Indiana is the second U.S. state to pass a comprehensive consumer privacy law in 2023. In this article, we’ll go over the unique provisions of the seventh U.S. state privacy law, what your business needs to know and do to comply, and how Ethyca can help.
Indiana follows Iowa as the second state privacy law to pass its state legislature in 2023.
SB 5 or Indiana’s Consumer Data Protection bill will go into effect on January 1, 2026, giving businesses more than two years to get ready for it.
Enhancing your business’ privacy program for California’s CPRA, Virginia’s CDPA, Colorado’s CPA, Connecticut’s CTDPA, Utah’s UCPA, and Iowa’s ICDPA in the meantime will give your business a great head start.
Until then, here’s what your business needs to know about Indiana’s privacy law and how to prepare for 2026.
Indiana’s privacy law applies to a “controller,” or a business entity that conducts business in Indiana or targets its products or services to Indiana consumers, and:
Like ICDPA, Indiana’s privacy law does not use a revenue threshold to determine who’s subject to it. Confirm that your business fulfills the criteria above to determine if it needs to comply with Indiana’s privacy law.
Businesses subject to Indiana’s privacy law need to know what consumer rights and consent rights Indiana residents have, as well as the consequences of privacy violations. This sections will go over these requirements in more detail.
Like with all other state privacy laws, Indiana residents can exercise certain consumer rights including:
Similar to Iowa’s privacy law, Indiana consumers do not have a private right of action. Unlike Iowa, however, Indiana residents do have the ability to correct their data.
Indiana residents are also given specific opt-out and opt-in rights.
In terms of opting out, Indiana consumers have the right to opt out of the processing of personal data for:
Indiana clearly states what kinds of data processing consumers can opt out of, whereas Iowa is more vague about targeted advertising and doesn’t mention profiling at all. Both states do not require businesses to implement a universal opt-out mechanism for consent.
In terms of opt-in rights, Indiana consumers have the right to opt into the processing of “sensitive data,” which includes:
The Attorney General of Indiana has sole authority over enforcing Indiana’s consumer data protection law.
Businesses must respond to consumers’ rights and consent requests within 45 days and can extend for an additional 45 days. Controllers also have a 30-day cure period to fix violations and can face a civil penalty of $7,500 per violation.
Now that you know what consumer and consent rights Indiana residents have, as well as the consequences for violations, let’s go over the additional business obligations your business needs to fulfill.
Chapter 4 of Indiana’s privacy law titled “Data Controller Responsibilities,” emphasizes the need for transparency in privacy practices.
Businesses must publish easily accessible privacy notices on their websites detailing:
The Attorney General may publish sample privacy notices on its website for reference. Work with your legal team to create a privacy notice that includes all of the required information before January 1, 2026.
Businesses must also enter data processing contracts between processors or entities that “process personal data on behalf of a controller.”
These contracts must establish the terms of how the processor processes personal data for the controller, as well as the purpose of processing, the type of data being processed, the duration of processing, and the rights and obligations of both controllers and processors.
If your business works with processors or subcontractors that process data on your behalf, be sure to enter a legally binding data processing contract with each of them.
Indiana’s privacy law requires businesses to perform data protection impact assessments (DPIAs). DPIAs require businesses to carefully assess the risks of activities that involve processing data.
Companies operating in Indiana must weigh the business benefits against the potential risks to consumers on the following activities:
The Attorney General can request a DPIA to determine whether a company is compliant or not. To make sure you’re ready for Indiana’s regulators, conduct and document DPIAs for the above processing activities.
A unique provision of Indiana’s privacy law is its explicit instructions for processing de-identified and pseudonymous data. This is the first U.S. state privacy law to specify steps for processing these types of data categories.
Businesses that process de-identified and pseudonymous data must:
If your business processes de-identified and pseudonymous data, make sure the required controls and safeguards are put in place by January 1, 2026.
Keeping track of all of the new U.S. state privacy laws can feel overwhelming. Luckily, Ethyca makes it easy to comply with all privacy regulations, no matter what state or jurisdiction, through the Fides privacy intelligence platform.
With Fides, your business will be able to automate business obligations for all state privacy laws.
Read on to learn how.
All privacy regulations require businesses to fulfill users’ subject requests, or data subject requests (DSRs). Unfortunately, this process is often costly, labor-intensive, and causes lots of friction between legal and engineering teams.
The Fides privacy intelligence platform streamlines these workflows. Your business will be able to automate DSR processing end-to-end. With Fides, users can submit their requests through a Privacy Center on your website and verify their identity via SMS or email.
After requests are submitted, you can approve or deny them in an easy-to-use Admin UI. Users will receive an email containing a link to the data they requested in a machine-readable format or a confirmation that all of their data has been corrected or erased.
Fides will also maintain a log of the requests your business has processed. That way, you can prove to regulators your business’ privacy practices are compliant.
Different privacy regulations require different opt-in and opt-out requirements your business must follow. With Fides, your business can easily manage users’ consent preferences for any privacy law.
Fides will help you you to set multiple opt-out links on your website footer, customize a Privacy Center for consent intake, and set single or multiple opt-in or opt-out consent preferences to comply with multiple privacy laws at the same time.
Users will be able to submit their consent preferences via the same Privacy Center they would use to submit DSRs. With the same Admin UI, your business will be able to easily process and record users’ consent preferences as proof of compliance.
What makes the Fides privacy intelligence platform so powerful is its ability to connect to all internal and third-party databases and systems. After connecting with all systems Fides will be able to produce an automated data map of where data resides and flows throughout your organization.
Unlike tracking data through manual spreadsheets that are immediately out of date, Fides’ automated data map will give you a real-time, accurate inventory of all the data in your systems, i.e. what the data is, where it flows, and where it’s stored.
In fact, connecting to all of your systems is how Fides can automate data subject requests and consent management in the first place. The Fides privacy intelligence platform will integrate privacy across your entire business. That’s the true power of privacy intelligence.
Iowa and Indiana are the first couple of privacy laws to pass in 2023, but more are constantly on the way. Your business will need to look ahead and prepare for all of the coming privacy regulations passing through state legislatures.
Thankfully, you don’t have to do it alone. Ethyca is here to help your business fulfill its privacy obligations every step of the way. If you have any questions about new or current privacy laws, schedule a free 15-minute call with one of our privacy advisors right now.
Ethyca’s VP of Engineering Neville Samuell recently spoke at the University of Texas at Austin’s Texas McCombs School of Business about privacy engineering and its role in today’s digital landscape. Read a summary of the discussion by Neville himself here.
Learn more about all of the updates in the Fides 2.24 release here.
Ethyca’s Senior Software Engineer Adam Sachs goes through the thought process of creating Fideslang, the privacy engineering taxonomy that standardizes privacy compliance in software development.
Learn more about all of the updates in the Fides 2.23 release here.
Our Senior Software Engineer Dawn Pattison walks you through implementing data minimization into your business.
Learn more about all of the updates in the Fides 2.22 release here.
Our team of data privacy devotees would love to show you how Ethyca helps engineers deploy CCPA, GDPR, and LGPD privacy compliance deep into business systems. Let’s chat!Request a Demo