Introduced Version

HOUSE BILL No. 1261
_____

DIGEST OF INTRODUCED BILL

Citations Affected: IC 4-6-9-9; IC 24-15.

Synopsis: Consumer privacy. Requires businesses to disclose certain information to consumers. Outlines different requests a consumer may make with businesses regarding the consumer's personal information. Assigns enforcement of consumer privacy law to the Indiana division of consumer protection. Exempts certain government entities and certain types of information. Provides certain business exceptions.

Effective: July 1, 2022.

Hamilton

January 10, 2022, read first time and referred to Committee on Commerce, Small Business and Economic Development.

2022 IN 1261—LS 7000/DI 148

Introduced

Second Regular Session of the 122nd General Assembly (2022)

PRINTING CODE. Amendments: Whenever an existing statute (or a section of the Indiana Constitution) is being amended, the text of the existing provision will appear in this style type, additions will appear in this style type, and deletions will appear in this style type. Additions: Whenever a new statutory provision is being enacted (or a new constitutional provision adopted), the text of the new provision will appear in this style type. Also, the word NEW will appear in that style type in the introductory clause of each SECTION that adds a new provision to the Indiana Code or the Indiana Constitution. Conflict reconciliation: Text in a statute in this style type or this style type reconciles conflicts between statutes enacted by the 2021 Regular Session of the General Assembly.

HOUSE BILL No. 1261

A BILL FOR AN ACT to amend the Indiana Code concerning trade regulation.

Be it enacted by the General Assembly of the State of Indiana:

SECTION 1. IC 4-6-9-9 IS ADDED TO THE INDIANA CODE AS A NEW SECTION TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2022]: Sec. 9. (a) The division shall enforce the consumer privacy article (IC 24-15).
(b) The division shall adopt rules under IC 4-22-2 to carry out IC 24-15.
SECTION 2. IC 24-15 IS ADDED TO THE INDIANA CODE AS A NEW ARTICLE TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2022]:
ARTICLE 15. CONSUMER PRIVACY

Chapter 1. Applicability
Sec. 1. This article applies to a person that does one (1) or more of the following:
    (1) Conducts business in Indiana.
    (2) Produces products or services that are marketed to Indiana residents.
    (3) Controls or processes personal data of either of the following:
        (A) At least one hundred thousand (100,000) consumers during a calendar year.
        (B) At least twenty-five thousand (25,000) consumers during a calendar year and derives more than fifty percent (50%) of gross revenue from the sale of personal data.
Sec. 2. The consumer rights and the business duties in this article must not adversely affect the rights and freedoms of other individuals.
Sec. 3. This article does not require a business, service provider, or contractor to:
    (1) Reidentify or otherwise link information that, in the ordinary course of business, is not maintained in a manner that would cause the information to be considered personal information.
    (2) Retain any personal information about a consumer if the personal information would not be retained in the ordinary course of business.
    (3) Maintain information in an identifiable, linkable, or associable form, or collect, obtain, retain, or access any data or technology, as a means of linking or associating a verifiable consumer request with personal information.

Chapter 2. Exemptions
Sec. 1. This article does not apply to the following:
    (1) The executive, judicial, or legislative branch of state government, or any political subdivision.
    (2) A unit (as defined in IC 36-1-2-23).
    (3) The county office of any of the following:
        (A) Auditor.
        (B) Treasurer.
        (C) Recorder.
        (D) Surveyor.
        (F) Coroner.
        (G) Assessor.
    (4) The county sheriff's department.
    (5) A health care provider or a covered entity governed by federal privacy law, to the extent the provider or covered entity complies with the federal privacy law.
Sec. 2. (a) This article does not apply to any of the following information:
    (1) Medical information or health records protected under IC 4-6-14.
    (2) Personal information collected as part of a clinical trial or other biomedical research study if:
        (A) the information is not sold or shared; and
        (B) it is inconsistent that participants be informed of that use and provide consent.
    (3) Personal information that is collected, processed, sold, or disclosed subject to the following:
        (A) The federal Gramm-Leach-Bliley Act (P.L. 106-102), and implementing regulations.
        (B) The federal Farm Credit Act of 1971 (as amended in 12 U.S.C. 2001-2279cc and implementing regulations, 12 CFR 600, et seq.).
        (C) The federal Driver's Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.).
    (4) Personal information collected by a business about the following individuals, including emergency contact information, that is used solely in the context of the individual's role, or former role, with the business:
        (A) A job applicant.
        (B) An employee.
        (C) An owner.
        (D) A director.
        (E) An officer.
        (F) A medical staff member.
        (G) An independent contractor.
Sec. 3. This article does not apply to an activity involving personal information that bears on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living:
    (1) by a consumer reporting agency;
    (2) by a furnisher of information, who provides information for use in a consumer report; or
    (3) by a user of a consumer report;
to the extent that the activity involving the information is subject to regulation under the Fair Credit Reporting Act (15 U.S.C.
1681 et seq.), and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.
Sec. 4. The duties imposed on businesses in IC 24-15-4, IC 24-15-5, and IC 24-15-6 do not apply to household data.

