On May 1, 2023, the Governor of Indiana signed Indiana SB5, which is a comprehensive state privacy law that requires certain businesses to have a Privacy Policy that has specific disclosures, provides privacy rights to residents of Indiana and requires businesses to meet specific requirements to protect privacy. This new law will go into effect on July 1, 2026 and businesses that need to comply with this law should start their preparations now to ensure that they are compliant by the effective date.
In this Compliance Guide, we will discuss the following important aspects of Indiana SB5:
- Who needs to comply with Indiana SB5;
- How the law defines personal data;
- The privacy rights provided to residents of Indiana;
- The Privacy Policy requirements of Indiana SB5;
- The penalties for failure to comply; and
- How Termageddon can help you update your Privacy Policy to help ensure compliance.
Table of Contents
Who needs to comply with Indiana SB5?
Indiana SB5 was enacted to protect the privacy of residents of Indiana, and, due to the nature of the Internet, it can apply to you even if your business is not located in Indiana. Indiana SB5 applies to any person that does business in Indiana or that produces products or services that are targeted to residents of Indiana and that during a year:
- Controls or processes the personal data of at least 100,000 residents of Indiana; or
- Controls or processes the personal data of at least 25,000 residents of Indiana and derives more than 50% of gross revenue from the sale of personal data.
The law does specifically exempt nonprofit organizations, higher education institutions, financial institutions and public utilities.
How does Indiana SB5 define personal data?
Since Indiana SB5 applies to businesses that collect the personal data of residents of Indiana, it is important to determine how the law defines personal data so that you can determine whether it applies to you. The law defines personal data as “information that is linked or reasonably linkable to an identified or identifiable individual.” The following items are not considered personal data under this law – de-identified data, aggregate data or publicly available information. Due to the broad definition of personal data, data such as names, emails, phone numbers, addresses and IP addresses are likely to be considered “personal data” under this law.
What privacy rights are provided to residents of Indiana?
Indiana SB5 protects the privacy of residents of Indiana by providing them with the following privacy rights:
- The right to confirm whether a business is processing the consumer’s personal data and to access such data;
- The right to correct inaccuracies in the consumer’s personal data;
- The right to delete the personal data provided by the consumer to the business;
- The right to obtain a copy of or a summary of the consumer’s personal data in a portable and readily usable format that allows the consumer to transmit the data to another company;
- The right to opt out of the processing of the consumer’s personal data for the purposes of:
- Targeted advertising;
- The sale of personal data; or
- Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
- The right to appeal a decision made regarding a privacy rights request.
Upon receiving a request to exercise privacy rights, businesses will have 45 days to respond to such a request, which can be extended by an additional 45 days if needed.
Indiana SB5 Privacy Policy requirements
Businesses that need to comply with Indiana SB5 will be required to display a comprehensive Privacy Policy that includes the following disclosures:
- The categories of personal data processed;
- The purpose for processing the personal data;
- How consumers can exercise their consumer rights, including how a consumer may appeal a decision with regard to a privacy rights request;
- The categories of personal data that is shared with third parties, if any;
- The categories of third pirates, if any, with whom the data is shared;
- The fact that personal data is used for targeted advertising or is sold and how a consumer may opt out of such use or sale.
Businesses will also need to provide a clear and conspicuous link to the Privacy Policy on their websites. Finally, businesses will also need to keep an eye out for any regulations for this privacy law, which often add to the above required disclosures.
Penalties for failure to comply with Indiana SB5
Indiana SB5 will be enforced by the Indiana Attorney General, who can initiate an action and fine businesses up to $7,500 per violation, which can mean per website visitor whose privacy rights were infringed upon. In addition, the Attorney General may also recover expenses incurred in investigating and preparing the case, leading to additional costs for the violation.
Termageddon’s plan for Indiana SB5
While this new law will go into effect on July 1, 2026, we will be keeping track of any amendments to the law, including accompanying regulations. We will also make updates to clients’ policies prior to the effective date of this new law. If you do not currently have a Privacy Policy or do not have a strategy to keep it up to date with privacy law changes, make sure to check out the Termageddon Privacy Policy generator.
