Indiana 2022 Regular Session

Indiana House Bill HB1261 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1
2	2	Introduced Version
3	3	HOUSE BILL No. 1261
4	4	_____
5	5	DIGEST OF INTRODUCED BILL
6	6	Citations Affected: IC 4-6-9-9; IC 24-15.
7	7	Synopsis: Consumer privacy. Requires businesses to disclose certain
8	8	information to consumers. Outlines different requests a consumer may
9	9	make with businesses regarding the consumer's personal information.
10	10	Assigns enforcement of consumer privacy law to the Indiana division
11	11	of consumer protection. Exempts certain government entities and
12	12	certain types of information. Provides certain business exceptions.
13	13	Effective: July 1, 2022.
14	14	Hamilton
15	15	January 10, 2022, read first time and referred to Committee on Commerce, Small Business
16	16	and Economic Development.
17	17	2022 IN 1261—LS 7000/DI 148 Introduced
18	18	Second Regular Session of the 122nd General Assembly (2022)
19	19	PRINTING CODE. Amendments: Whenever an existing statute (or a section of the Indiana
20	20	Constitution) is being amended, the text of the existing provision will appear in this style type,
21	21	additions will appear in this style type, and deletions will appear in this style type.
22	22	Additions: Whenever a new statutory provision is being enacted (or a new constitutional
23	23	provision adopted), the text of the new provision will appear in this style type. Also, the
24	24	word NEW will appear in that style type in the introductory clause of each SECTION that adds
25	25	a new provision to the Indiana Code or the Indiana Constitution.
26	26	Conflict reconciliation: Text in a statute in this style type or this style type reconciles conflicts
27	27	between statutes enacted by the 2021 Regular Session of the General Assembly.
28	28	HOUSE BILL No. 1261
29	29	A BILL FOR AN ACT to amend the Indiana Code concerning trade
30	30	regulation.
31	31	Be it enacted by the General Assembly of the State of Indiana:
32	32	1 SECTION 1. IC 4-6-9-9 IS ADDED TO THE INDIANA CODE AS
33	33	2 A NEW SECTION TO READ AS FOLLOWS [EFFECTIVE JULY 1,
34	34	3 2022]: Sec. 9. (a) The division shall enforce the consumer privacy
35	35	4 article (IC 24-15).
36	36	5 (b) The division shall adopt rules under IC 4-22-2 to carry out
37	37	6 IC 24-15.
38	38	7 SECTION 2. IC 24-15 IS ADDED TO THE INDIANA CODE AS
39	39	8 A NEW ARTICLE TO READ AS FOLLOWS [EFFECTIVE JULY 1,
40	40	9 2022]:
41	41	10 ARTICLE 15. CONSUMER PRIVACY
42	42	11 Chapter 1. Applicability
43	43	12 Sec. 1. This article applies to a person that does one (1) or more
44	44	13 of the following:
45	45	14 (1) Conducts business in Indiana.
46	46	15 (2) Produces products or services that are marketed to
47	47	16 Indiana residents.
48	48	17 (3) Controls or processes personal data of either of the
49	49	2022 IN 1261—LS 7000/DI 148 2
50	50	1 following:
51	51	2 (A) At least one hundred thousand (100,000) consumers
52	52	3 during a calendar year.
53	53	4 (B) At least twenty-five thousand (25,000) consumers
54	54	5 during a calendar year and derives more than fifty percent
55	55	6 (50%) of gross revenue from the sale of personal data.
56	56	7 Sec. 2. The consumer rights and the business duties in this
57	57	8 article must not adversely affect the rights and freedoms of other
58	58	9 individuals.
59	59	10 Sec. 3. This article does not require a business, service provider,
60	60	11 or contractor to:
61	61	12 (1) Reidentify or otherwise link information that, in the
62	62	13 ordinary course of business, is not maintained in a manner
63	63	14 that would cause the information to be considered personal
64	64	15 information.
65	65	16 (2) Retain any personal information about a consumer if the
66	66	17 personal information would not be retained in the ordinary
67	67	18 course of business.
68	68	19 (3) Maintain information in an identifiable, linkable, or
69	69	20 associable form, or collect, obtain, retain, or access any data
70	70	21 or technology, as a means of linking or associating a verifiable
71	71	22 consumer request with personal information.
72	72	23 Chapter 2. Exemptions
73	73	24 Sec. 1. This article does not apply to the following:
74	74	25 (1) The executive, judicial, or legislative branch of state
75	75	26 government, or any political subdivision.
76	76	27 (2) A unit (as defined in IC 36-1-2-23).
77	77	28 (3) The county office of any of the following:
78	78	29 (A) Auditor.
79	79	30 (B) Treasurer.
80	80	31 (C) Recorder.
81	81	32 (D) Surveyor.
82	82	33 (F) Coroner.
83	83	34 (G) Assessor.
84	84	35 (4) The county sheriff's department.
85	85	36 (5) A health care provider or a covered entity governed by
86	86	37 federal privacy law, to the extent the provider or covered
87	87	38 entity complies with the federal privacy law.
88	88	39 Sec. 2. (a) This article does not apply to any of the following
89	89	40 information:
90	90	41 (1) Medical information or health records protected under
91	91	42 IC 4-6-14.
92	92	2022 IN 1261—LS 7000/DI 148 3
93	93	1 (2) Personal information collected as part of a clinical trial or
94	94	2 other biomedical research study if:
95	95	3 (A) the information is not sold or shared; and
96	96	4 (B) it is inconsistent that participants be informed of that
97	97	5 use and provide consent.
98	98	6 (3) Personal information that is collected, processed, sold, or
99	99	7 disclosed subject to the following:
100	100	8 (A) The federal Gramm-Leach-Bliley Act (P.L. 106-102),
101	101	9 and implementing regulations.
