Indiana 2022 2022 Regular Session

Indiana Senate Bill SB0358 Introduced / Bill

Filed 01/27/2022

                     
Introduced Version
SENATE BILL No. 358
_____
DIGEST OF INTRODUCED BILL
Citations Affected:  IC 24-15; IC 24-16.
Synopsis:  Personal information and social media policies. Establishes
a new article in the Indiana Code concerning the security and privacy
of personal information. Sets forth the following within the new article:
(1) General duties of businesses that collect personal information about
Indiana consumers. (2) The rights of Indiana consumers to do the
following: (A) Request information about the personal information
businesses collect about them. (B) Delete personal information
collected about them by businesses. (C) Request that a business correct
inaccurate personal information about them. (D) Request that a
business that sells personal information to disclose the types of
information sold and to whom it was sold. (E) Opt out of the sale or
sharing of personal information (or opt into such sale or sharing in the
case of a consumer less than 16 years of age). Prohibits a business from
discriminating against a consumer for exercising any of these rights.
Provides that the consumer protection division of the office of the
attorney general is responsible for the administration and enforcement
of these provisions. Requires the attorney general to adopt rules to
implement these provisions. Provides that a violation of these
provisions is a deceptive consumer act that is actionable under the
deceptive consumer sales act by a consumer or the attorney general.
Establishes a new article in the Indiana Code concerning the disclosure
of certain administrative procedures used by social media services.
Includes within this new article the requirement that an owner or
operator of a social media service publish on the social media service's
Internet web site the procedures, standards, policies, algorithms, or
other mechanisms used by the owner or operator for: (1) determining
(Continued next page)
Effective:  July 1, 2022.
Brown L
January 12, 2022, read first time and referred to Committee on Commerce and Technology.
2022	IN 358—LS 7186/DI 101 Digest Continued
how content is selected for dissemination to users of the service; (2)
evaluating user-created content for compliance with the service's terms
of service; (3) imposing penalties on users for violating the service's
terms of service; and (4) facilitating an appeal by a user of: (A) a
finding that the user has violated the service's terms of service; or (B)
a penalty imposed on the user for such a violation. Provides that a
violation of this requirement is actionable by the attorney general as a
deceptive consumer sales act.
2022	IN 358—LS 7186/DI 1012022	IN 358—LS 7186/DI 101 Introduced
Second Regular Session of the 122nd General Assembly (2022)
PRINTING CODE. Amendments: Whenever an existing statute (or a section of the Indiana
Constitution) is being amended, the text of the existing provision will appear in this style type,
additions will appear in this style type, and deletions will appear in this style type.
  Additions: Whenever a new statutory provision is being enacted (or a new constitutional
provision adopted), the text of the new provision will appear in  this  style  type. Also, the
word NEW will appear in that style type in the introductory clause of each SECTION that adds
a new provision to the Indiana Code or the Indiana Constitution.
  Conflict reconciliation: Text in a statute in this style type or this style type reconciles conflicts
between statutes enacted by the 2021 Regular Session of the General Assembly.
SENATE BILL No. 358
A BILL FOR AN ACT to amend the Indiana Code concerning trade
regulation.
Be it enacted by the General Assembly of the State of Indiana:
1 SECTION 1. IC 24-15 IS ADDED TO THE INDIANA CODE AS
2 A NEW ARTICLE TO READ AS FOLLOWS [EFFECTIVE JULY 1,
3 2022]:
4 ARTICLE 15. SECURITY AND PRIVACY OF PERSONAL
5 INFORMATION
6 Chapter 1. Applicability
7 Sec. 1. This article applies to a business that:
8 (1) collects consumers' personal information, or on whose
9 behalf consumers' personal information is collected;
10 (2) alone, or jointly with others, determines the purposes and
11 means of the processing of consumers' personal information;
12 (3) does business in Indiana; and
13 (4) satisfies one (1) or more of the following thresholds:
14 (A) Has annual gross revenues in excess of twenty-five
15 million dollars ($25,000,000).
