Indiana Likely to Become Seventh State to Enact a Comprehensive State Privacy Law


On April 13, 2023, the Indiana Senate concurred in the Indiana House’s amendments to Senate Bill 5 (“SB 5”), a day after the House returned the bill to the Senate with amendments and a couple of days after the Indiana House unanimously voted to approve SB 5. SB 5 now will head to Governor Eric Holcomb for a final signature, where he will have seven days upon transmission to sign SB 5 into law or veto it. This could make Indiana the seventh U.S. state to enact comprehensive privacy legislation.


Applicability

SB 5 would apply to a person that conducts business in Indiana or produces products or services that are targeted to residents of Indiana and that during a calendar year: (1) controls or processes personal data of at least one hundred thousand (100,000) consumers who are Indiana residents; or (2) controls or processes personal data of at least twenty-five thousand (25,000) consumers who are Indiana residents and derives more than fifty percent (50%) of gross revenue from the sale of personal data.

SB 5’s protections would apply to residents of Indiana who act for a personal, family or household purpose, with an express exemption for individuals acting in a commercial or employment context. The bill also contains a number of exemptions, including exceptions for financial institutions, affiliates, and data subject to Title V of the Gramm-Leach-Bliley Act, covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996, nonprofit organizations and institutions of higher education.


Controller Obligations


Similar to the other comprehensive state privacy laws, SB 5 would require controllers to limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer. In addition, controllers will need a consumer’s consent to process sensitive data or to process personal data for purposes that are neither reasonably necessary for nor compatible with the disclosed purposes for which the personal data is processed. SB 5 also requires controllers to establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data.


Controllers will need to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: (1) the categories of personal data processed by the controller; (2) the purpose for processing personal data; (3) how consumers may exercise their consumer rights under the law, including how a consumer may appeal a controller’s decision with regard to the consumer’s request; (4) the categories of personal data that the controller shares with third parties, if any; and (5) the categories of third parties, if any, with whom the controller shares personal data.


SB 5 also will require controllers to conduct and document a data protection impact assessment for each of the following processing activities involving personal data: (1) the processing of personal data for purposes of targeted advertising; (2) the sale of personal data; (3) the processing of personal data for purposes of profiling, if such profiling presents certain reasonably foreseeable risks; (4) the processing of sensitive data; and (5) any processing activities involving personal data that present a heightened risk of harm to consumers.


Consumer Rights

SB 5 provides consumers with the following rights: (1) to confirm whether or not a controller is processing the consumer’s personal data and to access such personal data; (2) to correct inaccuracies in the consumer’s personal data that the consumer previously provided to a controller; (3) to delete personal data provided by or obtained about a consumer; (4) to obtain either a copy of or a representative summary of the consumer’s personal data that the consumer previously provided to the controller in a portable and readily usable format that allows the consumer to transmit the data or summary to another controller without hindrance; and (5) to opt out of the processing of the consumer’s personal data for purposes of (A) targeted advertising, (B) the sale of personal data, or (C) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Controllers would have 45 days to respond to consumer rights requests, with a potential 45-day extension in certain circumstances.


Enforcement

SB 5 does not contain a private right of action and would be enforced exclusively by the Indiana Attorney General. The bill provides a 30-day cure period for violations, during which a company must (1) cure a potential violation, and (2) provide the Attorney General with an express written statement that the alleged violation has been cured and actions will be taken to ensure no further violations will occur. If a violation is not cured, the Attorney General may initiate an action and may seek an injunction to restrain any violations of the law and a civil penalty of up to $7,500 for each violation under the law.


Effective Date

If passed as law, SB 5 will take effect on January 1, 2026.