102	102	10 (B) The federal Farm Credit Act of 1971 (as amended in 12
103	103	11 U.S.C. 2001-2279cc and implementing regulations, 12 CFR
104	104	12 600, et seq.).
105	105	13 (C) The federal Driver's Privacy Protection Act of 1994 (18
106	106	14 U.S.C. Sec. 2721 et seq.).
107	107	15 (4) Personal information collected by a business about the
108	108	16 following individuals, including emergency contact
109	109	17 information, that is used solely in the context of the
110	110	18 individual's role, or former role, with the business:
111	111	19 (A) A job applicant.
112	112	20 (B) An employee.
113	113	21 (C) An owner.
114	114	22 (D) A director.
115	115	23 (E) An officer.
116	116	24 (F) A medical staff member.
117	117	25 (G) An independent contractor.
118	118	26 Sec. 3. This article does not apply to an activity involving
119	119	27 personal information that bears on a consumer's credit worthiness,
120	120	28 credit standing, credit capacity, character, general reputation,
121	121	29 personal characteristics, or mode of living:
122	122	30 (1) by a consumer reporting agency;
123	123	31 (2) by a furnisher of information, who provides information
124	124	32 for use in a consumer report; or
125	125	33 (3) by a user of a consumer report;
126	126	34 to the extent that the activity involving the information is subject
127	127	35 to regulation under the Fair Credit Reporting Act (15 U.S.C. 1681
128	128	36 et seq.), and the information is not collected, maintained, used,
129	129	37 communicated, disclosed, or sold except as authorized by the Fair
130	130	38 Credit Reporting Act.
131	131	39 Sec. 4. The duties imposed on businesses in IC 24-15-4,
132	132	40 IC 24-15-5, and IC 24-15-6 do not apply to household data.
133	133	41 Chapter 3. Definitions
134	134	42 Sec. 1. The definitions in this chapter apply throughout this
135	135	2022 IN 1261—LS 7000/DI 148 4
136	136	1 article.
137	137	2 Sec. 2. "Aggregate consumer information" means information:
138	138	3 (1) that relates to a group or category of consumers;
139	139	4 (2) from which individual consumer identities have been
140	140	5 removed; and
141	141	6 (3) that is not linked or reasonably linkable to any consumer
142	142	7 or household, including via a device.
143	143	8 The term does not include one (1) or more individual consumer
144	144	9 records that have been deidentified.
145	145	10 Sec. 3. (a) "Biometric information" means an individual's
146	146	11 physiological, biological, or behavioral characteristic used, or
147	147	12 intended to be used, to establish the individual's identity.
148	148	13 (b) The term includes:
149	149	14 (1) a retina or iris scan;
150	150	15 (2) a fingerprint;
151	151	16 (3) a voiceprint;
152	152	17 (4) a handprint;
153	153	18 (5) a faceprint;
154	154	19 (6) a keystroke pattern;
155	155	20 (7) a gait pattern; and
156	156	21 (8) sleep, health, or exercise data;
157	157	22 from which identifying information about an individual can be
158	158	23 extracted.
159	159	24 Sec. 4. (a) "Business" means a person that:
160	160	25 (1) collects, or on behalf of which is collected, consumers'
161	161	26 personal information;
162	162	27 (2) determines the purpose and means of processing a
163	163	28 consumer's personal information;
164	164	29 (3) provides goods or services in Indiana; and
165	165	30 (4) satisfies at least one (1) of the following:
166	166	31 (A) As of January 1 of the calendar year, had annual gross
167	167	32 revenues in excess of twenty-five million dollars
168	168	33 ($25,000,000) in the preceding calendar year.
169	169	34 (B) Alone or combined, annually buys, sells, or shares the
170	170	35 personal information of at least one hundred thousand
171	171	36 (100,000) consumers, households, or devices.
172	172	37 (C) Derives at least fifty percent (50%) of the person's
173	173	38 annual revenues from selling or sharing personal
174	174	39 information.
175	175	40 (b) The term includes a person that is not described in
176	176	41 subsection (a) and voluntarily certifies to the consumer protection
177	177	42 division that the person is in compliance with and agrees to be
178	178	2022 IN 1261—LS 7000/DI 148 5
179	179	1 bound by this article.
180	180	2 Sec. 5. "Business controller information" means the name of the
181	181	3 owner, director, officer, or management employee of a business
182	182	4 and the contact information, including a business title, for the
183	183	5 owner, director, officer, or management employee.
184	184	6 Sec. 6. (a) "Business purpose" means the use of personal
185	185	7 information for:
186	186	8 (1) the business's operational purposes;
187	187	9 (2) other notified purposes;
188	188	10 (3) the service provider or contractor's operational purposes
189	189	11 if the use of personal information is reasonably necessary and
190	190	12 proportionate to achieve the operational purpose for which
191	191	13 the personal information was collected or processed; or
192	192	14 (4) another operational purpose that is compatible with the
193	193	15 context in which the personal information was collected.
194	194	16 (b) The term includes the following:
195	195	17 (1) Auditing related to counting ad impressions of unique
196	196	18 visitors.
197	197	19 (2) Helping to ensure security and integrity to the extent the
198	198	20 use of the consumer's personal information is reasonably
199	199	21 necessary and proportionate for these purposes.
200	200	22 (3) Debugging to identify and repair errors that impair
201	201	23 existing intended functionality.
202	202	24 (4) Undertaking internal research for technological
203	203	25 development and demonstration.
204	204	26 (5) Undertaking activities to verify or maintain the quality or
205	205	27 safety of a service or device that is owned, manufactured,
206	206	28 manufactured for, or controlled by the business, and to
207	207	29 improve, upgrade, or enhance the service or device that is
208	208	30 owned by, manufactured by, manufactured for, or controlled
209	209	31 by the business.
