of 25,000 or more consumers. Those thresholds were implemented so as to not impact smaller and startup businesses, Brown said.
“We didn’t want to make it burdensome for mom-and-pop businesses,” she said.
Data privacy rights under the new law
SEA 5 gives Indiana consumers several new data protection rights, including the right to know how a business is using their data, the right to access their personal data upon request, the ability to correct inaccuracies in their data or delete information, and an opt-out option where companies would have to stop processing data upon request.
According to Brian McGinnis, a partner with Barnes & Thornburg LLP and a founding member and co-chair of the firm’s Data Security and Privacy Law practice group, California’s passage of a data protection law in 2018 marked the first time that U.S. companies really began adapting to new legal standards for data collection and use.
“If you’re a company of any size and you have customers outside the state, you likely have been dealing with these new laws,” McGinnis said.
McGinnis said businesses have become increasingly concerned with data breaches and cybersecurity issues. Indiana’s new law not going into effect until 2026 provides enough preparation time for companies, he added.
Businesses and most states have been waiting for a comprehensive federal law that deals with consumer data protection, but it’s never happened, McGinnis said.
“So the states have kind of taken matters into their own hands,” he said.
Any company, whatever their size, can improve from where they’re at now, as far as protecting data and data collection, McGinnis continued. For example, he said companies can ask themselves questions like whether they need to collect Social Security numbers or other sensitive information that could be leaked in a data breach.
Nationwide trend
When Gov. Eric Holcomb signed SEA 5 into law earlier this year, Indiana became the seventh state to pass a comprehensive data privacy law.
Sid Bose, a partner in Ice Miller LLP’s Data Security and Privacy practice, said SEA 5 follows a trend he’s seeing across the United States.
As of Aug. 4, there were 11 states where data privacy laws had been signed, according to the International Association of Privacy Professionals.
Businesses that are based in or operate in Indiana need to start thinking about data privacy and building out a privacy program, Bose said.
“Better to start earlier than later,” he said, in terms of his recommendations to clients regarding their preparations for the new law.
Bose has been talking to clients about the importance of having appropriate notices for consumers about their company and its privacy practices when collecting consumer data. He said a lot of the firm’s clients are looking for ways to get a better handle on personal information collected by their companies, including identifying who has access to the information and what they’re using it for.
Further, Bose said companies need to make sure they have strong information protection programs that include a timely response to security incidents and breaches.
Some concerns
Sen. Brown acknowledged there are some consumer groups that don’t think Indiana’s new consumer data protection law goes far enough. Looking ahead, she said there could be additional legislative discussions about threshold levels and other aspects of the law.
The American Civil Liberties Union of Indiana is one of the groups with concerns about SEA 5.
Katie Blair, the ACLU of Indiana’s director of advocacy and public policy, said the new law needs to better regulate the amount of personal information that can be collected and how it’s used.
According to Blair, the ACLU feels consumers need to be able to “opt in” when it comes to use of their personal data, rather than opting out, to give them more control over how their information is used. The group would also like to see stronger civil rights protections.
Additionally, the ACLU would like for there to be a private right of action for Indiana consumers.
“We want people to be able to sue private companies to obtain meaningful relief,” Blair said.
Striking a balance
John McCauley, a partner in Dentons Bingham Greenebaum’s Indianapolis office and chair of the firm’s Privacy and Security Team, called SEA 5 an “excellent” piece of legislation, describing it as comprehensive and striking the right balance between protecting the rights of consumers and businesses.
McCauley said a lot of his firm’s clients do business in other states with consumer data protection laws, like California and Virginia.
“So people have been working toward the goals of the Indiana statute for quite a while,” he said.
Additionally, many of the firm’s clients also operate in Europe and are familiar with the EU’s data privacy law, McCauley added.
He said that if a company has been paying attention over the last few years to the trend for new data protection laws, it shouldn’t be a big compliance lift for them to comply with Indiana’s SEA 5.
Under the new law, Indiana businesses will soon be required to conduct annual data protection impact assessments. McCauley said those assessments will be used to review a company’s data policies and look at risks to the privacy of personal data.
Bose, of Ice Miller, said his sense of privacy is that it means different things to different people. If someone were to take 10 people off the street and ask them what privacy means to them, he said, they would probably get 10 different answers.
Bose also said he expects there will be more statewide discussions about data privacy in the years ahead.
“Our privacy law is a good start,” Bose said. “From there, we really have to see what Indiana consumers really want in terms of privacy.”•
Please enable JavaScript to view this content.