On May 2, 2023, Indiana became the seventh state in the US to have a comprehensive state privacy law when Governor Eric Holcomb signed Senate Bill 5, or the Indiana Consumer Data Protection Act (ICDPA), into law. The bill closely resembles several recent state laws, including those in Virginia, Utah, and Iowa.
This move was long overdue, as privacy concerns have been a hot topic for years. However, this law won’t take effect until January 1, 2026, more than two and a half years after it was signed.
It’s important to note that while federal laws protect certain types of data, such as health records and financial information, no overarching national privacy standard exists. Thus, states have taken it upon themselves to implement regulations to protect consumer data.
The Indiana Consumer Data Protection Act (ICDPA) & Personal Data
The new Indiana data privacy law applies to businesses with annual gross revenue of $500k or more in Indiana, or those that process the personal data of at least 100k consumers in Indiana annually.
It requires these businesses to:
- Designate a person responsible for compliance with this act
- Conduct regular risk assessments regarding data processing activities
- Implement security measures reasonably designed to protect consumer data from unauthorized access or disclosure
Furthermore, under the ICDPA, consumers now have the right to know what types of personal data companies collect about them and how it’s used. They can request that businesses delete or correct information, and opt out of having their data sold or shared with third-party entities. This gives consumers greater power over their digital footprint and enhances transparency on how companies handle customer information.
Indiana Data Privacy Laws & HIPAA
The passage of ICDPA makes Indiana one of only seven states nationwide to have passed comprehensive privacy legislation. This accomplishment follows years of advocacy by consumer protection organizations demanding stronger protections for individual privacy rights. However, it’s important to note that certain industries, such as healthcare, already had regulations in place prior to Indiana enacting its law.
For instance, healthcare providers are governed by HIPAA, which was enacted long before any state-level privacy laws were even considered. HIPAA stands for the Health Insurance Portability and Accountability Act, which sets national standards for protecting sensitive protected health information (PHI) from being disclosed without the patient’s permission.
HIPAA provides patients with rights such as:
- Medical records access
- Requesting corrections of records
- Controlling how PHI is used or disclosed
- Protection of their data
Indiana’s new privacy law sets standards for how businesses handle consumer data not covered by HIPAA. While some may argue that laws like HIPAA already exist to protect consumer privacy in certain industries, it’s important to note that these regulations don’t cover all scenarios where personal data can be compromised. The ICDPA fills gaps left by other laws and sets a new standard for comprehensive data protection across various industries.
Overall, Indiana has taken a proactive approach to addressing the issue of data privacy with the passage of this landmark legislation. While more work needs to be done on both the state and federal levels, the ICDPA represents an important step toward creating a safer and more secure online environment for everyone.