The first movement on the U.S. state privacy law front in 2022 has arrived in an unlikely place. The number of people pegging Indiana as a state best positioned to pass comprehensive privacy legislation this year was likely few to none, but state lawmakers are showing they are keen to legislate on privacy.
Indiana's Senate Commerce & Technology Committee voted 10-0 to move Senate Bill 358 after just one hearing. Clearing the committee opens up a somewhat clear legislative path the rest of the way through the Senate. Barring objected amendments, SB 358 needs just two floor votes to move out of chamber.
The big switch
The committee action on Indiana's SB 358 comes after introduction of a strike-all amendment as the committee hearing began. State Sen. Liz Brown, R-Ind., was candid about her amendment, which effectively moved the bill from the EU General Data Protection Act's framework to mirroring provisions found in Virginia's Consumer Data Protection Act. Three lawmakers openly disclosed prior to their "yes" votes that they hadn't read the new bill text and therefore did not understand the updated provisions they were voting to advance.
Brown indicated the change to a "much simpler" model came "after talking to all the interested and involved parties" and concluding the original provisions were "slightly more onerous."
"Some of the institutions we regulate in this country may not have been regulated in the EU already, so the bill pulled in a lot of groups that are already under regulations here," Brown said. The amended bill now includes exemptions for state government and companies regulated under certain federal laws, including the Gramm-Leach Bliley Act and the Health Insurance Portability and Accountability Act. "It was not a matter of less protection but more that they were already regulated in a different space so we don't need to double down. And this would not have been just redundant. It would've added things that may have actually broken our existing laws."
The amended bill would cover entities processing data on 100,000 consumers or those that collect on 25,000 individuals while deriving more than 25% of their annual revenue from data sales. Besides the exemptions, notable provisions Brown highlighted to committee included the definition of "child" covering minors 13 and under, the ability to use de-identified data as defined under the bill, and no retroactivity for violations that occurred before the bill's Jan. 1, 2024, effective date. A previously-included private right of action was removed while a permanent right to cure remains intact. Brown also touted the bill's data subject rights, but explicitly noted the right to correction is limited to once a year per entity to avoid "being used as a harassment tool" against companies.
"I do think this strikes the perfect balance with what we were starting out with and where we are today. We want Indiana to be both consumer friendly and business friendly." Brown said. "If you're not familiar, Virginia has a lot of tech companies in it. For this to pass in that state should give you an assurance that it is consumer friendly. … If a business is going to be regulated, at the very least they need certainty. They know how the Virginia model works so they will just continue what they are doing in the state of Virginia here instead of us implementing a whole other set of rules and information."
Stakeholder backing
The input Brown alluded to in her opening remarks was further solidified by the testimony she was able to round up from Scott Barnhart, chief counsel and director of consumer protection for the Indiana attorney general’s office, and Indiana Chamber of Commerce Vice President of Economic Development and Technology Adam Berry.
The backing of the attorney general is notable given the office has exclusive enforcement powers under the SB 358, which will also include a consumer privacy fund made up of the fines handed down by the attorney general. Barnhart said the bill addresses a "protection and codification the attorney general has been concerned about for years," noting the office's recent legal action against Google over its location data practices. Barnhart added the Data Privacy & Identity Theft Unit "has the structure in place to address" the workload SB 358 would bring.
Berry's comments fell in line with Brown's description of perceived hardships that would've come from the original bill. The chamber's membership stands at approximately 5,000 companies and Berry said the number of members concerned with SB 358's original text was more than he had seen on any proposed legislation in years.
"Just by the nature of our economies and by our laws, trying to model a U.S. law after GDPR is trying to put a square peg into a round hole," Berry said, adding the Virginia model is the "the gold standard" in that it balances consumer rights while "not inhibiting or putting onerous burdens on businesses" like the GDPR's consumer-focused framework does.
Photo by Steven Van Elk on Unsplash