This month, Indiana passed its own privacy bill, Senate Bill 5 (“SB 5”), for consumer data protection. SB 5 is now awaiting signature from Indiana Governor Eric Holcomb. Once signed into law, Indiana will be the seventh state in the nation to enact a comprehensive privacy law. With a later effective date of January 1, 2026, SB 5 maintains the status quo and largely follows the six other states with privacy laws (California, Colorado, Connecticut, Iowa, Utah, and Virginia). The following is a high-level overview of the key provisions of SB 5.
To Which Entities Does SB 5 Apply?
SB 5 will apply to businesses (“controllers”) that:
- control or process personal data of at least 100,000 consumers that are Indiana residents; or
- control or process personal data of at least 25,000 consumers that are Indiana residents and derive more than 50% of gross revenue from the sale of personal data.
SB 5 provides exemptions for entities and certain data including, but not limited to:
- the state or any political subdivisions of the state;
- financial institutions or data subject to the Gramm-Leach-Bliley Act;
- entities subject to HIPAA;
- non-profit organizations;
- institutions of higher education;
- personal data subject to the Driver’s Privacy Protection Act; and
- personal data subject to the Family Educational Rights and Privacy Act.
What are the Consumer Rights?
Under SB 5, Indiana consumers will have the right to ask the following of controllers:
- confirm the processing of their personal data;
- correct any inaccuracies in their personal data;
- delete their personal data;
- obtain either a copy or summary of their personal data from the controller; and
- opt out of the processing of their personal data for:
  - targeted advertising;
  - sale; or
Controllers must respond to consumer requests within 45 days of the request and without undue delay. When reasonably necessary, controllers can extend the response period once, by an additional 45 days, as long as they inform the consumer of the extension and the reasoning behind it.
What Are the Obligations of Controllers?
SB 5 imposes responsibilities on controllers that include, but are not limited to:
- limiting the collection of personal data only to what is adequate, relevant, and reasonably necessary for the reason the data is processed;
- creating and maintaining reasonable administrative, technical, and physical data security practices to ensure personal data is protected;
- obtaining consumer consent to process sensitive data;
- providing consumers with a clear and reasonably accessible privacy notice; and
- clearly and conspicuously disclosing whether the controller is engaged in selling personal data to third parties or using personal data for targeted advertising, while also providing a manner for consumers to opt out of such activity.
Requirement of Data Protection Impact Assessments:
Controllers must also conduct and document data protection impact assessments (“DPIA”) for certain processing activities. The DPIA requirement will apply to all applicable processing activity that was created after December 31, 2025, and is not retroactive to such activity created before the effective date of SB 5, January 1, 2026.
Controllers are required to undertake and document DPIAs when processing personal data in any of the following manners:
- processing for purposes of targeted advertising;
- selling personal data;
- using personal data for profiling, if that profiling causes a consumer a reasonable risk of:
  - unfair or unlawful disparate impact;
  - financial, physical, or reputational injury;
  - physical or other type of intrusion upon the solitude, private affairs, or concerns of the consumer that is offensive to a reasonable person; or
  - substantial injury;
- processing of sensitive data; or
- any processing of personal data that presents a heightened risk to consumers.
These DPIAs must weigh the benefits of processing for the controller, consumer, stakeholders, and the public against any potential risks the processing may have on consumer rights. DPIAs are confidential and are not available to the public. However, the Indiana Attorney General (“AG”) may request a relevant DPIA in the course of an investigation.
Enforcement of SB 5:
Once enacted, the Indiana AG has exclusive enforcement power over SB 5. The AG has the power to seek injunctions against any violations of the law and issue civil penalties of up to $7,500 per violation along with reasonable expenses, including attorney’s fees, incurred. Alleged violators of SB 5 are given 30 days’ written notice to cure and, if they do cure, must provide a written statement to the AG that:
- confirms the alleged violation was cured; and
- states the actions taken to ensure no future violations will occur.
In the wake of another state privacy law, developing, implementing, and maintaining strong processes and systems for data privacy and security is vital for businesses. As the privacy legal landscape continues to evolve, Taft’s Privacy and Data Security Practice is ready to assist. For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy and Data Security mobile application.