Indiana becomes seventh state to pass a consumer data protection law
On the heels of Iowa’s new consumer data privacy legislation signed into law on March 28, Indiana became the seventh state to pass a comprehensive consumer data protection law. An amended version of Senate Bill 5 (SB 5) passed in the Indiana House of Representatives 98-0 on April 11. On April 13, the Indiana Senate concurred on the House amendments. The bill was signed into law by Indiana Governor Eric Holcomb on May 1.
Who does the new law apply to?
The Indiana bill only applies to individuals in their capacity as consumers and not as employees or job applicants and exempts not-for-profits, college and universities, government entities and their providers, public utilities and affiliated service companies, and licensed riverboat casino owners operating facial recognition programs approved by the Indiana gaming commission. The law, similar to the Virginia Consumer Data Protection Act, is more business friendly than the California, Colorado and Connecticut laws, but also more consumer-friendly than the Utah or Iowa laws.
A business must comply with the new law if it conducts business in Indiana or targets Indiana residents, and, during a calendar year:
What consumer rights does SB 5 provide?
The new data protection rights afforded to Indiana consumers by SB 5 include the following:
Unlike other consumer data protection laws, such as the California Privacy Rights Act (CPRA), SB 5 does not offer a private right of action for consumers and no privacy board or other supervisory authority is created by the law. Instead, enforcement of the law falls exclusively to the Indiana attorney general. If a business is found to be in violation of the law, the attorney general can enforce fines of up to $7,500 per violation. Further, if a business is notified by the attorney general that they are violating the act, they will be provided 30 days to remedy the alleged violation before the attorney general initiates an official action. Such a cure period can be key for businesses to avoid fines and other actions.
What should you do?
Similar to advice provided when other similar state data protection legislation was passed, companies should review their privacy policies and procedures now to prepare for the legislation’s January 1, 2026 effective date. Companies likewise should work with their brokers to ensure that their cyber insurance policy provides coverage for the defense of privacy regulatory claims and related awards and fines stemming from the Indiana law and other similar state laws.
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).
