1. Question
Considering the Indiana Consumer Data Protection Act (ICDPA), what is the minimum number of Indiana consumers whose personal data a business must control or process in the preceding calendar year to be subject to the Act’s provisions, assuming the business also derives more than 25% of its gross revenue from selling personal data?
The Indiana Consumer Data Protection Act (ICDPA) defines a “business” as an entity that conducts business in Indiana or produces products or services targeted to Indiana consumers and meets certain thresholds. One such threshold relates to the amount of personal data processed or controlled. Specifically, a business is considered a “business” under the ICDPA if, in the preceding calendar year, it controlled or processed the personal data of at least 100,000 Indiana consumers. Alternatively, a business is also considered a “business” if it controlled or processed the personal data of at least 30,000 Indiana consumers and derived more than 25% of its gross revenue from selling personal data. The question asks about the threshold for processing personal data to be considered a business under the ICDPA. Therefore, the correct threshold is processing the personal data of at least 100,000 consumers. The ICDPA, like many US state privacy laws, aims to provide consumers with rights regarding their personal data and imposes obligations on businesses that handle this data. Understanding these thresholds is crucial for businesses to determine their compliance obligations under Indiana law. The law also specifies various rights for consumers, such as the right to access, correct, delete, and opt-out of the sale of personal data. The applicability of the law is tied to these processing thresholds, ensuring that smaller entities with minimal data processing activities are not unduly burdened.
2. Question
A technology firm, headquartered in California, offers a cloud-based analytics platform. While the firm has no physical offices or employees in Indiana, it actively markets its services to businesses located in Indiana and processes the personal data of Indiana residents who utilize these services. If the firm processes the personal data of 120,000 Indiana residents annually, which of the following statements accurately reflects its obligations under the Indiana Consumer Data Protection Act (ICDPA)?
The Indiana Consumer Data Protection Act (ICDPA) defines a “business” as an entity that alone or jointly with others determines the purposes and means of processing personal data, and either (1) conducts business in Indiana or (2) produces or directs its activities toward Indiana residents and meets certain thresholds. These thresholds, as of the ICDPA’s effective date, include processing personal data of at least 100,000 Indiana consumers, or processing personal data of at least 30,000 Indiana consumers and deriving more than 50% of gross revenue from selling personal data. The ICDPA’s scope is generally tied to the volume of data processed and the residency of the consumers whose data is processed, not solely the physical presence of the business in Indiana. Therefore, a business that targets Indiana residents, even without a physical presence, can be subject to the law if it meets the processing thresholds. The key is the impact on Indiana consumers and the business’s engagement with them.
3. Question
Consider a scenario where a resident of Indiana, acting under the protections afforded by the Indiana Consumer Data Protection Act (ICDPA), has previously exercised their right to opt-out of the sale of their personal data by a data broker operating within the state. If the data broker, after a period of six (6) months, then attempts to solicit the same Indiana resident to re-authorize the sale of their personal data, what is the legal implication under the ICDPA for this solicitation?
The Indiana Consumer Data Protection Act (ICDPA), codified in Indiana Code Chapter 24-4.9, establishes specific requirements for the collection, processing, and sale of personal data by businesses. A key aspect of this legislation concerns the rights afforded to consumers regarding their data. One such right is the ability for consumers to opt-out of the sale of their personal data. The ICDPA defines “sale” broadly, encompassing the exchange of personal data for monetary or other valuable consideration. When a consumer exercises this right, the controller must cease selling that consumer’s personal data. Furthermore, the controller cannot request the consumer to re-authorize the sale of their personal data for at least twelve (12) months following the opt-out. This provision aims to provide consumers with a meaningful and lasting control over the disposition of their personal information, preventing businesses from circumventing opt-out requests through repeated solicitations. The law also mandates that controllers provide clear and conspicuous notice about the sale of personal data and the consumer’s right to opt-out. This notice should be readily accessible, typically on the controller’s privacy policy. The enforcement of these rights and obligations falls under the purview of the Indiana Attorney General.
4. Question
A data controller operating in Indiana, “Hoosier Innovations Inc.,” is developing a new analytics platform that will process sensitive personal data for personalized advertising purposes. While the initial volume of data processed is modest, the potential for discriminatory outcomes due to algorithmic profiling is considered significant. According to the Indiana Consumer Data Protection Act (ICDPA), what is the primary trigger for conducting a data protection assessment for this specific processing activity?