Chapter 3. Definitions
Sec. 1. The definitions in this chapter apply throughout this article.
Sec. 2. "Aggregate consumer information" means information:
    (1) that relates to a group or category of consumers;
    (2) from which individual consumer identities have been removed; and
    (3) that is not linked or reasonably linkable to any consumer or household, including via a device.
The term does not include one (1) or more individual consumer records that have been deidentified.
Sec. 3. (a) "Biometric information" means an individual's physiological, biological, or behavioral characteristic used, or intended to be used, to establish the individual's identity.
(b) The term includes:
    (1) a retina or iris scan;
    (2) a fingerprint;
    (3) a voiceprint;
    (4) a handprint;
    (5) a faceprint;
    (6) a keystroke pattern;
    (7) a gait pattern; and
    (8) sleep, health, or exercise data;
from which identifying information about an individual can be extracted.
Sec. 4. (a) "Business" means a person that:
    (1) collects, or on behalf of which is collected, consumers' personal information;
    (2) determines the purpose and means of processing a consumer's personal information;
    (3) provides goods or services in Indiana; and
    (4) satisfies at least one (1) of the following:
        (A) As of January 1 of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year.
        (B) Alone or combined, annually buys, sells, or shares the personal information of at least one hundred thousand (100,000) consumers, households, or devices.
        (C) Derives at least fifty percent (50%) of the person's annual revenues from selling or sharing personal information.
(b) The term includes a person that is not described in subsection (a) and voluntarily certifies to the consumer protection division that the person is in compliance with and agrees to be bound by this article.
Sec. 5. "Business controller information" means the name of the owner, director, officer, or management employee of a business and the contact information, including a business title, for the owner, director, officer, or management employee.
Sec. 6. (a) "Business purpose" means the use of personal information for:
    (1) the business's operational purposes;
    (2) other notified purposes;
    (3) the service provider or contractor's operational purposes if the use of personal information is reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed; or
    (4) another operational purpose that is compatible with the context in which the personal information was collected.
(b) The term includes the following:
    (1) Auditing related to counting ad impressions of unique visitors.
    (2) Helping to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate for these purposes.
    (3) Debugging to identify and repair errors that impair existing intended functionality.
    (4) Undertaking internal research for technological development and demonstration.
    (5) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned by, manufactured by, manufactured for, or controlled by the business.
Sec. 7. "Collects", "collected", or "collection" means:
    (1) buying;
    (2) renting;
    (3) gathering;
    (4) obtaining;
    (5) receiving; or
    (6) accessing;
any personal information about a consumer, including by observing a consumer's behavior.
Sec. 8. "Commercial credit reporting agency" means any person who, for monetary fees or dues or on a cooperative nonprofit basis, provides commercial credit reports to third parties.
Sec. 9. "Commercial purposes" means to advance a person's economic interests, such as by inducing another person to enable a commercial transaction.
Sec. 10. (a) "Consent" means a freely given affirmative act that indicates:
    (1) a consumer;
    (2) a consumer's legal guardian;
    (3) a person who has power of attorney for the consumer; or
    (4) a person acting as a conservator for a consumer;
agrees to having the consumer's personal information processed for a particular purpose.
(b) The following do not constitute consent:
    (1) Accepting a general terms of use that contains descriptions of personal information processing along with other unrelated information.
    (2) Hovering over, muting, pausing, or closing a given piece of content.
    (3) Agreement obtained through use of dark patterns.
Sec. 11. "Consumer" means an Indiana resident acting only in an individual or household context. The term does not include an individual acting in a commercial or employment context.
Sec. 12. "Consumer report" and "consumer reporting agency" have the same meaning as set forth in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
Sec. 13. "Contractor" means a person to whom the business makes available a consumer's personal information for a business purpose, under a written contract with the business.
Sec. 14. "Controller" means the person that, alone or jointly with others, determines the purpose and means for processing personal data.
Sec. 15. "Covered entity" has the meaning ascribed to that term in the federal Health Insurance Portability Act (HIPAA) (P.L. 104-191).
