There's growing evidence that passing a comprehensive privacy law at the state level is a multiyear endeavor. There are anomalies among existing laws on the books, but most legislatures take two years or more to pass a bill.
Indiana is the latest example of how the process plays out, as it's on the verge of adding to the pile of comprehensive state privacy laws. The Indiana House took a unanimous 98-0 vote to grant final passage to Senate Bill 5 on consumer data protection a year after the bill stalled in the same chamber.
The Indiana Senate, which already voted 49-0 to approve SB 5 on 9 Feb., will vote on concurrence, a perceived formality before the bill heads to Gov. Eric Holcomb, R-Ind., for a final signature. Holcomb has seven days upon transmission to act on the bill, with a definitive veto the only way it will not become a law.
Coverage thresholds under SB 5 include entities that control or process personal data on 100,000 consumers or derive 50% of revenue from selling the data of more than 25,000 consumers. The bill includes required data protection impact assessments, requirements for processing deidentified or pseudonymous data, user opt-outs for targeted advertising and data sales, and a 30-day cure provision. SB 5 will take effect 1 Jan. 2026.
In addition to unanimous votes on chamber floors, there was not a single vote against SB 5 in either of its committee stops.
"I have people on one side saying this isn't pro-business enough and then the other side saying we need to lock everything down," Sen. Liz Brown, R-Ind., said during the Indiana Senate Committee on Commerce and Technology 26 Jan. meeting. The hearing served as the bill's formal reintroduction to the legislature by Brown, SB 5's chief sponsor this year and last.
"We want to make sure we are putting safeguards in place so we have protections about our data, but at the same time have it be manageable," Brown added. "It's not useful to any of us if we cannot transact with businesses on a daily basis because none of the businesses can comply due to how we've made things so prohibitive and expensive."
Falling in line
Much like laws passed in Iowa and Utah, Indiana's bill doesn't present much in the way of burdensome or unprecedented provisions for businesses already in, or working toward, compliance with other state privacy statutes. The bill takes after the Virginia Consumer Data Protection Act, which sets up a majority of covered entities to be in compliance from the day the bill is slated to take effect.
"It's not a matter of companies being prepared with there being a bit of a history here. … If anything, it's a little bit of a relief to get something that is like one of the previous laws as opposed to coming out of left field," Barnes & Thornburg Partner Brian McGinnis said. "For Indiana-based businesses, this is good and a step in the right direction. There are certainly much worse models out there that could've been adopted by the state."
The alignment with Virginia and the addition of a seventh state privacy law may have more impact on what can or can't be done at the federal level, according to ACT | The App Association State Public Policy Counsel Caleb Williamson.
"One can’t help but think about the inevitable preemption battle that will arise in the event of a federal preemptive comprehensive privacy bill," Williamson said. U.S. Congress already found itself in a tussle with California over the American Data Privacy and Protection Act's proposed preemption of the California Consumer Privacy Act. "But we cannot fault states for wanting to codify both consumer rights over their data and business’ duty to consumers over the data collected in the absence of federal action."
McGinnis, who is based out of Indianapolis, mentioned how Brown's original bill at the start of the 2022 legislative session was modeled after the EU General Data Protection Regulation and the CCPA. This year and last, Brown discussed how she did not want the bill to be a "barrier for entry" for small and medium-sized enterprises, or even for large businesses that only just started working in the data economy.
"There was a lot of conversation with the business community, from what I understand, to make sure this is something they were comfortable with," McGinnis said. "There are companies that are still out there playing that 'head in the sand' approach. Now that you're in a state with these laws, those arguments are tougher and tougher to make on a daily basis."
Road ahead
The 2026 effective date for Indiana's bill may prove to be an interesting twist in compliance. There are approximately three years until the bill takes force, leaving two legislative sessions for the bill to potentially undergo further changes.
Legislative changes are inevitable while adapting to growing technology, but amendments made in the lead-up to a law being in place could bring hardships similar to those companies are observing while they await privacy rulemaking results for laws in California and Colorado.
"The time until it goes live is more welcomed than not … but I do think it's a burden and a little worrisome to some clients," McGinnis said. "More generally, clients are used to laws being interpreted and used in different ways. In an area like this, where wholly new laws are coming so fast and furious, it is difficult and continues to be a moving target they don't want."
The cure provision in Indiana's bill will help with any issues that arise as businesses shift their compliance. Brown's initial two-year sunset on the business cure passed the House committee and would've teed up stricter enforcement, but the sunset was removed on the House floor.
McGinnis indicated attorney general enforcement of the bill will be robust, given the office has previously been "more aggressive in privacy-related areas," including data breach notification.
A late addition to SB 5 makes attorney general guidance encouraged instead of required, leaving questions as to whether SMEs or other newly covered businesses will be equipped with essential compliance intel.
"We recognize that this is a hidden toll of a state patchwork and an unintended consequence for SMEs," Williamson said. "We ought to trust that attorneys general will not divert or target individual SMEs, but will equally apply the law, which in this case establishes a notice and cure period. Hopefully affording an added layer of protection to an SME newly covered with little to no guidance."