2022	IN 358—LS 7186/DI 101 2
1 (B) Alone, or jointly with others, annually:
2 (i) buys;
3 (ii) receives for the business's commercial purposes;
4 (iii) sells; or
5 (iv) shares for commercial purposes;
6 the personal information of at least fifty thousand (50,000)
7 consumers, households, or devices.
8 (C) Derives fifty percent (50%) or more of its annual
9 revenues from selling consumers' personal information.
10 Chapter 2. Definitions
11 Sec. 1. The definitions in this chapter apply throughout this
12 article.
13 Sec. 2. (a) "Biometric information" means data:
14 (1) that concerns an individual's physiological, biological, or
15 behavioral characteristics, including an individual's
16 deoxyribonucleic acid (DNA); and
17 (2) that can be used, singly or in combination with each other
18 or with other identifying data, to establish individual identity.
19 (b) The term includes the following:
20 (1) A fingerprint.
21 (2) Images of the iris or retina.
22 (3) A voice print.
23 (4) Keystroke patterns or rhythms.
24 (5) Gait patterns or rhythms.
25 (6) Sleep, health, or exercise data that contain identifying
26 information.
27 Sec. 3. (a) "Business" means any of the following that exists to
28 make a profit:
29 (1) A sole proprietorship.
30 (2) An organization.
31 (3) An association.
32 (4) A corporation.
33 (5) A partnership.
34 (6) A joint venture.
35 (7) A limited partnership.
36 (8) A limited liability partnership.
37 (9) A limited liability company.
38 (b) The term includes any wholly owned subsidiary, majority
39 owned subsidiary, parent company, or affiliate of an entity or
40 association that exists to make a profit.
41 Sec. 4. (a) "Business purpose", with respect to the use of
42 personal information, means a use that:
2022	IN 358—LS 7186/DI 101 3
1 (1) is for a business's or a service provider's operational
2 purposes; and
3 (2) is reasonably necessary and proportionate to achieve:
4 (A) the operational purpose for which the personal
5 information was collected or processed; or
6 (B) another operational purpose that is compatible with
7 the context in which the personal information was
8 collected. 
9 (b) The term includes the following:
10 (1) Auditing related to a current interaction with a consumer
11 or to concurrent transactions, including:
12 (A) counting ad impressions to unique visitors; and
13 (B) verifying positioning and quality of ad impressions.
14 (2) Detecting security incidents, protecting against malicious,
15 deceptive, fraudulent, or illegal activity, and prosecuting those
16 responsible for that activity.
17 (3) Debugging to identify and repair errors that impair the
18 intended functionality of a system.
19 (4) Short term, transient use of personal information, which
20 use:
21 (A) does not disclose the personal information to a third
22 party;
23 (B) is not used to build a profile about the consumer; and
24 (C) does not otherwise alter the consumer's experience
25 outside the current interaction;
26 including the contextual customization of ads shown as part
27 of the same interaction.
28 (5) Performing services on behalf of the business or service
29 provider, including:
30 (A) maintaining or servicing accounts;
31 (B) providing customer service;
32 (C) processing or fulfilling orders and transactions;
33 (D) verifying customer information;
34 (E) processing payments;
35 (F) providing financing;
36 (G) providing advertising or marketing services;
37 (H) providing analytic services; or
38 (I) providing similar services on behalf of the business or
39 service provider.
40 (6) Undertaking internal research for technological
41 development and demonstration.
42 (7) Undertaking activities to:
2022	IN 358—LS 7186/DI 101 4
1 (A) verify or maintain the quality or safety of a service or
2 device that is owned by, manufactured by, manufactured
3 for, or controlled by the business; and
4 (B) improve, upgrade, or enhance the service or device.
5 Sec. 5. (a) "Collect", with respect to the personal information of
6 a consumer, means to buy, rent, gather, obtain, receive, or access
7 the personal information by any means.