Sec. 16. "Dark pattern" means a user interface designed to trick the consumer. This term includes tricking a consumer into:
    (1) buying additional items; or
    (2) publicly sharing more information than the consumer intended to.
Sec. 17. "Deidentified information" means data that cannot reasonably be linked to a particular consumer.
Sec. 18. "Device" means any physical object that is capable of connecting directly or indirectly to the Internet or to another device.
Sec. 19. "Director" has the same meaning set forth in IC 23-1-37-2.
Sec. 20. "Educational assessment" means a quiz, test, or other assessment, whether standardized or nonstandardized, that is used to do the following:
    (1) Evaluate students in, or for entry to the following:
        (A) A school corporation, charter school, or nonpublic school with one (1) or more employees providing instruction for students in kindergarten through grade 12.
        (B) A postsecondary educational institution that is accredited by an accrediting agency recognized by the United States Department of Education.
        (C) A vocational program.
        (D) A postgraduate program that is accredited by an accrediting agency recognized by the United States Department of Education.
    (2) Determine competency and eligibility to receive certification or licensure from a government agency or government certification body.
Sec. 21. "Household" means multiple consumers who cohabitate with one another at the same residential address and share use of common devices or services.
Sec. 22. (a) "Intentionally interact" means to deliberately:
    (1) interact with a person; or
    (2) disclose personal information;
including visiting the person's Internet web site or purchasing a good or service from the person.
(b) The term does not include:
    (1) hovering over;
    (2) muting;
    (3) pausing; or
    (4) closing;
a given piece of content.
Sec. 23. "Management employee" means an individual whose name and contact information is:
    (1) reported to or collected by a commercial credit reporting agency as the primary manager of a business; and
    (2) used solely within the context of the individual's role as the primary manager of the business.
Sec. 24. "Ownership information" means the registered owner's name and contact information.
Sec. 25. (a) "Officer" means an individual elected or appointed by the board of directors of a business to manage the daily operations of the business.
(b) The term includes the following:
    (1) A chief executive officer.
    (2) A president.
    (3) A secretary.
    (4) A treasurer.
Sec. 26. "Person" means an individual or a legal entity.
Sec. 27. (a) "Personal information" means information that:
    (1) identifies;
    (2) relates to;
    (3) describes;
    (4) is reasonably capable of being associated with; or
    (5) could reasonably be linked with;
a particular consumer or household.
(b) The term includes the following:
    (1) Identifiers, including:
        (A) a real name;
        (B) an alias;
        (C) a postal address;
        (D) a unique personal identifier;
        (E) an online identifier;
        (F) an Internet protocol address;
        (G) an electronic mail address;
        (H) an account name;
        (I) a Social Security number;
        (J) a driver's license number; or
        (K) a passport number.
    (2) Characteristics of protected classifications under state or federal law.
    (3) Commercial information, including:
        (A) records of personal property;
        (B) products or services;
            (i) purchased;
            (ii) obtained; or
            (iii) considered; or
        (C) other purchasing tendencies or consuming histories.
    (4) Biometric information.
    (5) Internet or other electronic network activity information, including:
        (A) browsing history;
        (B) search history; or
        (C) information regarding a consumer's interaction with:
            (i) an Internet web site;
            (ii) an application; or
            (iii) an advertisement.
    (6) Geolocation data.
    (7) Audio, electronic, visual, thermal, olfactory, or similar information.
    (8) Professional or employment related information.
    (9) Education information, defined as not publicly available personally identifiable information under the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 CFR Part 99).
    (10) Inferences drawn from any of the information identified in this subsection to create a profile reflecting the consumer's:
        (A) preferences;
        (B) characteristics;
        (C) psychological trends;
        (D) predispositions;
        (E) behavior;
        (F) attitudes;
        (G) intelligence;
        (H) abilities; and
        (I) aptitudes.
    (11) Sensitive personal information.
(c) The term does not include:
    (1) publicly available information;
    (2) consumer information that is deidentified; or
    (3) aggregate consumer information.
