Learn about the Indiana Consumer Data Protection Act (ICDPA), its applicability to businesses operating in Indiana, exemptions, sensitive data, consumer rights, data protection assessments, and potential penalties. Ensure compliance to avoid fines of up to $7,500 per violation. Get all the details here.
Secure Privacy Team
·6 min read
Share:
RELATED CONTENT
Continue Reading
Explore more privacy compliance insights and best practices
By enacting the Indiana Consumer Data Protection Act, Indiana became the seventh US state to pass a law dedicated to protecting consumer data privacy.
If you operate in Indiana, it may create obligations for you, and you need to learn more about it.
What is the Indiana Consumer Data Protection Act (ICDPA)?
The Indiana Consumer Data Protection Act (ICDPA) protects the consumer data privacy of Indiana residents. It closely follows the provisions present in other US state laws regulating the same matter.
It was signed into law on May 1, 2023, but it won’t be enforced until January 1, 2026. You have enough time to learn about it and prepare for compliance.
Does the ICDPA apply to your business?
The ICDPA applies to your business if you operate in Indiana or target Indiana customers, and either:
Control or process personal data of at least 100,000 Indiana residents, or
Control or process personal data of at least 25,000 Indiana residents and derive over 50% of its gross revenue from the sale of personal data.
These criteria are similar to what we have seen in other US states’ laws. It won’t apply to many businesses.
However, keep in mind that processing IP addresses with Google Analytics or browsing behavior with Meta Pixel can easily allow you to control the data of more than 100,000 consumers and slide you into the applicability requirements.
Are some businesses or data exempt from ICDPA?
ICDPA exempts from its scope the same types of organizations and data that you’ll find in other privacy laws around the US, which include:
Government entities
Non-profits
HIPAA and HITECH-covered entities
Higher education entities
Utility companies
Financial institutions subject to the GLBA
The list of exempted data is long and includes, but is not limited to:
Data protected by industry-specific laws such as HIPAA, GLBA, FCRA, and others
Employment information
Research data for the public interest
What is ICDPA personal data?
ICDPA defines personal data as any information that identifies a person.
That includes a wide variety of data. Aside from obvious data categories, such as personal names, email addresses, and government-issued numbers, personal data also involves health history, fitness app data, purchase behavior, and other data that could point out an individual.
What is ICDPA sensitive data?
CDPA explicitly lists the categories of personal information considered sensitive. They include:
Data revealing an individual’s racial origin, ethnic origin, sexual orientation, citizenship or immigration status, or health diagnosis
Precise geolocation data
Child’s data
Biometric data for the purpose of identifying a person
Sensitive data must not be processed without obtaining explicit consent from the user.
What are the general duties of controllers and processors under the ICDPA?
Every controller that needs to comply with this law must:
Ensure data security by implementing adequate technical and organizational measures
Process the data only for the purposes it has been collected
Ensure that the categories of collected data are adequate for processing purposes
Obtain consent for the processing of sensitive data
Conduct data protection assessments if required
Provide consumers with a privacy notice
Honor consumer requests
Enter into data processing contracts with processors
Processors, on the other hand, are obliged to protect the data in their own work and help the controller to do the same. In particular, it means obligations to:
Implement adequate data security measures
Process data only based on the contract with the controller
Assist the controller in compliance with the law
What is a data processing contract?
The data processing contract regulates the relationship between the controller and the processor. You need to have one to make your processing legal. Without such a contract, you violate the ICDPA.
Your contract must include provisions on:
The identity of both parties
Categories of personal data to be processed
The nature and purposes of processing
The duration of processing
Rights and duties of both parties
Requirement for the processor to prove compliance to the controller, upon request
Requirement for deletion of data upon the controller’s request
Confidentiality
Hiring subcontractors
What is a privacy notice according to the ICDPA?
Your ICDPA privacy notice is actually your privacy policy. It is the document where you provide transparency about your privacy practices to consumers.
Your notice must contain at least:
Processing purposes
Categories of processed data
The categories of data you sell, if applicable
The categories of third parties to whom you sell data, if applicable
Consumer rights and how to exercise them
Although not required by the law, you can always add more information to increase transparency.
Is it necessary to obtain consumer consent for data processing?
Yes, explicit consumer consent is required for processing sensitive personal data. The consent should be freely given, specific, informed, and unambiguous.
In cases where you collect information from a known child for processing, you can follow the parental consent standards outlined in COPPA (Children's Online Privacy Protection Act).
Are we required to honor universal opt-out mechanisms?
The ICDPA does not explicitly address universal opt-out mechanisms, so there is no obligation to adhere to them. However, it is important to provide consumers with the ability to opt-out using the designated methods you have established with the privacy policy.
What is a Data Protection Assessment?
A Data Protection Assessment is a procedure in which the controller evaluates the potential risks associated with processing the personal data of consumers. This assessment helps identify the risks involved in your processing activities and determines the necessary measures to mitigate those risks.
It is not required by all businesses, but it is good practice. If you are not sure whether you need to conduct one, it is better to opt for it.
The law explicitly states that businesses must conduct and document a Data Protection Assessment in the following scenarios:
Sale of personal data
Processing of sensitive data
Processing data for targeted advertising
Processing of data for profiling
Any other processing that presents an elevated risk to consumers.
What are the ICDPA consumer rights and requests?
Consumers have the ability to exercise these rights by submitting requests to your organization, and it is essential for you to comply with these requests to avoid potential penalties.
Consumers have the right to:
Know about the processing
Access data
Have their data deleted
Data portability
Correction of data
Opt-out of the sale of data, targeted advertising, or profiling
Opt-in for the processing of sensitive data
You must respond to the request within 45 days. You can take an additional 45 days for complex requests, but keep in mind that it will rarely be justified.
How is ICDPA enforced, and what are the penalties?
Indiana has not established a data protection agency like California. It follows the trend of all the other US states that have given power to the Attorney General to enforce the law.
The Attorney General has the power to investigate violations and issue businesses a notice with a 30-day cure period.
If you don't remedy the violation within 30 days, you may be fined up to $7,500 per violation.
Sign up to our newsletter
and get the latest news on data privacy