210	210	32 Sec. 7. "Collects", "collected", or "collection" means:
211	211	33 (1) buying;
212	212	34 (2) renting;
213	213	35 (3) gathering;
214	214	36 (4) obtaining;
215	215	37 (5) receiving; or
216	216	38 (6) accessing;
217	217	39 any personal information about a consumer, including by
218	218	40 observing a consumer's behavior.
219	219	41 Sec. 8. "Commercial credit reporting agency"means any person
220	220	42 who, for monetary fees or dues or on a cooperative nonprofit basis,
221	221	2022 IN 1261—LS 7000/DI 148 6
222	222	1 provides commercial credit reports to third parties.
223	223	2 Sec. 9. "Commercial purposes" means to advance a person's
224	224	3 economic interests, such as by inducing another person to enable
225	225	4 a commercial transaction.
226	226	5 Sec. 10. (a) "Consent" means a freely given affirmative act that
227	227	6 indicates:
228	228	7 (1) a consumer;
229	229	8 (2) a consumer's legal guardian;
230	230	9 (3) a person who has power of attorney for the consumer; or
231	231	10 (4) a person acting as a conservator for a consumer;
232	232	11 agrees to having the consumer's personal information processed
233	233	12 for a particular purpose.
234	234	13 (b) The following do not constitute consent:
235	235	14 (1) Accepting a general terms of use that contains descriptions
236	236	15 of personal information processing along with other unrelated
237	237	16 information.
238	238	17 (2) Hovering over, muting, pausing, or closing a given piece of
239	239	18 content.
240	240	19 (3) Agreement obtained through use of dark patterns.
241	241	20 Sec. 11. "Consumer" means an Indiana resident acting only in
242	242	21 an individual or household context. The term does not include an
243	243	22 individual acting in a commercial or employment context.
244	244	23 Sec. 12. "Consumer report" and "consumer reporting agency"
245	245	24 have the same meaning as set forth in the Fair Credit Reporting
246	246	25 Act (15 U.S.C. 1681 et seq.).
247	247	26 Sec. 13. "Contractor" means a person to whom the business
248	248	27 makes available a consumer's personal information for a business
249	249	28 purpose, under a written contract with the business.
250	250	29 Sec. 14. "Controller" means the person that, alone or jointly
251	251	30 with others, determines the purpose and means for processing
252	252	31 personal data.
253	253	32 Sec. 15. "Covered entity" has the meaning ascribed to that term
254	254	33 in the federal Health Insurance Portability Act (HIPAA) (P.L.
255	255	34 104-191).
256	256	35 Sec. 16. "Dark pattern" means a user interface designed to trick
257	257	36 the consumer. This term includes tricking a consumer into:
258	258	37 (1) buying additional items; or
259	259	38 (2) publicly sharing more information than the consumer
260	260	39 intended to.
261	261	40 Sec. 17. "Deidentified information" means data that cannot
262	262	41 reasonably be linked to a particular consumer.
263	263	42 Sec. 18. "Device" means any physical object that is capable of
264	264	2022 IN 1261—LS 7000/DI 148 7
265	265	1 connecting directly or indirectly to the Internet or to another
266	266	2 device.
267	267	3 Sec. 19. "Director" has the same meaning set forth in
268	268	4 IC 23-1-37-2.
269	269	5 Sec. 20. "Educational assessment" means a quiz, test, or other
270	270	6 assessment, whether standardized or nonstandardized, that is used
271	271	7 to do the following:
272	272	8 (1) Evaluate students in, or for entry to the following:
273	273	9 (A) A school corporation, charter school, or nonpublic
274	274	10 school with one (1) or more employees providing
275	275	11 instruction for students in kindergarten through grade 12.
276	276	12 (B) A postsecondary educational institution that is
277	277	13 accredited by an accrediting agency recognized by the
278	278	14 United States Department of Education.
279	279	15 (C) A vocational program.
280	280	16 (D) A postgraduate program that is accredited by an
281	281	17 accrediting agency recognized by the United States
282	282	18 Department of Education.
283	283	19 (2) Determine competency and eligibility to receive
284	284	20 certification or licensure from a government agency or
285	285	21 government certification body.
286	286	22 Sec. 21. "Household" means multiple consumers who cohabitate
287	287	23 with one another at the same residential address and share use of
288	288	24 common devices or services.
289	289	25 Sec. 22. (a) "Intentionally interact" means to deliberately:
290	290	26 (1) interact with a person; or
291	291	27 (2) disclose personal information;
292	292	28 including visiting the person's Internet web site or purchasing a
293	293	29 good or service from the person.
294	294	30 (b) The term does not include:
295	295	31 (1) hovering over;
296	296	32 (2) muting;
297	297	33 (3) pausing; or
298	298	34 (4) closing;
299	299	35 a given piece of content.
300	300	36 Sec. 23. "Management employee" means an individual whose
301	301	37 name and contact information is:
302	302	38 (1) reported to or collected by a commercial credit reporting
303	303	39 agency as the primary manager of a business; and
304	304	40 (2) used solely within the context of the individual's role as the
305	305	41 primary manager of the business.
306	306	42 Sec. 24. "Ownership information" means the registered owner's
307	307	2022 IN 1261—LS 7000/DI 148 8
308	308	1 name and contact information.
309	309	2 Sec. 25. (a) "Officer" means an individual elected or appointed
310	310	3 by the board of directors of a business to manage the daily
311	311	4 operations of the business.
312	312	5 (b) The term includes the following:
313	313	6 (1) A chief executive officer.
314	314	7 (2) A president.
315	315	8 (3) A secretary.
316	316	9 (4) A treasurer.
317	317	10 Sec. 26. "Person" means an individual or a legal entity.