For purposes of this subsection and section 34 of this chapter, "publicly available" means information that is lawfully made available from federal, state, or local government records. The term does not mean biometric information collected by a business about a consumer without the consumer's knowledge.
Sec. 28. "Precise geolocation" means data:
    (1) that is derived from a device; and
    (2) that is used, or intended to be used, to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of one thousand eight hundred and fifty (1,850) feet, except as prescribed by regulations.
Sec. 29. "Probabilistic identifier" means the identification of a:
    (1) consumer; or
    (2) device;
that is more probable than not based on personal information.
Sec. 30. "Processing" means an operation that is performed on personal data, whether or not by automated means.
Sec. 31. "Research" means scientific and systematic study and observation, including:
    (1) basic research or applied research:
        (A) that is designed to contribute to scientific knowledge in the public interest; and
        (B) that adheres to all other applicable ethics and privacy laws; or
    (2) studies conducted in the public interest in the area of public health.
Sec. 32. "Security and integrity" means the ability of the following:
    (1) Networks or information systems to detect security incidents that compromise the:
        (A) availability;
        (B) authenticity;
        (C) integrity; and
        (D) confidentiality;
    of stored or transmitted personal information.
    (2) Businesses to:
        (A) detect security incidents;
        (B) resist malicious, deceptive, fraudulent, or illegal actions; and
        (C) help prosecute those responsible for those actions.
    (3) Businesses to ensure the physical safety of natural persons.
Sec. 33. (a) "Sell", "selling", "sale", or "sold", means any attempt to dispose of a consumer's personal information for monetary or other valuable consideration.
(b) "Sell", "selling", "sale", or "sold" does not include when:
    (1) a consumer:
        (A) uses or directs the business to intentionally disclose personal information; or
        (B) uses the business to intentionally interact with a third party;
    (2) the business uses or shares an identifier to alert persons that the consumer has opted out of the sale of the consumer's personal information;
    (3) the business uses or shares an identifier to alert persons that the consumer has limited the use of the consumer's sensitive personal information; or
    (4) the business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business.
Sec. 34. (a) "Sensitive personal information" means:
    (1) personal information that reveals:
        (A) a consumer's Social Security, driver's license, state identification card, or passport number;
        (B) a consumer's:
            (i) account login;
            (ii) financial account;
            (iii) debit card; or
            (iv) credit card number;
        with any required security or access code, password, or credentials allowing access to an account;
        (C) a consumer's precise geolocation;
        (D) a consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership;
        (E) the contents of a consumer's mail, electronic mail, and text messages, unless the business is the intended recipient of the communication; or
        (F) a consumer's genetic data;
    (2) biometric information processed to uniquely identifying a consumer;
    (3) personal information concerning a consumer's health; or
    (4) personal information concerning a consumer's sex life or sexual orientation.
(b) The term does not include information that is publicly available.
Sec. 35. "Service" or "services" means work, labor, and services, including services furnished in connection with the sale or repair of goods.
Sec. 36. "Service provider" means a person that processes information on behalf of a business and to which the business discloses a consumer's personal information for a business purpose under a written contract.
Sec. 37. (a) "Share," "shared," or "sharing" means communicating a consumer's personal information by the business to a third party for cross context behavioral advertising, whether or not for monetary or other valuable consideration. This also includes transactions for the benefit of a business in which no money is exchanged.
Sec. 38. "Third party" means a person who is not any of the following:
    (1) The business with whom the consumer intentionally interacts.
    (2) A service provider to the business.
    (3) A contractor.
Sec. 39. "Vehicle information" means the vehicle identification number, make, model, year, and odometer reading.
Sec. 40. "Verifiable consumer request" means a request that the business can verify, using commercially reasonable methods, to be the consumer about whom the business has collected personal information.
Sec. 41. "Verifiable consumer requestor" means the following persons who may submit a verifiable consumer request:
    (1) The consumer.
    (2) The consumer on behalf of the consumer's minor child.
    (3) The consumer's agent.
    (4) A person who has the power of attorney for the consumer.
    (5) A conservator for the consumer.

