Skip to main content
main content, press tab to continue
Article | FINEX Observer

Midwest continues charge toward enhanced data protection

Indiana becomes seventh state to pass a consumer data protection law

By Jason Krauss | May 8, 2023

On the heels of Iowa’s new consumer data privacy legislation, Indiana becomes the seventh state to pass a comprehensive consumer data protection law.
Cyber Risk Management

On the heels of Iowa’s new consumer data privacy legislation signed into law on March 28, Indiana became the seventh state to pass a comprehensive consumer data protection law. An amended version of Senate Bill 5 (SB 5) passed in the Indiana House of Representatives 98-0 on April 11. On April 13, the Indiana Senate concurred on the House amendments. The bill was signed into law by Indiana Governor Eric Holcomb on May 1.

Who does the new law apply to?

The Indiana bill only applies to individuals in their capacity as consumers and not as employees or job applicants and exempts not-for-profits, college and universities, government entities and their providers, public utilities and affiliated service companies, and licensed riverboat casino owners operating facial recognition programs approved by the Indiana gaming commission. The law, similar to the Virginia Consumer Data Protection Act, is more business friendly than the California, Colorado and Connecticut laws, but also more consumer-friendly than the Utah or Iowa laws.

A business must comply with the new law if it conducts business in Indiana or targets Indiana residents, and, during a calendar year:

  1. Controls or processes the personal data of at least 100,000 Indiana consumers; or
  2. Derives more than 50% of its gross revenue from selling personal data of at least 25,000 Indiana consumers

What consumer rights does SB 5 provide?

The new data protection rights afforded to Indiana consumers by SB 5 include the following:

  • Right to know. Indiana consumers will be able to request confirmation on whether a business is processing their personal data, what data is processed, and how the processing is taking place. Businesses will be required to post a privacy notice detailing this information for consumers.
  • Right to access. Indiana consumers will be allowed to view their personal data upon request. SB 5 allows businesses to choose whether to send copies of raw data to consumers or to provide a representative summary of the data collection. Indiana consumers can submit requests to exercise these rights once a year.
  • Right to correct. In addition, if an Indiana consumer believes a company possesses inaccurate personal data, the consumer can request correction of this data. This right only extends to personal data that was previously provided by the consumer to the data controller, which is narrower in scope when compared to California, Colorado, Connecticut and Virginia, all of which extend this consumer right to all data in possession of the controller.
  • Right to delete. Indiana consumers will be able to request deletion of personal data obtained by the business.
  • Right to opt-out. Indiana consumers will have the ability to opt-out of the processing of their data for targeting advertising, the sale of their data, or profiling, similar to California, Colorado and Connecticut. Businesses will have 45 days to respond to such requests.

Unlike other consumer data protection laws, such as the California Privacy Rights Act (CPRA), SB 5 does not offer a private right of action for consumers and no privacy board or other supervisory authority is created by the law. Instead, enforcement of the law falls exclusively to the Indiana attorney general. If a business is found to be in violation of the law, the attorney general can enforce fines of up to $7,500 per violation. Further, if a business is notified by the attorney general that they are violating the act, they will be provided 30 days to remedy the alleged violation before the attorney general initiates an official action. Such a cure period can be key for businesses to avoid fines and other actions.

What should you do?

Similar to advice provided when other similar state data protection legislation was passed, companies should review their privacy policies and procedures now to prepare for the legislation’s January 1, 2026 effective date. Companies likewise should work with their brokers to ensure that their cyber insurance policy provides coverage for the defense of privacy regulatory claims and related awards and fines stemming from the Indiana law and other similar state laws.


Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).


FINEX NA Cyber Thought & Product Coverage Leader

Contact us