The Indiana Consumer Data Protection Act (ICDPA) requires that a data controller provide consumers with a clear and conspicuous privacy notice. This notice must detail the types of personal data collected, the purposes for collection and processing, and the entities with whom the data is shared. Furthermore, the ICDPA mandates that controllers establish and maintain reasonable administrative, technical, and physical safeguards to protect personal data. It also grants consumers the right to access their personal data, correct inaccuracies, and delete their data, subject to certain exceptions. The act requires controllers to conduct and document data protection assessments for processing activities that present a heightened risk of harm to consumers. These assessments are crucial for identifying and mitigating potential privacy risks. The ICDPA defines “sale” of personal data broadly to include exchanges for monetary or other valuable consideration, and requires controllers to provide an opt-out mechanism for such sales. When a consumer exercises their right to opt-out of the sale of personal data, the controller must honor that request and cease selling the consumer’s personal data. The law does not mandate a specific monetary threshold for data protection assessments, but rather focuses on the nature of the processing and its potential for harm. Therefore, a controller processing sensitive data for targeted advertising, even without a large volume of data, might still be required to conduct such an assessment.
5. Question
A technology firm based in Indianapolis, operating under the Indiana Consumer Data Protection Act (ICDPA), is developing a new health and wellness application. This application intends to collect detailed biometric data, including heart rate variability and sleep patterns, to provide personalized health insights. The firm also plans to gather information about users’ dietary habits and perceived stress levels, which could indirectly reveal health conditions. Considering the ICDPA’s provisions regarding sensitive data, what is the primary obligation the firm must fulfill before processing this type of information?
The Indiana Consumer Data Protection Act (ICDPA), codified in Indiana Code Title 24, Article 4.9, outlines specific obligations for controllers and processors concerning consumer data. A key aspect of this legislation, similar to many other US state privacy laws, is the definition of “sensitive data” and the enhanced protections it requires. Sensitive data is defined broadly to include categories such as data revealing racial or ethnic origin, religious beliefs, trade union membership, the contents of mail, telephone, or other communications, genetic data, biometric data processed to uniquely identify a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation. When a controller collects sensitive data, the ICDPA mandates that the controller must first provide consumers with notice of the collection of sensitive data and offer consumers an opportunity to opt-out of the processing of their sensitive data. This opt-out right is a fundamental consumer protection mechanism designed to give individuals control over highly personal information. Unlike some other data privacy frameworks that might require explicit consent for the processing of sensitive data, the ICDPA’s primary mechanism for sensitive data collection is the opt-out right after providing notice. The law emphasizes transparency and consumer control. Therefore, a controller must ensure they have a mechanism in place for consumers to opt-out of the processing of their sensitive data, following appropriate notice.
6. Question
A data controller operating in Indiana, processing sensitive consumer information, has implemented a multifaceted data security program. This program includes robust encryption protocols, access controls, regular vulnerability assessments, and employee training on data handling best practices. While this program is not explicitly modeled after a specific NIST Cybersecurity Framework publication, it is demonstrably designed to protect the confidentiality, integrity, and availability of the personal data processed, taking into account the nature of the data and the potential risks to consumers. The controller has not appointed a dedicated data protection officer, nor is it currently subject to any mandatory breach notification requirements under Indiana law due to no current security incidents. Under the Indiana Consumer Data Protection Act, what is the most accurate assessment of the controller’s compliance regarding its data security measures?
The Indiana Consumer Data Protection Act (ICDPA) establishes specific requirements for data security. While the ICDPA does not mandate a particular security framework, it does require that controllers implement and maintain reasonable administrative, technical, and physical safeguards that are appropriate to the volume and sensitivity of the personal data being processed. This includes considering the nature of the personal data, the risks to consumers presented by the processing, and the current state of technology. The concept of “reasonable security” is a flexible standard, requiring an assessment of proportionality and risk. The ICDPA’s focus is on the overall appropriateness of the safeguards, not on adherence to a single, universally prescribed standard. Therefore, a controller that has adopted a comprehensive data security program, even if not explicitly aligned with a specific NIST publication, but which demonstrably meets the ICDPA’s requirements for reasonableness and risk mitigation, would be compliant. The presence of a data protection officer, while a good practice and often a component of robust security programs, is not a standalone mandatory requirement under the ICDPA for all controllers, though it may be a factor in assessing the overall reasonableness of safeguards. Similarly, mandatory breach notification is a separate requirement triggered by a breach, not a preventative safeguard itself.
7. Question
A digital marketing firm operating within Indiana collects personal data from its users. To enhance its customer segmentation capabilities, the firm shares this data with a third-party analytics company. The analytics company, in turn, uses this data to refine its proprietary algorithms and offers insights derived from this refined data to other businesses, receiving valuable consideration for these insights. Under the Indiana Consumer Data Protection Act (ICDPA), what specific consumer right is most directly implicated by this data sharing practice?