Chapter 4. Right to Access
Sec. 1. (a) Except as provided in section 3 of this chapter, upon receipt of a verifiable consumer request about a consumer from a verifiable consumer requestor, a business shall disclose the following:
    (1) The categories of personal information the business has collected about the consumer.
    (2) The consumer's right to request the specific pieces of personal information the business has collected about the consumer.
    (3) The categories of sources described in subdivisions (1) and (2) from which the personal information is collected.
    (4) The business's purpose for collecting, selling, or sharing personal information.
    (5) The categories of third parties to whom the business discloses personal information.
(b) A verifiable consumer requestor shall submit a verifiable consumer request through one (1) of the following:
    (1) A business's mailing address.
    (2) A business's electronic mail address.
    (3) A business's Internet web page.
    (4) A business's toll free telephone number.
    (5) Another method of contact for a business that is approved by the consumer protection division.
(c) A business is not obligated to provide information to a verifiable consumer requestor who submits a request if the business cannot verify that the verifiable consumer requestor making the request is either:
    (1) the consumer about whom the business has collected information; or
    (2) a person authorized by the consumer to act on the consumer's behalf.
Sec. 2. (a) A business that sells or shares a consumer's personal information, or that discloses a consumer's personal information for a business purpose, shall disclose, upon receipt of a verifiable consumer request:
    (1) the categories of personal information that the business sold or shared about the consumer, including the categories of third parties to whom the personal information was sold or shared; and
    (2) the categories of personal information that the business disclosed for a business purpose, including the categories of persons to whom the personal information was disclosed for a business purpose.
(b) If a business has not sold or shared a consumer's personal information, the business shall disclose that fact upon receipt of a verifiable consumer request from a verifiable consumer requestor.
(c) A third party shall not sell personal information about a consumer that has been sold to, or shared with, the third party by a business unless the consumer has received explicit notice and is provided an opportunity to opt out.
(d) If a third party materially alters the manner in which the third party uses or shares the consumer's personal information in a manner that is materially inconsistent with the promises made at the time of collection, the third party shall give the consumer prior notice of the new or changed practice.
Sec. 3. (a) A business is not required to disclose an educational assessment, or a consumer's specific responses to the educational assessment, if consumer access would provide an advantage to:
    (1) the verifiable consumer requestor who submitted the verifiable consumer request; or
    (2) another individual.
(b) A business that refuses a verified consumer requestor's verified consumer request under this section shall notify the verified consumer requestor that the business is acting under subsection (a).

