On May 1, 2023, Indiana became the seventh U.S. state to enact comprehensive data privacy legislation with the signing of the Indiana Consumer Data Protection Act (INCDPA) by Governor Eric Holcomb. Set to take effect on January 1, 2026, this law aims to protect the personal information of Indiana residents.
In this article, we provide a brief overview of what businesses need to know about the INCDPA, its background, key provisions, insights, and how to ensure compliance.
What Is the INCDPA?
The Indiana Consumer Data Protection Act (INCDPA) is designed to safeguard the privacy of Indiana residents. It establishes the rights of consumers concerning the collection, processing, and use of their personal data by businesses. Additionally, it details the obligations businesses must fulfill and the penalties for non-compliance. By aligning with similar laws in other states, the INCDPA aims to create a cohesive framework for data privacy across the United States.
For more detailed information, you can view and/or download the full-text provision PDF here.
Key Definitions
Understanding the INCDPA starts with familiarizing oneself with its key terms. Here are some crucial definitions:
- a. Biometric Data: Biological characteristics, such as fingerprints and retina scans, generated by automated measurements. This excludes photos, audio recordings, and information used for healthcare under HIPAA.
- b. Consumer: An Indiana resident acting for personal, family, or household purposes. This excludes individuals in a commercial or employment context.
- c. Consent: A clear, affirmative act indicating a consumer’s agreement to process their personal data.
- d. Data Controller: An entity that determines the purpose and means of processing personal data, either alone or jointly with others.
- e. Data Processor: An entity that processes personal data on behalf of a controller.
- f. Personal Data: Information linked to an identified or identifiable individual, excluding de-identified or publicly available data.
- g. Sensitive Data: Data revealing racial or ethnic origin, health information, genetic or biometric data, and information from children under 13.
Scope & Applicability
The INCDPA applies to businesses operating in Indiana or targeting Indiana residents, provided they meet certain criteria. Specifically, it applies to entities that:
- a. Control or process the personal data of at least 100,000 Indiana residents, or
- b. Control or process the personal data of at least 25,000 Indiana residents and derive over 50% of their revenue from the sale of personal data.
Exemptions:
Several entities are exempt from the INCDPA, including:
- a. Indiana state government and third parties acting on its behalf.
- b. Financial institutions and affiliates under the federal Gramm-Leach-Bliley Act (GLBA).
- c. Entities governed by the Health Insurance Portability and Accountability Act (HIPAA).
- d. Nonprofit organizations.
- e. Institutions of higher education.
- f. Public utilities or service companies.
Key Requirements for Businesses
Obligations for Data Controllers
Data controllers have several responsibilities under the INCDPA, including:
- i. Data Collection Limitation: Collecting only data that is adequate, relevant, and reasonably necessary for the disclosed purposes.
- ii. Purpose Limitation: Not processing personal data for purposes beyond what is disclosed unless consumer consent is obtained.
- iii. Data Security: Implementing reasonable technical, administrative, and physical data security practices to protect data integrity and confidentiality.
- iv. Non-Discrimination: Avoiding data processing that violates anti-discrimination laws.
- v. Consent for Sensitive Data: Obtaining explicit consent before processing sensitive personal data.
Data Protection Impact Assessments (DPIAs)
Controllers must perform Data Protection Impact Assessments (DPIAs) for high-risk processing activities, such as:
- Targeted advertising.
- Selling personal data.
- Profiling that presents foreseeable risks.
- Processing sensitive data.
- Any activities posing a heightened risk of harm to consumers.
DPIAs should assess risks and benefits, considering the impact on consumers, the business, and other stakeholders. These assessments help ensure that businesses take appropriate measures to protect consumer data.
Processor Obligations
Data processors are required to assist controllers in fulfilling their duties. This includes:
- i. Responding to Data Subject Requests: Helping controllers handle consumer requests related to their data rights.
- ii. Ensuring Data Security: Aiding controllers in maintaining data security and conducting DPIAs.
- iii. Data Breach Notifications: Assisting with notifications in the event of data breaches.
Contracts between controllers and processors must include clauses ensuring confidentiality, data deletion or return upon request, and cooperation with compliance assessments.
Consumer Rights
The INCDPA grants Indiana residents several rights over their personal data, including the right to:
- Confirm whether a controller is processing their data.
- Correct inaccuracies in their data.
- Request data deletion.
- Obtain copies of their data.
- Opt-out of data processing for targeted advertising, the sale of data, or profiling.