8 (b) The term includes receiving information:
9 (1) from the consumer, either actively or passively; and
10 (2) by observing the consumer's behavior.
11 Sec. 6. "Consumer" means an individual whose principal
12 residence is in Indiana.
13 Sec. 7. (a) "Personal information" means any information that
14 identifies, relates to, describes, locates, is reasonably capable of
15 being associated with, or could reasonably be linked with, a
16 particular individual.
17 (b) The term includes the following concerning an individual:
18 (1) First and last name, or first initial and last name.
19 (2) Address.
20 (3) Telephone number.
21 (4) Social security number.
22 (5) Driver's license number, state identification number, or
23 passport number.
24 (6) Account number, credit card number, or debit card
25 number, in combination with a security code, password, or
26 access code that would permit access to the individual's
27 account.
28 (7) A user name, unique identifier, or electronic mail address,
29 in combination with a password, access code, or security
30 question and answer that would permit access to an online
31 account.
32 (8) A digital photograph or image of the individual.
33 (9) Biometric information.
34 (10) Geolocation data.
35 (11) Internet or other electronic network activity information,
36 including browsing history, search history, and information
37 regarding the individual's interaction with an Internet web
38 site, application, or advertisement.
39 (12) Commercial information, including:
40 (A) records of products or services purchased, obtained, or
41 considered; or
42 (B) other purchasing or consuming histories or tendencies.
2022	IN 358—LS 7186/DI 101 5
1 (13) Professional or employment related information.
2 (14) Medical or disability information.
3 (c) The term does not include the following:
4 (1) The last four (4) digits of an individual's Social Security
5 number.
6 (2) Publicly available information that is lawfully made
7 available from federal, state, or local government records.
8 (3) Consumer information that is de-identified, so that the
9 information cannot reasonably identify, relate to, describe, be
10 capable of being associated with, or be linked, directly or
11 indirectly, to a particular consumer.
12 (4) Aggregate consumer information:
13 (A) that relates to a group or category of consumers;
14 (B) from which individual consumer identities have been
15 removed; and
16 (C) that is not linked or reasonably linkable to any
17 particular consumer.
18 Sec. 8. "Sensitive personal information" means any of the
19 following personal information concerning an individual:
20 (1) Social security number.
21 (2) Digital photograph or image.
22 (3) Medical or disability information.
23 (4) Biometric information.
24 (5) Precise geolocation data.
25 Sec. 9. "Service provider" means a for-profit enterprise:
26 (1) that processes information on behalf of a business; and
27 (2) to which the business discloses a consumer's personal
28 information:
29 (A) for a business purpose; and
30 (B) under a written contract that prohibits the enterprise
31 receiving the information from retaining, using, or
32 disclosing the personal information for any purpose,
33 including any commercial purpose, other than for the
34 specific purpose of performing the services specified in the
35 contract.
36 Sec. 10. "Verifiable consumer request" means a request:
37 (1) that is made to a business by:
38 (A) a consumer;
39 (B) a consumer on behalf of the consumer's minor child; or
40 (C) an individual authorized by a consumer to act on the
41 consumer's behalf;
42 (2) that pertains to the consumer or the consumer's minor
2022	IN 358—LS 7186/DI 101 6
1 child, as applicable; and
2 (3) with respect to which the business to whom the request is
3 made can reasonably verify:
4 (A) has been made by a person described in subdivision
5 (1)(A) through (1)(C); and 
6 (B) pertains to the consumer or the consumer's minor
7 child, as applicable. 
8 Chapter 3. General Duties of Businesses that Collect Personal
9 Information
10 Sec. 1. (a) A business that controls the collection of a consumer's
11 personal information shall, at or before the point of collection,
12 inform the consumer of the following:
13 (1) The categories of personal information to be collected.
14 (2) The purposes for which the categories of personal
15 information are to be collected or used.