Chapter 5. Right to Delete
Sec. 1. (a) A business that collects personal information about a consumer shall inform the consumer of the consumer's right to request the deletion of the consumer's personal information.
(b) Except as otherwise provided, a business that receives a verifiable consumer request about a consumer from a verifiable consumer requestor to delete the consumer's personal information shall:
    (1) delete the consumer's personal information from the business's records;
    (2) notify the business's service providers or contractors to delete the consumer's personal information from their records; and
    (3) notify all third parties to whom the business has sold or shared the personal information to delete the consumer's personal information unless notifying all third parties is impossible.
(c) Except as otherwise provided, a business may maintain a confidential record of deletion requests:
    (1) to prevent the consumer's personal information from being sold;
    (2) to ensure compliance with laws; and
    (3) for other purposes permitted under this article.
Sec. 2. A service provider or contractor shall cooperate with a business in responding to a verifiable consumer request and, at the direction of the business, shall:
    (1) delete or enable the business to delete the requested personal information;
    (2) notify any of the service provider's or contractor's own service providers or contractors to delete personal information about the consumer collected, used, processed, or retained by the service provider or the contractor; and
    (3) notify all service providers, contractors, or third parties who may have accessed personal information from or through the service provider to delete the consumer's personal information, unless notifying all service providers, contractors, or third parties is impossible.
Sec. 3. A service provider or contractor is not required to comply with a deletion request submitted by a verifiable consumer requestor directly to the service provider or contractor to the extent that the service provider or contractor has collected, used, processed, or retained the consumer's personal information in the service provider's or contractor's role as a service provider or contractor to the business.
Sec. 4. A business, service provider, or contractor acting under a contract with another business, service provider, or contractor is not required to delete the consumer's personal information under this chapter if it is reasonably necessary to maintain the consumer's personal information to do the following:
    (1) Complete the transaction for which the personal information was collected.
    (2) Fulfill the terms of a written warranty or product recall conducted under federal law.
    (3) Provide a good or service requested by the consumer or reasonably anticipated by the consumer within the context of a business's ongoing business relationship with the consumer.
    (4) Help to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary to ensure security and integrity.
    (5) Identify and repair errors that impair existing intended functionality.
    (6) Exercise free speech, ensure the right of another consumer to exercise that consumer's right of free speech, or exercise another right provided for by law.
    (7) Engage in public or peer reviewed research that conforms or adheres to all other applicable ethics and privacy laws, if the consumer has provided informed consent, and the business's deletion of the information is likely to:
        (A) render impossible; or
        (B) seriously impair;
    the ability to complete the research.
    (8) Enable solely internal uses that are:
        (A) reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business; and
        (B) compatible with the context in which the consumer provided the information.
    (9) Comply with a legal obligation.
Sec. 5. (a) Law enforcement agencies may direct a business not to delete a consumer's personal information if the law enforcement agency:
    (1) is actively investigating the consumer; and
    (2) has an active case number for the investigation.
(b) Upon receiving a request under subsection (a), a business must not delete the consumer's personal information for at least ninety (90) days to allow the law enforcement agency to obtain a court issued subpoena, order, or warrant for the consumer's personal information.
(c) For good cause and only to the extent necessary for investigatory purposes, a law enforcement agency may direct the business not to delete the consumer's personal information for an additional ninety (90) day period.
(d) Except as provided in subsection (e), a business that has received direction from law enforcement under this section shall not use the consumer's personal information for any purpose other than retaining it to produce to law enforcement in response to a court issued subpoena, order, or warrant.
(e) If a verified consumer requestor's deletion request is subject to an exemption from deletion under this article, a business that has received direction from law enforcement under this section may continue to use the consumer's personal information for purposes of the exemption.
(f) A business that refuses a verified consumer requestor's verified consumer request under this section shall notify the verified consumer requestor that:
    (1) it is acting under this section; and
    (2) the particular subsection that it is relying on to refuse the verified consumer requestor's verified request.

