In this Compliance Guide, we will discuss the following important aspects of Indiana SB5:
- Who needs to comply with Indiana SB5;
- How the law defines personal data;
- The privacy rights provided to residents of Indiana;
- The penalties for failure to comply; and
Who needs to comply with Indiana SB5?
Indiana SB5 was enacted to protect the privacy of residents of Indiana, and, due to the nature of the Internet, it can apply to you even if your business is not located in Indiana. Indiana SB5 applies to any person that does business in Indiana or that produces products or services that are targeted to residents of Indiana and that during a year:
- Controls or processes the personal data of at least 100,000 residents of Indiana; or
- Controls or processes the personal data of at least 25,000 residents of Indiana and derives more than 50% of gross revenue from the sale of personal data.
The law does specifically exempt nonprofit organizations, higher education institutions, financial institutions and public utilities.
How does Indiana SB5 define personal data?
Since Indiana SB5 applies to businesses that collect the personal data of residents of Indiana, it is important to determine how the law defines personal data so that you can determine whether it applies to you. The law defines personal data as “information that is linked or reasonably linkable to an identified or identifiable individual.” The following items are not considered personal data under this law: de-identified data, aggregate data and publicly available information. Due to the broad definition of personal data, data such as names, emails, phone numbers, addresses and IP addresses are likely to be considered “personal data” under this law.
What privacy rights are provided to residents of Indiana?
Indiana SB5 protects the privacy of residents of Indiana by providing them with the following privacy rights:
- The right to confirm whether a business is processing the consumer’s personal data and to access such data;
- The right to correct inaccuracies in the consumer’s personal data;
- The right to delete the personal data provided by the consumer to the business;
- The right to obtain a copy of or a summary of the consumer’s personal data in a portable and readily usable format that allows the consumer to transmit the data to another company;
- The right to opt out of the processing of the consumer’s personal data for the purposes of:
  - Targeted advertising;
  - The sale of personal data; or
  - Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
- The right to appeal a decision made regarding a privacy rights request.
Upon receiving a request to exercise privacy rights, businesses will have 45 days to respond to such a request, which can be extended by an additional 45 days if needed.
- The categories of personal data processed;
- The purpose for processing the personal data;
- How consumers can exercise their consumer rights, including how a consumer may appeal a decision with regard to a privacy rights request;
- The categories of personal data that are shared with third parties, if any;
- The categories of third parties, if any, with whom the data is shared;
- The fact that personal data is used for targeted advertising or is sold and how a consumer may opt out of such use or sale.
Penalties for failure to comply with Indiana SB5
Indiana SB5 will be enforced by the Indiana Attorney General, who can initiate an action and fine businesses up to $7,500 per violation, which can mean per website visitor whose privacy rights were infringed upon. In addition, the Attorney General may recover expenses incurred in investigating and preparing the case, leading to additional costs for the violation.