16 (3) Whether the personal information collected will be sold or
17 shared.
18 (4) If the business collects sensitive personal information:
19 (A) the categories of sensitive personal information to be
20 collected;
21 (B) the purposes for which the categories of sensitive
22 personal information are to be collected or used; and
23 (C) whether the sensitive personal information collected
24 will be sold or shared.
25 (5) Either:
26 (A) the length of time; or
27 (B) the criteria to be used for determining the length of
28 time;
29 the business intends to retain each category of personal
30 information, including sensitive personal information,
31 collected.
32 (b) A business shall not:
33 (1) collect additional categories of personal information or
34 sensitive personal information; or
35 (2) use any personal information or sensitive personal
36 information collected for additional purposes that are
37 incompatible with the disclosed purposes for which the
38 personal information or sensitive personal information was
39 collected;
40 without providing the consumer with notice consistent with this
41 section.
42 (c) A business shall not retain a consumer's personal
2022	IN 358—LS 7186/DI 101 7
1 information or sensitive personal information for each disclosed
2 purpose for which the information was collected for longer than is
3 reasonably necessary for that disclosed purpose.
4 (d) This subsection applies to a business that, acting as third
5 party, controls the collection of personal information about a
6 consumer. A business to which this subsection applies satisfies the
7 requirements set forth in subsection (a) if the business provides the
8 required information prominently and conspicuously on the
9 homepage of its Internet web site. In addition, if a business to
10 which this subsection applies controls the collection of personal
11 information about a consumer on its premises, including in a
12 vehicle, the business shall, at or before the point of collection,
13 inform the consumer of the information set forth in subsection
14 (a)(1) through (a)(3) and, if applicable, subsection (a)(4), in a clear
15 and conspicuous manner at the location.
16 Sec. 2. A business's collection, use, retention, and sharing of a
17 consumer's personal information:
18 (1) shall be reasonably necessary and proportionate to
19 achieve:
20 (A) the purposes for which the personal information was
21 collected or processed; or
22 (B) another disclosed purpose that is compatible with the
23 context in which the personal information was collected;
24 and
25 (2) shall not be further processed in a manner that is
26 incompatible with the purposes described in subdivision (1).
27 Sec. 3. (a) This section applies to a business that collects a
28 consumer's personal information and that:
29 (1) sells the personal information to, or shares it with, a third
30 party; or
31 (2) discloses the personal information to a service provider or
32 contractor;
33 for a business purpose.
34 (b) A business to which this section applies shall enter into a
35 written agreement with the third party, service provider, or
36 contractor described in subsection (a). The written agreement
37 required by this subsection must include language that does the
38 following:
39 (1) Specifies that the personal information is being sold or
40 disclosed by the business only for limited and specified
41 purposes.
42 (2) Obligates the third party, service provider, or contractor
2022	IN 358—LS 7186/DI 101 8
1 to:
2 (A) comply with all applicable requirements under this
3 article; and
4 (B) provide the same level of privacy protection as the
5 business is required to provide under this article.
6 (3) Grants the business the right to take reasonable and
7 appropriate steps to ensure that the third party, service
8 provider, or contractor uses the personal information in a
9 manner consistent with the business's obligations under this
10 article, including the right to take reasonable and appropriate
11 steps, upon notice, to stop and remediate the unauthorized use
12 of personal information.
13 (4) Requires the third party, service provider, or contractor
14 to notify the business if the third party, service provider, or
15 contractor determines that it can no longer meet its
16 obligations under this title.
17 Sec. 4. A business that collects a consumer's personal
18 information shall implement reasonable security procedures and
19 practices, appropriate to the nature of the personal information, to
20 protect the personal information from unauthorized or illegal
21 access, destruction, use, modification, or disclosure.
22 Sec. 5. Nothing in this chapter shall be construed to require a
23 business to disclose trade secrets or other confidential or
24 proprietary information that is exempt from disclosure under state
25 or federal law.