Chapter 6. Right to Correct
Sec. 1. A business that receives a verifiable consumer request to correct inaccurate personal information shall use commercially reasonable efforts to correct the inaccurate personal information as directed by the consumer.

Chapter 7. Right to Opt Out of Sale or Sharing
Sec. 1. At any time, a consumer is entitled to opt out of sale or sharing by prohibiting a business from selling or sharing the consumer's personal information.
Sec. 2. (a) A business that sells or shares a consumer's personal information with a third party shall provide notice to the consumer that:
    (1) the consumer's personal information may be sold or shared; and
    (2) the consumer has the right to opt out of sale or sharing of their personal information.
(b) Except as provided in subsection (c), a business must not sell or share a consumer's personal information if the business has actual knowledge that the consumer is less than sixteen (16) years of age.
(c) A business may sell or share a consumer's personal information knowing that the consumer is less than sixteen (16) years of age if:
    (1) the consumer, if the consumer is at least thirteen (13) years of age but less than sixteen (16) years of age; or
    (2) the consumer's parent or guardian, if the consumer is less than thirteen (13) years of age;
has affirmatively authorized the sale or sharing of the consumer's personal information.
(d) A business that willfully disregards the consumer's age shall be deemed to have had actual knowledge of the consumer's age.
(e) A business that receives direction from a consumer not to sell or share the consumer's personal information shall not sell or share the consumer's personal information, unless the consumer subsequently provides consent.
Chapter 8. Right to Restrict
Sec. 1. At any time, a consumer may limit a business's use of the consumer's sensitive personal information:
(1) to that which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services;
(2) to perform the services in IC 24-15-3-6(b)(2), IC 24-15-3-6(b)(4), and IC 24-15-3-6(b)(5); and
(3) as otherwise authorized under this article.
Chapter 9. Business Exceptions
Sec. 1. A business's duties under this article do not restrict the business's ability to do the following:
(1) Comply with federal, state, or local laws.
(2) Comply with a court order or subpoena to provide information.
(3) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
(4) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.
(5) Cooperate with a government agency request for emergency access to a consumer's personal information if a natural person is at risk or danger of death or serious physical injury if:
(A) the request is approved by a high ranking agency officer for emergency access to a consumer's personal information;
(B) the request is based on the agency's good faith determination that it has a lawful basis to access the information on a nonemergency basis; or
(C) the agency agrees to petition a court for an appropriate order within three (3) days and to destroy the information if that order is not granted.
(6) Exercise or defend legal claims.
(7) Collect, use, retain, sell, share, or disclose a consumer's personal information that is:
(A) deidentified; or
(B) aggregate consumer information.
(8) Collect, sell, or share a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of Indiana.
Sec. 2. A business's duties under this article shall not:
(1) apply where compliance by the business would violate an evidentiary privilege under state law; and
(2) prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under state law as part of a privileged communication.
Sec. 3. (a) A business may, depending on the complexity of the verifiable consumer request and number of other verifiable consumer requests, extend its response time period by up to ninety (90) days total when necessary. The business shall inform the verifiable consumer requestor of any such extension within forty-five (45) days of receipt of the verified consumer request, together with the reasons for the delay.
(b) If the business chooses not to take action on the verifiable consumer requestor's verifiable consumer request, the business shall immediately notify the verifiable consumer requestor of the reasons for not taking action and any rights the verifiable consumer requestor may have to appeal the decision to the business. The notice under this subdivision must occur within the permitted response time period.
(c) If a verifiable consumer requestor's verifiable consumer request is manifestly unfounded or excessive, a business may either:
(1) charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested; or
(2) refuse to act on the request and notify the verifiable consumer requestor of the reason for refusing the verifiable consumer request.
The business bears the burden of proving that a verified consumer request is manifestly unfounded or excessive.
Sec. 4. (a) A business that discloses a consumer's personal information to a service provider or contractor is not liable if:
(1) the service provider or contractor uses the consumer's personal information in violation of this article; and
(2) at the time of disclosing the personal information, the business does not have:
(A) actual knowledge; or
(B) reason to believe;
that the service provider or contractor intends to commit such a violation.
(b) A service provider or contractor is not liable for a business that it provides services to if the business violates this article.
(c) A business that discloses a consumer's personal information to a third party under a written contract is not liable if:
(1) the third party uses it in violation of this article; and
(2) at the time of disclosing the personal information, the business does not have:
(A) actual knowledge; or
(B) reason to believe;
that the third party intends to commit the violation.
Sec. 5. (a) A verifiable consumer request for:
(1) access to specific pieces of personal information, under IC 24-15-4-1;
(2) deletion of a consumer's personal information, under IC 24-15-5-2; or
(3) correction of inaccurate personal information, under IC 24-15-6-1;
does not extend to personal information about the consumer that belongs to, or that the business maintains on behalf of, another individual.
(b) A business:
(1) may rely on representations made in a verifiable consumer request;
(2) is under no legal requirement to seek out other persons that may have rights to personal information; and
(3) is under no legal obligation to take any action under this article in the event of a dispute between or among persons claiming rights to personal information in the business's possession.
Sec. 6. The right to deletion (IC 24-15-5) and the right to opt out of sale or sharing (IC 24-15-7) shall not apply to the following:
(1) A business's use, disclosure, or sale of particular pieces of a consumer's personal information if the consumer has consented to the business's use, disclosure, or sale of that information to produce a physical item, including a school yearbook containing the consumer's photograph if:
(A) the business has incurred significant expense in reliance on the consumer's consent;
(B) compliance with the consumer's request to opt out of the sale of the consumer's personal information or to delete the consumer's personal information would not be commercially reasonable; and
(C) the business complies with the consumer's request as soon as it is commercially reasonable to do so.
(2) A commercial credit reporting agency's collection, processing, sale, or disclosure of business controller information to the extent the commercial credit reporting agency uses the business controller information solely to:
(A) identify the relationship of a consumer to a business that the consumer owns; or
(B) contact the consumer only in the consumer's role as the owner, director, officer, or management employee of the business.
(3) Vehicle information or ownership information retained or shared between:
(A) a new motor vehicle dealer (as defined in IC 9-32-2-18.3); and
(B) the vehicle's manufacturer (as defined in IC 9-13-2-97);
for a vehicle repair covered by a vehicle warranty or a recall conducted under 49 U.S.C. 30118-30120 if the information is not used for any other purpose.
Chapter 10. Enforcement
Sec. 1. The division of consumer protection, created under IC 4-6-9, shall enforce this article.