318	318	11 Sec. 27. (a) "Personal information" means information that:
319	319	12 (1) identifies;
320	320	13 (2) relates to;
321	321	14 (3) describes;
322	322	15 (4) is reasonably capable of being associated with; or
323	323	16 (5) could reasonably be linked with;
324	324	17 a particular consumer or household.
325	325	18 (b) The term includes the following:
326	326	19 (1) Identifiers, including:
327	327	20 (A) a real name;
328	328	21 (B) an alias;
329	329	22 (C) a postal address;
330	330	23 (D) a unique personal identifier;
331	331	24 (E) an online identifier;
332	332	25 (F) an Internet protocol address;
333	333	26 (G) an electronic mail address;
334	334	27 (H) an account name;
335	335	28 (I) a Social Security number;
336	336	29 (J) a driver's license number; or
337	337	30 (K) a passport number.
338	338	31 (2) Characteristics of protected classifications under state or
339	339	32 federal law.
340	340	33 (3) Commercial information, including:
341	341	34 (A) records of personal property;
342	342	35 (B) products or services;
343	343	36 (i) purchased;
344	344	37 (ii) obtained; or
345	345	38 (iii) considered; or
346	346	39 (C) other purchasing tendencies or consuming histories.
347	347	40 (4) Biometric information.
348	348	41 (5) Internet or other electronic network activity information,
349	349	42 including:
350	350	2022 IN 1261—LS 7000/DI 148 9
351	351	1 (A) browsing history;
352	352	2 (B) search history; or
353	353	3 (C) information regarding a consumer's interaction with:
354	354	4 (i) an Internet web site;
355	355	5 (ii) an application; or
356	356	6 (iii) an advertisement.
357	357	7 (6) Geolocation data.
358	358	8 (7) Audio, electronic, visual, thermal, olfactory, or similar
359	359	9 information.
360	360	10 (8) Professional or employment related information.
361	361	11 (9) Education information, defined as not publicly available
362	362	12 personally identifiable information under the Family
363	363	13 Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34
364	364	14 CFR Part 99).
365	365	15 (10) Inferences drawn from any of the information identified
366	366	16 in this subsection to create a profile reflecting the consumer's:
367	367	17 (A) preferences;
368	368	18 (B) characteristics;
369	369	19 (C) psychological trends;
370	370	20 (D) predispositions;
371	371	21 (E) behavior;
372	372	22 (F) attitudes;
373	373	23 (G) intelligence;
374	374	24 (H) abilities; and
375	375	25 (I) aptitudes.
376	376	26 (11) Sensitive personal information.
377	377	27 (c) The term does not include:
378	378	28 (1) publicly available information;
379	379	29 (2) consumer information that is deidentified; or
380	380	30 (3) aggregate consumer information.
381	381	31 For purposes of this subsection and section 34 of this chapter,
382	382	32 "publicly available" means information that is lawfully made
383	383	33 available from federal, state, or local government records. The
384	384	34 term does not mean biometric information collected by a business
385	385	35 about a consumer without the consumer's knowledge.
386	386	36 Sec. 28. "Precise geolocation" means data:
387	387	37 (1) that is derived from a device; and
388	388	38 (2) that is used, or intended to be used, to locate a consumer
389	389	39 within a geographic area that is equal to or less than the area
390	390	40 of a circle with a radius of one thousand eight hundred and
391	391	41 fifty (1,850) feet, except as prescribed by regulations.
392	392	42 Sec. 29. "Probabilistic identifier" means the identification of a:
393	393	2022 IN 1261—LS 7000/DI 148 10
394	394	1 (1) consumer; or
395	395	2 (2) device;
396	396	3 that is more probable than not based on personal information.
397	397	4 Sec. 30. "Processing" means an operation that is performed on
398	398	5 personal data, whether or not by automated means.
399	399	6 Sec. 31. "Research" means scientific and systematic study and
400	400	7 observation, including:
401	401	8 (1) basic research or applied research:
402	402	9 (A) that is designed to contribute to scientific knowledge in
403	403	10 the public interest; and
404	404	11 (B) that adheres to all other applicable ethics and privacy
405	405	12 laws; or
406	406	13 (2) studies conducted in the public interest in the area of
407	407	14 public health.
408	408	15 Sec. 32. "Security and integrity" means the ability of the
409	409	16 following:
410	410	17 (1) Networks or information systems to detect security
411	411	18 incidents that compromise the:
412	412	19 (A) availability;
413	413	20 (B) authenticity;
414	414	21 (C) integrity; and
415	415	22 (D) confidentiality;
416	416	23 of stored or transmitted personal information.
417	417	24 (2) Businesses to:
418	418	25 (A) detect security incidents;
419	419	26 (B) resist malicious, deceptive, fraudulent, or illegal
420	420	27 actions; and
421	421	28 (C) help prosecute those responsible for those actions.
422	422	29 (3) Businesses to ensure the physical safety of natural persons.
423	423	30 Sec. 33. (a) "Sell", "selling", "sale", or "sold", means any
424	424	31 attempt to dispose of a consumer's personal information for
425	425	32 monetary or other valuable consideration.
426	426	33 (b) "Sell", "selling", "sale", or "sold" does not include when:
427	427	34 (1) a consumer:
428	428	35 (A) uses or directs the business to intentionally disclose
429	429	36 personal information; or
430	430	37 (B) uses the business to intentionally interact with a third
431	431	38 party;
432	432	39 (2) the business uses or shares an identifier to alert persons
433	433	40 that the consumer has opted out of the sale of the consumer's
434	434	41 personal information;
435	435	42 (3) the business uses or shares an identifier to alert persons
436	436	2022 IN 1261—LS 7000/DI 148 11
437	437	1 that the consumer has limited the use of the consumer's
438	438	2 sensitive personal information; or
439	439	3 (4) the business transfers to a third party the personal
440	440	4 information of a consumer as an asset that is part of a merger,
441	441	5 acquisition, bankruptcy, or other transaction in which the
442	442	6 third party assumes control of all or part of the business.