26 Chapter 4. Right of Consumer to Request Personal Information
27 Collected
28 Sec. 1. (a) A consumer is entitled to request that a business that
29 collects the consumer's personal information disclose to that
30 consumer:
31 (1) the categories; and
32 (2) specific pieces;
33 of personal information the business has collected.
34 (b) A business shall provide the information specified in
35 subsection (a) to a consumer only upon receipt of a verifiable
36 consumer request for that information. A business that receives a
37 verifiable consumer request under this section shall promptly take
38 steps to disclose and deliver, free of charge to the consumer, the
39 information described in subsection (a). The information may be
40 delivered by United States mail or electronically. If provided
41 electronically, the information shall be in a:
42 (1) portable; and
2022	IN 358—LS 7186/DI 101 9
1 (2) to the extent technically feasible, readily useable format;
2 that allows the consumer to transmit the information to another
3 entity without hindrance.
4 (c) A business may provide information to a consumer under
5 this section at any time. However, a business is not required to
6 provide information to a consumer under this section more than
7 two (2) times in a twelve (12) month period.
8 (d) The providing of information described in subsection (a)(1)
9 to a consumer under this section does not relieve a business of its
10 obligation to make the disclosures required by IC 24-15-3-1 at or
11 before the point of collection of the consumer's personal
12 information.
13 Sec. 2. This chapter does not require a business to:
14 (1) retain any personal information collected from a consumer
15 for a single, one-time transaction if the information is not sold
16 or retained by the business; or
17 (2) to reidentify or otherwise link to the consumer information
18 that is not maintained in a manner that would be considered
19 personal information.
20 Chapter 5. Right of Consumer to Delete Personal Information
21 Collected
22 Sec. 1. (a) A consumer is entitled to request that a business
23 delete any personal information about the consumer that the
24 business has collected from the consumer.
25 (b) A business that collects a consumer's personal information
26 shall, at or before the point of collection, inform the consumer of
27 the consumer's right under this section to request the deletion of
28 the consumer's personal information.
29 (c) Except as provided in subsection (f), a business that receives
30 a verifiable consumer request to delete the consumer's personal
31 information under this section shall:
32 (1) delete the consumer's personal information from its
33 records;
34 (2) notify any service providers or contractors to delete the
35 consumer's personal information from their records; and
36 (3) notify all third parties to whom the business has sold or
37 shared the personal information to delete the consumer's
38 personal information from their records, unless such action
39 would:
40 (A) be impossible; or
41 (B) involve disproportionate effort.
42 (d) Except as provided in subsection (f), a service provider or
2022	IN 358—LS 7186/DI 101 10
1 contractor that receives notification from a business under
2 subsection (c)(2) shall cooperate with the business in responding to
3 the verifiable consumer request for deletion and, at the direction
4 of the business, shall:
5 (1) delete, or enable the business to delete; and
6 (2) notify any of its own service providers or contractors to
7 delete;
8 any of the consumer's personal information collected, used,
9 processed, or retained by the service provider or contractor. The
10 service provider or contractor shall notify any service providers,
11 contractors, or third parties who may have accessed personal
12 information from or through the service provider or contractor,
13 unless the information was accessed at the direction of the business,
14 to delete the consumer's personal information, unless this would be
15 impossible or involve disproportionate effort. 
16 (e) Notwithstanding the duties of a service provider or
17 contractor under subsection (d) upon the receipt of a notification
18 from a business under subsection (c)(2), a service provider or
19 contractor is not required to comply with a deletion request
20 submitted by a consumer directly to the service provider or
21 contractor, to the extent that the service provider or contractor has
22 collected, used, processed, or retained the consumer's personal
23 information in its role as a service provider or contractor to the
24 business.
25 (f) A business, service provider, or contractor is not required to
26 comply with a verifiable consumer request to delete the consumer's
27 personal information if it is reasonably necessary for the business,
28 service provider, or contractor to maintain the consumer's
29 personal information in order to do any of the following:
30 (1) Complete the transaction for which the personal
31 information was collected.
