State legislatures continue to take privacy matters into their own hands while talks of a federal privacy law linger.  Indiana is set to become the seventh state to enact a comprehensive privacy law when Senate Bill No. 5 is signed by Governor Eric Holcomb.  The law goes into effect on January 1, 2026 – more than two and a half years after it is signed – a significantly longer period of time between signing and effective date when compared with other comprehensive state privacy laws.

Application

The Indiana privacy law applies to entities that conduct business in Indiana or produce products or services that are targeted to residents of Indiana and during a calendar year:  (1) control or process the personal data of 100,000 consumers (who are Indiana residents) or (2) control or process personal data of at least 25,000 consumers (who are Indiana residents) and more than 50% of gross revenue from the sale of personal data.

As with other comprehensive state privacy laws, certain entities (e.g. state agencies, nonprofit organizations, entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”), entities covered by the Gramm-Leach-Bliley Act (“GLBA”), etc.) and certain data (e.g. protected health information under HIPAA, research data, etc.) is exempt.  Further, the Indiana privacy law does not apply to data processed or maintained in the course of applying to or being employed by a business.

Comparison to Other State Privacy Laws

The Indiana privacy law mirrors other comprehensive state privacy laws, but most closely resembles the Virginia Consumer Data Protection Act, which went into effect at the beginning of this year. It provides a right to opt-out of the sale of personal data and a right to opt-out of targeted advertising as well as a right to opt-out of profiling in furtherance of decisions that produce legal or similarly significant effects.  Like other comprehensive state privacy laws, the Indiana law requires consent to process sensitive personal data and the completion of data protection impact assessments for new processing activities (involving targeted advertising, sale of personal data, profiling that involves heightened risks to consumers, sensitive personal data) created or generated after December 31, 2025.

Notice Requirements

Businesses must provide consumers with a “reasonably accessible, clear, and meaningful privacy notice”.  The privacy notice must include:  (1) the categories of personal data processed by the controller; (2) the purpose for processing personal data; (3) how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request; (4) the categories of personal data that the controller shares with third parties, if any, and (5) the categories of third parties, if any, with whom the controller shares personal data.  Controllers must also “clearly and conspicuously” disclose any sale of personal data to a third party for the purposes of targeted advertising.

Consumer Rights

Under the Indiana privacy law, a consumer has the following rights:

• Right to confirm processing of personal data;
• Right to access personal data;
• Right to correct inaccuracies;
• Right to delete personal data provided by or obtained about the consumer;
• Right to portability; and
• (as described above) Right to opt-out of processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Businesses must also create a process by which consumers can appeal any refusal to act on a consumer right.  There is no private right of action under the Indiana privacy law and businesses have a 30-day cure period for any alleged violations of the law.

Preparing for Effective Date

As with the Iowa privacy law passed just last month, businesses operating in Indiana have some time to ensure compliance requirements are implemented and will likely already have many of the requirements in place. Businesses that must meet all of the individual state privacy laws should continue to refine their processes for updating privacy policies, handling data subject requests, and updating data processing agreements.

Our Data Privacy and Cybersecurity practice regularly advises companies on how to meet the requirements of new laws like this one. If you have any questions concerning this law or any other data privacy or cybersecurity laws, please do not hesitate to contact any member of our team.