Law: Consumer Data Protection Act (CDPA)
Regulator: The Indiana Attorney General (AG)
Summary: The Indiana Governor signed Senate Bill 5 on consumer data protection on 1 May 2023, thereby enacting the CDPA, which will enter into effect on 1 January 2026. The CDPA introduces obligations for data controllers and processors, including transparency obligations, such as the requirement to provide privacy notices, data security obligations, as well as a requirement to conduct and document Data Protection Impact Assessments ('DPIAs') in specific circumstances. Additionally, the CDPA contains provisions that govern controller/processor relationships as well as data subject rights, namely the right to confirm whether or not the controller is processing the consumer's personal data, the rights of access, deletion, and correction, and the right to opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling. Furthermore, the CDPA provides the AG with enforcement powers, but does not provide a private right of action.
In regard to data breaches, under §24-4.9-1 et seq. of the Indiana Code, database owners must notify Indiana residents and the AG in case of a data breach, as well as nationwide consumer reporting agencies, when the breach involves the information of more than 1,000 residents. In addition, the Indiana Wiretap Act, under §35-33.5-5-4 of the Indiana Code, prohibits intercepting or recording a telephone or electronic communication without the consent of at least one party. Finally, a Class C infraction is committed under §24-4-14 of the Indiana Code when a person disposes of unencrypted or unredacted personal information of a customer without shredding, incinerating, mutilating, erasing, or otherwise rendering it illegible.