443	443	7 Sec. 34. (a) "Sensitive personal information" means:
444	444	8 (1) personal information that reveals:
445	445	9 (A) a consumer's Social Security, driver's license, state
446	446	10 identification card, or passport number;
447	447	11 (B) a consumer's:
448	448	12 (i) account login;
449	449	13 (ii) financial account;
450	450	14 (iii) debit card; or
451	451	15 (iv) credit card number;
452	452	16 with any required security or access code, password, or
453	453	17 credentials allowing access to an account;
454	454	18 (C) a consumer's precise geolocation;
455	455	19 (D) a consumer's racial or ethnic origin, religious or
456	456	20 philosophical beliefs, or union membership;
457	457	21 (E) the contents of a consumer's mail, electronic mail, and
458	458	22 text messages, unless the business is the intended recipient
459	459	23 of the communication; or
460	460	24 (F) a consumer's genetic data;
461	461	25 (2) biometric information processed to uniquely identifying a
462	462	26 consumer;
463	463	27 (3) personal information concerning a consumer's health; or
464	464	28 (4) personal information concerning a consumer's sex life or
465	465	29 sexual orientation.
466	466	30 (b) The term does not include information that is publicly
467	467	31 available.
468	468	32 Sec. 35. "Service" or "services" means work, labor, and
469	469	33 services, including services furnished in connection with the sale or
470	470	34 repair of goods.
471	471	35 Sec. 36. “Service provider" means a person that processes
472	472	36 information on behalf of a business and to which the business
473	473	37 discloses a consumer's personal information for a business purpose
474	474	38 under a written contract.
475	475	39 Sec. 37. (a) "Share," "shared," or "sharing" means
476	476	40 communicating a consumer's personal information by the business
477	477	41 to a third party for cross context behavioral advertising, whether
478	478	42 or not for monetary or other valuable consideration. This also
479	479	2022 IN 1261—LS 7000/DI 148 12
480	480	1 includes transactions for the benefit of a business in which no
481	481	2 money is exchanged.
482	482	3 Sec. 38. "Third party" means a person who is not any of the
483	483	4 following:
484	484	5 (1) The business with whom the consumer intentionally
485	485	6 interacts.
486	486	7 (2) A service provider to the business.
487	487	8 (3) A contractor.
488	488	9 Sec. 39. "Vehicle information" means the vehicle identification
489	489	10 number, make, model, year, and odometer reading.
490	490	11 Sec. 40. "Verifiable consumer request" means a request that the
491	491	12 business can verify, using commercially reasonable methods, to be
492	492	13 the consumer about whom the business has collected personal
493	493	14 information.
494	494	15 Sec. 41. "Verifiable consumer requestor" means the following
495	495	16 persons who may submit a verifiable consumer request:
496	496	17 (1) The consumer.
497	497	18 (2) The consumer on behalf of the consumer's minor child.
498	498	19 (3) The consumer's agent.
499	499	20 (4) A person who has the power of attorney for the consumer.
500	500	21 (5) A conservator for the consumer.
501	501	22 Chapter 4. Right to Access
502	502	23 Sec. 1. (a) Except as provided in section 3 of this chapter, upon
503	503	24 receipt of a verifiable consumer request about a consumer from a
504	504	25 verifiable consumer requestor, a business shall disclose the
505	505	26 following:
506	506	27 (1) The categories of personal information the business has
507	507	28 collected about the consumer.
508	508	29 (2) The consumer's right to request the specific pieces of
509	509	30 personal information the business has collected about the
510	510	31 consumer.
511	511	32 (3) The categories of sources described in subdivisions (1) and
512	512	33 (2) from which the personal information is collected.
513	513	34 (4) The business's purpose for collecting, selling, or sharing
514	514	35 personal information.
515	515	36 (5) The categories of third parties to whom the business
516	516	37 discloses personal information.
517	517	38 (b) A verifiable consumer requestor shall submit a verifiable
518	518	39 consumer request through one (1) of the following:
519	519	40 (1) A business's mailing address.
520	520	41 (2) A business's electronic mail address.
521	521	42 (3) A business's Internet web page.
522	522	2022 IN 1261—LS 7000/DI 148 13
523	523	1 (4) A business's toll free telephone number.
524	524	2 (5) Another method of contact for a business that is approved
525	525	3 by the consumer protection division.
526	526	4 (c) A business is not obligated to provide information to a
527	527	5 verifiable consumer requestor who submits a request if the
528	528	6 business cannot verify that the verifiable consumer requestor
529	529	7 making the request is either:
530	530	8 (1) the consumer about whom the business has collected
531	531	9 information; or
532	532	10 (2) a person authorized by the consumer to act on the
533	533	11 consumer's behalf.
534	534	12 Sec. 2. (a) A business that sells or shares a consumer's personal
535	535	13 information, or that discloses a consumer's personal information
536	536	14 for a business purpose, shall disclose, upon receipt of a verifiable
537	537	15 consumer request:
538	538	16 (1) the categories of personal information that the business
539	539	17 sold or shared about the consumer, including the categories of
540	540	18 third parties to whom the personal information was sold or
541	541	19 shared; and
542	542	20 (2) the categories of personal information that the business
543	543	21 disclosed for a business purpose, including the categories of
544	544	22 persons to whom the personal information was disclosed for
545	545	23 a business purpose.
546	546	24 (b) If a business has not sold or shared a consumer's personal
547	547	25 information, the business shall disclose that fact upon receipt of a
548	548	26 verifiable consumer request from a verifiable consumer requestor.
549	549	27 (c) A third party shall not sell personal information about a
550	550	28 consumer that has been sold to, or shared with, the third party by
551	551	29 a business unless the consumer has received explicit notice and is
552	552	30 provided an opportunity to opt out.
