While it remains unclear whether the United States will enact federal data privacy legislation anytime in the near future, states are continuing to do their due diligence when it comes to making their own laws designed to better protect consumers and their data.
Indiana, following in the footsteps of California, Virginia, and Colorado, appears to be laying the groundwork for its own CPRA, VCDPA or CPA in 2023.
Politicians in the state, both on the House side and the Senate side, are seeking to rein in what type of data companies can and can't collect from consumers and ensure they're keeping track of everything they're collecting. Two bills related to consumer data protection, designed to emulate laws from those states, have begun making their way through the state house just over the last two weeks.
On the Senate side, Senate Bill 5, introduced this month, would require companies to obtain a consumer's consent before processing sensitive data including their race, mental or physical health diagnosis, genetic data or geolocation data. If passed, residents would be able to identify and correct inaccuracies in any personally identifiable information possessed by organizations, opt out of its processing, or ask for it to be deleted.
A similar version of the bill (SB 358) was passed by the state Senate last year, but never made it out of the House. This year the bill, retooled by Senator Liz Brown to more closely resemble the Virginia Consumer Data Protection Act (VCDPA), has already gotten the green light from the Senate Commerce and Technology Committee, which voted 11-0 to move it forward to the full Senate.
Similar to Virginia's law, there would be conditions around which organizations would have to comply with the bill. For example, organizations would need to process data on 100,000 consumers per year, or on 25,000 consumers if the company derives more than 50% of its gross revenues from the sale of personal data. Organizations already bound by other regulations, such as those in the financial and banking industry covered by the Gramm-Leach-Bliley Act, or those in healthcare covered by HIPAA, wouldn't have to comply with it either.
Like the VCDPA and the CPA (Colorado Privacy Act), SB 5 would require data controllers to undergo periodic data protection impact assessments, which would essentially flag any processing of data by an organization that presents a high degree of risk to a consumer.
While the bill still has several hurdles to clear, if passed, it would come with a January 1, 2026 go-live date, something that would give companies a few years to ensure they’re processing data securely and in line with the bill’s requirements.
On the House side, similar legislation to amend the state's code around consumer data protection, House Bill ('HB') 1554, was also introduced this month. If passed, the law would go into effect sooner, on January 1, 2024, and would impose new rules for data brokers and ultimately lead to the creation of a 'Do Not Sell List.'
HB 1554 would also establish:
- The rights of a consumer with respect to personal data;
- The roles and responsibilities of controllers in relation to consumers' personal data;
- Requirements for the data protection impact assessments that controllers must conduct;
- Requirements for processing de-identified or pseudonymous data;
- The establishment, maintenance, and publication by the Attorney General's ('AG') consumer protection division of a quarterly listing of electronic mail addresses of consumers who request that their personal data not be sold; and
- Requirements for data brokers in relation to consumers' personal information, including providing notification of security breaches and registering annually with the AG.
Like much data privacy legislation of late, businesses not based in the state where the bill originated, in this case Indiana, could still be held accountable for some of the bill's requirements, namely if they do business there, meaning they produce products or services that are purchased or used by the state's residents.
If they aren't already, organizations will want to ensure that they have a way to safely handle and protect any sensitive personal information they process and that the appropriate safeguards are in place, even if the United States doesn't pass its own customer data privacy law any time soon.
Companies will have to continue to do their homework to ensure they're ready to comply with the patchwork of consumer data protection legislation, like Indiana's, that continues to pop up across the country.