32 (2) Fulfill the terms of a written warranty.
33 (3) Fulfill the terms of a product recall conducted in
34 accordance with federal law.
35 (4) Provide a good or service:
36 (A) requested by the consumer; or
37 (B) reasonably anticipated by the consumer within the
38 context of the business's ongoing business relationship with
39 the consumer.
40 (5) Perform a contract between the business and the
41 consumer.
42 (6) Secure the security and integrity of, or debug to identify
2022	IN 358—LS 7186/DI 101 11
1 and repair errors that impair the existing intended
2 functionality of, the data system of the business (or the data
3 system of the service provider or contractor), to the extent the
4 use of the consumer's personal information is reasonably
5 necessary and proportionate for those purposes.
6 (7) To enable solely internal uses that:
7 (A) are reasonably aligned with the expectations of the
8 consumer, based on the consumer's relationship with the
9 business; and
10 (B) compatible with the context in which the consumer
11 provided the personal information.
12 (8) Comply with a legal obligation.
13 Sec. 2. A business may maintain a confidential record of deletion
14 requests received under this chapter solely:
15 (1) for the purpose of preventing the personal information of
16 a consumer who has submitted a deletion request from being
17 sold;
18 (2) to comply with laws; or
19 (3) for other purposes, to the extent permissible under this
20 article.
21 Chapter 6. Right of Consumer to Correct Inaccurate Personal
22 Information
23 Sec. 1. (a) A consumer is entitled to request a business that
24 maintains inaccurate personal information about the consumer to
25 correct the inaccurate personal information, taking into account
26 the nature of the personal information and the purposes for
27 processing the personal information.
28 (b) A business that collects a consumer's personal information
29 shall, at or before the point of collection, inform the consumer of
30 the consumer's right under this section to request the correction of
31 inaccurate personal information.
32 (c) A business that receives a verifiable consumer request to
33 correct inaccurate personal information shall use commercially
34 reasonable efforts to correct the inaccurate personal information
35 as directed in the verifiable consumer request.
36 Chapter 7. Right of Consumer to Know What Personal
37 Information Is Sold or Shared
38 Sec. 1. (a) A consumer is entitled to request that a business that
39 sells or shares the consumer's personal information, or that
40 discloses it for a business purpose, disclose to that consumer the
41 following:
42 (1) The categories of personal information that the business
2022	IN 358—LS 7186/DI 101 12
1 collected about the consumer.
2 (2) The categories of personal information that the business
3 sold or shared about the consumer.
4 (3) The categories of third parties to whom the personal
5 information was sold or shared.
6 (4) For each third party category identified under subdivision
7 (3), the categories of personal information shared with that
8 third party category.
9 (5) The categories of personal information that the business
10 disclosed about the consumer for a business purpose, along
11 with the categories of persons to whom it was disclosed for a
12 business purpose.
13 (b) A business that sells or shares personal information about a
14 consumer, or that discloses a consumer's personal information for
15 a business purpose, shall disclose the information specified in
16 subsection (a) to the consumer upon receipt of a verifiable
17 consumer request to do so.
18 Sec. 2. A third party shall not sell or share a consumer's
19 personal information that has been sold to, or shared with, the
20 third party unless the consumer:
21 (1) has received explicit notice of selling or sharing of the
22 consumer's personal information; and
23 (2) is provided an opportunity to exercise the right to opt out
24 of the selling or sharing under IC 24-15-8. 
25 Chapter 8. Right of Consumer to Opt Out of Selling or Sharing
26 of Personal Information
27 Sec. 1. As used in this chapter "opt out", with respect to the
28 selling or sharing of personal information, means to direct a
29 business not to sell or share the personal information.