553	553	31 (d) If a third party materially alters the manner in which the
554	554	32 third party uses or shares the consumer's personal information in
555	555	33 a manner that is materially inconsistent with the promises made at
556	556	34 the time of collection, the third party shall give the consumer prior
557	557	35 notice of the new or changed practice.
558	558	36 Sec. 3. (a) A business is not required to disclose an educational
559	559	37 assessment, or a consumer's specific responses to the educational
560	560	38 assessment, if consumer access would provide an advantage to:
561	561	39 (1) the verifiable consumer requestor who submitted the
562	562	40 verifiable consumer request; or
563	563	41 (2) another individual.
564	564	42 (b) A business that refuses a verified consumer requestor's
565	565	2022 IN 1261—LS 7000/DI 148 14
566	566	1 verified consumer request under this section shall notify the
567	567	2 verified consumer requestor that the business is acting under
568	568	3 subsection (a).
569	569	4 Chapter 5. Right to Delete
570	570	5 Sec. 1. (a) A business that collects personal information about a
571	571	6 consumer shall inform the consumer of the consumer's right to
572	572	7 request the deletion of the consumer's personal information.
573	573	8 (b) Except as otherwise provided, a business that receives a
574	574	9 verifiable consumer request about a consumer from a verifiable
575	575	10 consumer requestor to delete the consumer's personal information
576	576	11 shall:
577	577	12 (1) delete the consumer's personal information from the
578	578	13 business's records;
579	579	14 (2) notify the business's service providers or contractors to
580	580	15 delete the consumer's personal information from their
581	581	16 records; and
582	582	17 (3) notify all third parties to whom the business has sold or
583	583	18 shared the personal information to delete the consumer's
584	584	19 personal information unless notifying all third parties is
585	585	20 impossible.
586	586	21 (c) Except as otherwise provided, a business may maintain a
587	587	22 confidential record of deletion requests:
588	588	23 (1) to prevent the consumer's personal information from
589	589	24 being sold;
590	590	25 (2) to ensure compliance with laws; and
591	591	26 (3) for other purposes permitted under this article.
592	592	27 Sec. 2. A service provider or contractor shall cooperate with a
593	593	28 business in responding to a verifiable consumer request and, at the
594	594	29 direction of the business, shall:
595	595	30 (1) delete or enable the business to delete the requested
596	596	31 personal information;
597	597	32 (2) notify any of the service provider's or contractor's own
598	598	33 service providers or contractors to delete personal
599	599	34 information about the consumer collected, used, processed, or
600	600	35 retained by the service provider or the contractor; and
601	601	36 (3) notify all service providers, contractors, or third parties
602	602	37 who may have accessed personal information from or through
603	603	38 the service provider to delete the consumer's personal
604	604	39 information, unless notifying all service providers,
605	605	40 contractors, or third parties is impossible.
606	606	41 Sec. 3. A service provider or contractor is not required to
607	607	42 comply with a deletion request submitted by a verifiable consumer
608	608	2022 IN 1261—LS 7000/DI 148 15
609	609	1 requestor directly to the service provider or contractor to the
610	610	2 extent that the service provider or contractor has collected, used,
611	611	3 processed, or retained the consumer's personal information in the
612	612	4 service provider's or contractor's role as a service provider or
613	613	5 contractor to the business.
614	614	6 Sec. 4. A business, service provider, or contractor acting under
615	615	7 a contract with another business, service provider, or contractor
616	616	8 is not required to delete the consumer's personal information
617	617	9 under this chapter if it is reasonably necessary to maintain the
618	618	10 consumer's personal information to do the following:
619	619	11 (1) Complete the transaction for which the personal
620	620	12 information was collected.
621	621	13 (2) Fulfill the terms of a written warranty or product recall
622	622	14 conducted under federal law.
623	623	15 (3) Provide a good or service requested by the consumer or
624	624	16 reasonably anticipated by the consumer within the context of
625	625	17 a business's ongoing business relationship with the consumer.
626	626	18 (4) Help to ensure security and integrity to the extent the use
627	627	19 of the consumer's personal information is reasonably
628	628	20 necessary to ensure security and integrity.
629	629	21 (5) Identify and repair errors that impair existing intended
630	630	22 functionality.
631	631	23 (6) Exercise free speech, ensure the right of another consumer
632	632	24 to exercise that consumer's right of free speech, or exercise
633	633	25 another right provided for by law.
634	634	26 (7) Engage in public or peer reviewed research that conforms
635	635	27 or adheres to all other applicable ethics and privacy laws, if
636	636	28 the consumer has provided informed consent, and the
637	637	29 business's deletion of the information is likely to:
638	638	30 (A) render impossible; or
639	639	31 (B) seriously impair;
640	640	32 the ability to complete the research.
641	641	33 (8) Enable solely internal uses that are:
642	642	34 (A) reasonably aligned with the expectations of the
643	643	35 consumer based on the consumer's relationship with the
644	644	36 business; and
645	645	37 (B) compatible with the context in which the consumer
646	646	38 provided the information.
647	647	39 (9) Comply with a legal obligation.
648	648	40 Sec. 5. (a) Law enforcement agencies may direct a business not
649	649	41 to delete a consumer's personal information if the law enforcement
650	650	42 agency:
651	651	2022 IN 1261—LS 7000/DI 148 16
652	652	1 (1) is actively investigating the consumer; and
653	653	2 (2) has an active case number for the investigation.
654	654	3 (b) Upon receiving a request under subsection (a), a business
655	655	4 must not delete the consumer's personal information for at least
656	656	5 ninety (90) days to allow the law enforcement agency to obtain a
657	657	6 court issued subpoena, order, or warrant for the consumer's
658	658	7 personal information.
