Law: Consumer Data Protection Act (CDPA)

Regulator: The Indiana Attorney General (AG)

Summary: The Indiana Governor signed Senate Bill 5 on consumer data protection on May 1, 2023, thereby enacting the Consumer Data Protection Act (CDPA). The CDPA will enter into effect on January 1, 2026, and introduces obligations for data controllers and processors, including transparency obligations, such as the requirement to provide privacy notices, data security obligations, and a requirement to conduct and document Data Protection Impact Assessments (DPIAs) in specific circumstances. Additionally, the CDPA contains provisions that govern controller/processor relationships as well as data subject rights to confirm whether or not the controller is processing the consumer's personal data, the rights of access, deletion, correction, and the right to opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling. Furthermore, the CDPA provides the Indiana Attorney General (AG) with enforcement powers but does not provide a private right of action.

In regard to data breaches, §24-4.9-1 et seq. of the Indiana Code sets out that database owners must notify Indiana residents and the AG in case of a data breach, as well as nationwide consumer reporting agencies when the breach involves the information of more than 1,000 residents. In addition, §35-33.5-5-4 of the Indiana Code prohibits intercepting or recording a telephone or electronic communication without the consent of at least one party. Finally, a Class C infraction is committed under §24-4-14 of the Indiana Code when a person disposes of unencrypted or unredacted personal information of a customer without shredding, incinerating, mutilating, erasing, or otherwise rendering it illegible.

You can follow legislative developments in the US through the USA State Law Tracker.