30 Sec. 2. (a) A consumer is entitled to direct, at any time, a
31 business that sells or shares personal information about the
32 consumer to third parties not to sell or share the consumer's
33 personal information. 
34 (b) A business that sells a consumer's personal information to,
35 or shares it with, one (1) or more third parties shall, at or before
36 the point of collection of the personal information, inform the
37 consumer of the consumer's right under this section to opt out of
38 the sale or sharing of the consumer's personal information.
39 (c) A business that receives notice from a consumer of the
40 consumer's election to opt out of the sale or sharing of the
41 consumer's personal information shall not sell or share the
42 consumer's personal information after receiving the consumer's
2022	IN 358—LS 7186/DI 101 13
1 notice to opt out, unless the consumer subsequently provides
2 consent for the sale or sharing of the consumer's personal
3 information.
4 (d) Notwithstanding subsections (a) and (c), a business shall not
5 sell or share the personal information of a consumer if the business
6 has actual knowledge that the consumer is less than sixteen (16)
7 years of age, unless:
8 (1) the consumer, in the case of a consumer who is at least
9 thirteen (13) years of age and less than sixteen (16) years of
10 age; or
11 (2) the consumer's parent or guardian, in the case of a
12 consumer who is less than thirteen (13) years of age;
13 affirmatively authorizes the sale or sharing of the consumer's
14 personal information. For purposes of this subsection, a business
15 that willfully disregards a consumer's age is considered to have had
16 actual knowledge of the consumer's age.
17 Chapter 9. Prohibition Against Discrimination for Exercising
18 Rights
19 Sec. 1. (a) A business shall not discriminate against a consumer
20 because the consumer has exercised any right granted to the
21 consumer under this title. Except as provided in subsections (b)
22 and (c), discriminatory acts prohibited by this section include the
23 following:
24 (1) Denying goods or services to the consumer.
25 (2) Charging different prices or rates for goods and services,
26 including through the use of discounts or other benefits, or by
27 imposing penalties.
28 (3) Providing a different level or quality of goods or services
29 to the consumer.
30 (4) Suggesting that the consumer will receive:
31 (A) a different price or rates for goods or services; or
32 (B) a different level or quality of goods or services.
33 (b) This section does not prohibit a business from:
34 (1) charging a consumer a different price or rate for goods or
35 services; or
36 (2) providing a different level or quality of goods or services
37 to the consumer;
38 if that price or difference is reasonably related to the value
39 provided to the business by the consumer's data.
40 (c) This section does not prohibit a business from offering:
41 (1) loyalty or rewards cards or programs;
42 (2) premium features;
2022	IN 358—LS 7186/DI 101 14
1 (3) discounts; or
2 (4) club card programs;
3 that are consistent with this article.
4 Sec. 2. (a) A business may offer financial incentives, including
5 payment to consumers as compensation, for the collection of
6 personal information, the sale of personal information, or the
7 deletion of personal information.
8 (b) A business may enter a consumer into a financial incentive
9 program only if:
10 (1) the consumer gives the business prior opt-in consent after
11 being provided with information clearly describing the
12 material terms of the financial incentive program; and
13 (2) the consumer's opt-in consent can be revoked at any time.
14 (c) A business shall not use financial incentive practices that are
15 unjust, unreasonable, or usurious in nature.
16 Chapter 10. Administration, Enforcement, and Violations
17 Sec. 1. The consumer protection division of the office of the
18 attorney general is responsible for the administration and
19 enforcement of this article.