659	659	8 (c) For good cause and only to the extent necessary for
660	660	9 investigatory purposes, a law enforcement agency may direct the
661	661	10 business not to delete the consumer's personal information for an
662	662	11 additional ninety (90) day period.
663	663	12 (d) Except as provided in subsection (e), a business that has
664	664	13 received direction from law enforcement under this section shall
665	665	14 not use the consumer's personal information for any purpose other
666	666	15 than retaining it to produce to law enforcement in response to a
667	667	16 court issued subpoena, order, or warrant.
668	668	17 (e) If a verified consumer requestor's deletion request is subject
669	669	18 to an exemption from deletion under this article, a business that
670	670	19 has received direction from law enforcement under this section
671	671	20 may continue to use the consumer's personal information for
672	672	21 purposes of the exemption.
673	673	22 (f) A business that refuses a verified consumer requestor's
674	674	23 verified consumer request under this section shall notify the
675	675	24 verified consumer requestor that:
676	676	25 (1) it is acting under this section; and
677	677	26 (2) the particular subsection that it is relying on to refuse the
678	678	27 verified consumer requestor's verified request.
679	679	28 Chapter 6. Right to Correct
680	680	29 Sec. 1. A business that receives a verifiable consumer request to
681	681	30 correct inaccurate personal information shall use commercially
682	682	31 reasonable efforts to correct the inaccurate personal information
683	683	32 as directed by the consumer.
684	684	33 Chapter 7. Right to Opt Out of Sale or Sharing
685	685	34 Sec. 1. At any time, a consumer is entitled to opt out of sale or
686	686	35 sharing by prohibiting a business from selling or sharing the
687	687	36 consumer's personal information.
688	688	37 Sec. 2. (a) A business that sells or shares a consumer's personal
689	689	38 information with a third party shall provide notice to the consumer
690	690	39 that:
691	691	40 (1) the consumer's personal information may be sold or
692	692	41 shared; and
693	693	42 (2) the consumer has the right to opt out of sale or sharing of
694	694	2022 IN 1261—LS 7000/DI 148 17
695	695	1 their personal information.
696	696	2 (b) Except as provided in subsection (c), a business must not sell
697	697	3 or share a consumer's personal information if the business has
698	698	4 actual knowledge that the consumer is less than sixteen (16) years
699	699	5 of age.
700	700	6 (c) A business may sell or share a consumer's personal
701	701	7 information knowing that the consumer is less than sixteen (16)
702	702	8 years of age if:
703	703	9 (1) the consumer, if the consumer is at least thirteen (13) years
704	704	10 of age but less than sixteen (16) years of age; or
705	705	11 (2) the consumer's parent or guardian, if the consumer is less
706	706	12 than thirteen (13) years of age;
707	707	13 has affirmatively authorized the sale or sharing of the consumer's
708	708	14 personal information.
709	709	15 (d) A business that willfully disregards the consumer's age shall
710	710	16 be deemed to have had actual knowledge of the consumer's age.
711	711	17 (e) A business that receives direction from a consumer not to sell
712	712	18 or share the consumer's personal information shall not sell or
713	713	19 share the consumer's personal information, unless the consumer
714	714	20 subsequently provides consent.
715	715	21 Chapter 8. Right to Restrict
716	716	22 Sec. 1. At any time, a consumer may limit a business's use of the
717	717	23 consumer's sensitive personal information:
718	718	24 (1) to that which is necessary to perform the services or
719	719	25 provide the goods reasonably expected by an average
720	720	26 consumer who requests those goods or services;
721	721	27 (2) to perform the services in IC 24-15-3-6(b)(2),
722	722	28 IC 24-15-3-6(b)(4), and IC 24-15-3-6(b)(5); and
723	723	29 (3) as otherwise authorized under this article.
724	724	30 Chapter 9. Business Exceptions
725	725	31 Sec. 1. A business's duties under this article do not restrict the
726	726	32 business's ability to do the following:
727	727	33 (1) Comply with federal, state, or local laws.
728	728	34 (2) Comply with a court order or subpoena to provide
729	729	35 information.
730	730	36 (3) Comply with a civil, criminal, or regulatory inquiry,
731	731	37 investigation, subpoena, or summons by federal, state, or local
732	732	38 authorities.
733	733	39 (4) Cooperate with law enforcement agencies concerning
734	734	40 conduct or activity that the business, service provider, or
735	735	41 third party reasonably and in good faith believes may violate
736	736	42 federal, state, or local law.
737	737	2022 IN 1261—LS 7000/DI 148 18
738	738	1 (5) Cooperate with a government agency request for
739	739	2 emergency access to a consumer's personal information if a
740	740	3 natural person is at risk or danger of death or serious physical
741	741	4 injury if:
742	742	5 (A) the request is approved by a high ranking agency
743	743	6 officer for emergency access to a consumer's personal
744	744	7 information;
745	745	8 (B) the request is based on the agency's good faith
746	746	9 determination that it has a lawful basis to access the
747	747	10 information on a nonemergency basis; or
748	748	11 (C) the agency agrees to petition a court for an appropriate
749	749	12 order within three (3) days and to destroy the information
750	750	13 if that order is not granted.
751	751	14 (6) Exercise or defend legal claims.
752	752	15 (7) Collect, use, retain, sell, share, or disclose a consumer's
753	753	16 personal information that is:
754	754	17 (A) deidentified; or
755	755	18 (B) aggregate consumer information.
756	756	19 (8) Collect, sell, or share a consumer's personal information
757	757	20 if every aspect of that commercial conduct takes place wholly
758	758	21 outside of Indiana.
759	759	22 Sec. 2. A business's duties under this article shall not:
760	760	23 (1) apply where compliance by the business would violate an
761	761	24 evidentiary privilege under state law; and
762	762	25 (2) prevent a business from providing the personal
763	763	26 information of a consumer to a person covered by an
764	764	27 evidentiary privilege under state law as part of a privileged
765	765	28 communication.