Consumers also have the right to appeal a controller’s decision regarding their data requests. These rights empower consumers to have more control over their personal information and how it is used.
Compliance Tips
To comply with the INCDPA, businesses should take several proactive steps:
Update Privacy Policies
Businesses must update their privacy policies to include:
- The categories of personal data collected.
- The purposes for data processing.
- How consumers can exercise their rights and appeal decisions.
- The categories of data shared with third parties, if any.
Implement Consent Banners
Businesses should use consent management platforms to provide opt-out options for:
- Targeted advertising.
- Sale of personal data.
- Collection and processing of sensitive data.
Conduct Data Protection Impact Assessments (DPIAs)
Perform DPIAs for high-risk data processing activities to identify and mitigate potential risks to consumer privacy.
Use Compliant Contracts
Ensure contracts with third-party processors include the clauses necessary to meet INCDPA requirements. These should cover confidentiality, data return or deletion, and cooperation with compliance assessments.
Provide Consumer Data Request Mechanisms
Businesses must offer clear mechanisms for consumers to submit data requests, such as Data Subject Access Request (DSAR) forms on websites or mobile apps.
Enforcement & Penalties
The Indiana Attorney General enforces the INCDPA. Upon identifying a violation, the Attorney General will provide a 30-day notice to the offending business, detailing the issues. The business then has 30 days to address the violations and certify compliance. Failure to do so can result in:
- i. Fines of up to $7,500 per violation.
- ii. Injunctions to prevent further violations.
- iii. Recovery of expenses incurred during investigations, including attorney fees.
Actual Provision:
For more information, you can view and/or download the full-text provision PDF here.
Indiana’s Data Privacy Landscape
While the INCDPA is Indiana’s first comprehensive data privacy law, other privacy-related provisions exist in the state’s legal framework. For instance, the Indiana Constitution guarantees the right to be secure against unreasonable searches and seizures. Additionally, the Indiana Code mandates notification of data breaches, ensuring affected residents are informed of unauthorized data access.
INCDPA Preparation Tips
To prepare for the INCDPA, businesses should:
- Update Privacy Policies: Ensure policies are clear, accessible, and comprehensive.
- Implement Consent Management: Use platforms to manage consumer consent effectively.
- Conduct DPIAs: Regularly assess the impact of data processing activities.
- Establish Contracts: Use Data Processing Agreements (DPAs) with third-party processors.
- Provide DSAR Forms: Enable consumers to submit and track data requests easily.
Frequently Asked Questions (FAQs)
- What is the Indiana Consumer Data Protection Act (INCDPA)?
The INCDPA is a data privacy law designed to protect the personal information of Indiana residents. It outlines the rights of consumers regarding their data and sets forth the obligations of businesses in collecting, processing, and using this data.
- When does the INCDPA take effect?
The INCDPA will take effect on January 1, 2026.
- Who must comply with the INCDPA?
The INCDPA applies to businesses that control or process the personal data of at least 100,000 Indiana residents, or control or process the personal data of at least 25,000 Indiana residents and derive over 50% of their revenue from the sale of personal data.
- What are the key rights granted to consumers under the INCDPA?
Consumers have the right to confirm whether their data is being processed, correct inaccuracies, request deletion, obtain copies of their data, and opt out of data processing for targeted advertising, data sales, or profiling.
- What are the primary obligations for businesses under the INCDPA?
Businesses must limit data collection to what is necessary, obtain consumer consent for processing sensitive data, implement reasonable data security measures, and avoid discriminatory data processing practices.
Wrapping Up
The Indiana Consumer Data Protection Act (INCDPA) represents a step in the right direction for data privacy laws in the United States. As Indiana joins other states in implementing comprehensive data protection regulations, businesses must prepare to meet the new requirements. With a compliance deadline of January 1, 2026, there is enough time to adapt and adjust, but proactive measures are crucial.
To have a smooth transition, businesses should update their privacy policies, manage consumer consent effectively, perform Data Protection Impact Assessments (DPIAs), and establish robust contracts with third-party processors. Staying informed about the evolving landscape of data privacy laws will be key to maintaining compliance and protecting consumer data. By taking these steps now, businesses can navigate the complexities of the INCDPA, protect consumer data, and avoid potential penalties.
To help you create compliant legal documents that are tailored to your specific needs, consider utilizing GetTerms for additional support, resources, and more. For more information, you can visit our website here. We offer a simple solution, ensuring you meet legal standards while maintaining user confidence in your data handling practices. Create an account and get started in 5 minutes.