20 Sec. 2. The attorney general shall adopt rules under IC 4-22-2
21 to implement this article. In adopting the rules required by this
22 section, the attorney general may adopt emergency rules in the
23 manner provided by IC 4-22-2-37.1. Notwithstanding
24 IC 4-22-2-37.1(g), an emergency rule adopted by the attorney
25 general under this subsection and in the manner provided by
26 IC 4-22-2-37.1 expires on the date on which a rule that supersedes
27 the emergency rule is adopted by the attorney general under
28 IC 4-22-2-24 through IC 4-22-2-36.
29 Sec. 3. A violation of this article is a deceptive act that is
30 actionable by a consumer and the attorney general under
31 IC 24-5-0.5-4.
32 SECTION 2. IC 24-16 IS ADDED TO THE INDIANA CODE AS
33 A NEW ARTICLE TO READ AS FOLLOWS [EFFECTIVE JULY 1,
34 2022]:
35 ARTICLE 16. SOCIAL MEDIA PROVIDERS
36 Chapter 1. Definitions
37 Sec. 1. The definitions in this chapter apply throughout this
38 article.
39 Sec. 2. (a) "Social media" means an Internet service:
40 (1) with which an individual may become a registered user by
41 creating an account or profile; and
42 (2) used primarily as a medium by which:
2022	IN 358—LS 7186/DI 101 15
1 (A) a registered user of the service can disseminate content
2 created by the registered user; and
3 (B) advertising can be disseminated;
4 to registered users of the service, to nonregistered users of the
5 service, or to both registered and nonregistered users of the
6 service.
7 (b) The term does not include an Internet service to which one
8 (1) or more of the following apply:
9 (1) The Internet service is used primarily as a medium for one
10 (1) or more of the following:
11 (A) Dissemination of content by parties other than
12 registered users of the service.
13 (B) Remote transaction of sales of goods or services,
14 including remote submission of payment for goods or
15 services.
16 (C) Dissemination of registered users' reviews of products,
17 services, or providers of products or services.
18 (2) The Internet service is accessible only to employees of:
19 (A) the owner or operator of the Internet service; or
20 (B) an affiliate of the owner or operator of the Internet
21 service.
22 Chapter 2. Disclosure of Social Media Administrative
23 Procedures
24 Sec. 1. (a) The owner or operator of a social media service shall
25 publish on the social media service's Internet web site the
26 procedures, standards, policies, algorithms, or other mechanisms
27 used by the owner or operator for the following purposes with
28 regard to the social media service:
29 (1) To determine how content is selected for dissemination to
30 users, including:
31 (A) any attribute of a registered user, or of a registered
32 user's account or profile; and
33 (B) any attribute of an individual piece of content;
34 that is used to determine whether the content is disseminated
35 to the user and how the content, if disseminated to the user, is
36 presented, prioritized, categorized, or ranked as compared to
37 other content disseminated to the user.
38 (2) To evaluate user created content for compliance with the
39 service's terms of service.
40 (3) To impose penalties on a registered user for violation of
41 the service's terms of service, including:
42 (A) the penalties that may be imposed; and
2022	IN 358—LS 7186/DI 101 16
1 (B) the basis on which a penalty under clause (A) is
2 assigned for the violation, including with regard to:
3 (i) the severity of the violation, as evaluated under
4 standards published under subdivision (2); and
5 (ii) escalation of penalties based on the user's past
6 violations of the terms of service.
7 (4) To:
8 (A) allow a registered user to appeal:
9 (i) a finding that the user has violated the service's terms
10 of service; or
11 (ii) a penalty imposed on the user under subdivision (3);
12 and
13 (B) evaluate a registered user's appeal under clause (A).
14 (b) If the owner or operator of a social media service changes a
15 standard, procedure, policy, algorithm, or other mechanism
16 published under subsection (a), the owner or operator shall, not
17 later than twenty-four (24) hours after the change is implemented
18 by the owner or operator, update the standard, procedure, policy,
19 algorithm, or other mechanism, as published on the social media
20 service's Internet web site, to reflect the change.
21 Sec. 2. An owner or operator of a social media service that
22 knowingly and intentionally violates section 1 of this chapter
23 commits a deceptive act that is actionable by the attorney general
24 under IC 24-5-0.5 and that is subject to the penalties and remedies
25 available to the attorney general under IC 24-5-0.5.
2022	IN 358—LS 7186/DI 101