766	766	29 Sec. 3. (a) A business may, depending on the complexity of the
767	767	30 verifiable consumer request and number of other verifiable
768	768	31 consumer requests, extend its response time period by up to ninety
769	769	32 (90) days total when necessary. The business shall inform the
770	770	33 verifiable consumer requestor of any such extension within
771	771	34 forty-five (45) days of receipt of the verified consumer request,
772	772	35 together with the reasons for the delay.
773	773	36 (b) If the business chooses not to take action on the verifiable
774	774	37 consumer requestor's verifiable consumer request, the business
775	775	38 shall immediately notify the verifiable consumer requestor of the
776	776	39 reasons for not taking action and any rights the verifiable
777	777	40 consumer requestor may have to appeal the decision to the
778	778	41 business. The notice under this subdivision must occur within the
779	779	42 permitted response time period.
780	780	2022 IN 1261—LS 7000/DI 148 19
781	781	1 (c) If a verifiable consumer requestor's verifiable consumer
782	782	2 request is manifestly unfounded or excessive, a business may
783	783	3 either:
784	784	4 (1) charge a reasonable fee, taking into account the
785	785	5 administrative costs of providing the information or
786	786	6 communication or taking the action requested; or
787	787	7 (2) refuse to act on the request and notify the verifiable
788	788	8 consumer requestor of the reason for refusing the verifiable
789	789	9 consumer request.
790	790	10 The business bears the burden of proving that a verified consumer
791	791	11 request is manifestly unfounded or excessive.
792	792	12 Sec. 4. (a) A business that discloses a consumer's personal
793	793	13 information to a service provider or contractor is not liable if:
794	794	14 (1) the service provider or contractor uses the consumer's
795	795	15 personal information in violation of this article; and
796	796	16 (2) at the time of disclosing the personal information, the
797	797	17 business does not have:
798	798	18 (A) actual knowledge; or
799	799	19 (B) reason to believe;
800	800	20 that the service provider or contractor intends to commit such
801	801	21 a violation.
802	802	22 (b) A service provider or contractor is not liable for a business
803	803	23 that it provides services to if the business violates this article.
804	804	24 (c) A business that discloses a consumer's personal information
805	805	25 to a third party under a written contract is not liable if:
806	806	26 (1) the third party uses it in violation of this article; and
807	807	27 (2) at the time of disclosing the personal information, the
808	808	28 business does not have:
809	809	29 (A) actual knowledge; or
810	810	30 (B) reason to believe;
811	811	31 that the third party intends to commit the violation.
812	812	32 Sec. 5. (a) A verifiable consumer request for:
813	813	33 (1) access to specific pieces of personal information, under
814	814	34 IC 24-15-4-1;
815	815	35 (2) deletion of a consumer's personal information, under
816	816	36 IC 24-15-5-2; or
817	817	37 (3) correction of inaccurate personal information, under
818	818	38 IC 24-15-6-1;
819	819	39 does not extend to personal information about the consumer that
820	820	40 belongs to, or that the business maintains on behalf of, another
821	821	41 individual.
822	822	42 (b) A business:
823	823	2022 IN 1261—LS 7000/DI 148 20
824	824	1 (1) may rely on representations made in a verifiable consumer
825	825	2 request;
826	826	3 (2) is under no legal requirement to seek out other persons
827	827	4 that may have rights to personal information; and
828	828	5 (3) is under no legal obligation to take any action under this
829	829	6 article in the event of a dispute between or among persons
830	830	7 claiming rights to personal information in the business's
831	831	8 possession.
832	832	9 Sec. 6. The right to deletion (IC 24-15-5) and the right to opt out
833	833	10 of sale or sharing (IC 24-15-7) shall not apply to the following:
834	834	11 (1) A business's use, disclosure, or sale of particular pieces of
835	835	12 a consumer's personal information if the consumer has
836	836	13 consented to the business's use, disclosure, or sale of that
837	837	14 information to produce a physical item, including a school
838	838	15 yearbook containing the consumer's photograph if:
839	839	16 (A) the business has incurred significant expense in
840	840	17 reliance on the consumer's consent;
841	841	18 (B) compliance with the consumer's request to opt out of
842	842	19 the sale of the consumer's personal information or to delete
843	843	20 the consumer's personal information would not be
844	844	21 commercially reasonable; and
845	845	22 (C) the business complies with the consumer's request as
846	846	23 soon as it is commercially reasonable to do so.
847	847	24 (2) A commercial credit reporting agency's collection,
848	848	25 processing, sale, or disclosure of business controller
849	849	26 information to the extent the commercial credit reporting
850	850	27 agency uses the business controller information solely to:
851	851	28 (A) identify the relationship of a consumer to a business
852	852	29 that the consumer owns; or
853	853	30 (B) contact the consumer only in the consumer's role as the
854	854	31 owner, director, officer, or management employee of the
855	855	32 business.
856	856	33 (3) Vehicle information or ownership information retained or
857	857	34 shared between:
858	858	35 (A) a new motor vehicle dealer (as defined in
859	859	36 IC 9-32-2-18.3); and
860	860	37 (B) the vehicle's manufacturer (as defined in IC 9-13-2-97);
861	861	38 for a vehicle repair covered by a vehicle warranty or a recall
862	862	39 conducted under 49 U.S.C. 30118-30120 if the information is
863	863	40 not used for any other purpose.
864	864	41 Chapter 10. Enforcement
865	865	42 Sec. 1. The division of consumer protection, created under
866	866	2022 IN 1261—LS 7000/DI 148 21
867	867	1 IC 4-6-9, shall enforce this article.
868	868	2022 IN 1261—LS 7000/DI 148