The Indiana Consumer Data Protection Act (ICDPA), enacted in 2023, grants consumers specific rights regarding their personal data. One of these rights is the right to opt-out of the sale of personal data. The ICDPA defines “sale” broadly to include the exchange of personal data for monetary or other valuable consideration. When a controller uses a third-party service provider to process personal data on its behalf, and that service provider then uses that data for its own purposes beyond the scope of the original processing agreement, this could be construed as a “sale” under the ICDPA if valuable consideration is exchanged. The key distinction for an opt-out right is whether the sharing of data is for the controller’s direct benefit or for the benefit of the third party in a way that constitutes a sale. Sharing data with a service provider solely to perform services for the controller, without any further use by the service provider for its own commercial gain or valuable consideration, generally does not constitute a sale. However, if the service provider uses the data for its own marketing, analytics, or other purposes, and receives something of value in return, it becomes a sale. The ICDPA specifically addresses the ability of consumers to opt-out of this type of data sharing. The scenario describes a situation where a company shares data with a marketing analytics firm. If the marketing analytics firm uses this data to improve its own services or for its own business intelligence, and the original company receives some form of compensation or valuable consideration for this sharing, it falls under the definition of a sale, triggering the consumer’s right to opt-out. The ICDPA’s provisions on opt-out rights are crucial for understanding how data sharing agreements must be structured to comply with the law and respect consumer privacy. 
The law’s intent is to give individuals control over how their data is shared for commercial purposes beyond the initial transaction or service provision.
8. Question
A digital marketing firm operating within Indiana, “Hoosier Insights,” receives a verifiable request from a consumer to opt-out of the sale of their personal data, as permitted under the Indiana Consumer Data Protection Act (ICDPA). Hoosier Insights had previously shared this consumer’s data with a third-party analytics provider in exchange for valuable market trend reports. Following the consumer’s opt-out request, what is the most legally compliant course of action for Hoosier Insights regarding the previously shared data?
The Indiana Consumer Data Protection Act (ICDPA) grants consumers specific rights concerning their personal data. One of these rights is the right to opt-out of the sale of personal data. The ICDPA defines “sale” broadly to include any exchange of personal data for monetary or other valuable consideration. When a consumer exercises their right to opt-out of the sale of their personal data, a controller must honor this request. The controller must cease selling the personal data that is the subject of the opt-out request. The law does not require a controller to provide a specific reason for ceasing the sale, nor does it mandate that the controller obtain a waiver or release of liability from the consumer. The primary obligation is to respect the consumer’s decision to opt-out of the sale of their data. Therefore, the most appropriate action for the controller is to cease the sale of the consumer’s personal data.
9. Question
A digital marketing firm based in Indianapolis collects personal data from Indiana residents who interact with its clients’ websites. The firm then shares aggregated, anonymized data with a market research company to identify emerging consumer trends. The market research company provides the digital marketing firm with detailed reports on these trends, which the firm uses to refine its advertising strategies for its clients, thereby increasing client engagement and revenue. Under the Indiana Consumer Data Protection Act (ICDPA), what is the most accurate characterization of this data sharing arrangement?
The Indiana Consumer Data Protection Act (ICDPA), effective January 1, 2023, grants consumers rights concerning their personal data. One crucial aspect is the right to opt-out of the sale of personal data. The ICDPA defines “sale” broadly to include the exchange of personal data for monetary or other valuable consideration. When a controller shares personal data with a third party for targeted advertising, and this sharing involves any form of valuable consideration, it constitutes a sale under the ICDPA. This includes situations where the third party uses the data to improve their own services or for other mutually beneficial purposes that are not strictly necessary for providing the service requested by the consumer. Therefore, if a business shares consumer data with an analytics firm in exchange for insights that enhance the business’s marketing strategies or product development, and this exchange is not essential for the core service the consumer engaged with, it falls under the definition of a sale requiring an opt-out mechanism. The core principle is the transfer of data for something of value beyond the direct provision of a requested service.
10. Question
A technology firm based in Indiana, “Hoosier Innovations,” processes a substantial amount of consumer data. A consumer, Mr. Abernathy, residing in Fort Wayne, Indiana, submits a valid request to Hoosier Innovations to opt-out of the sale of his personal data, which includes his browsing history and purchase preferences. Hoosier Innovations also processes sensitive data, such as Mr. Abernathy’s inferred political leanings, based on his online activity, which was collected without explicit consent. Considering the provisions of the Indiana Consumer Data Protection Act (ICDPA), what is the primary obligation of Hoosier Innovations upon receiving Mr. Abernathy’s opt-out request for the sale of his personal data, and what is the implication of processing sensitive data without explicit consent?
Correct
The Indiana Consumer Data Protection Act (ICDPA) grants consumers rights regarding their personal data, including the right to access, correct, delete, and opt-out of the sale of personal data. When a consumer exercises their right to opt-out of the sale of personal data, the controller must cease selling that personal data. The law defines “sale” broadly to include the exchange of personal data for monetary or other valuable consideration. The ICDPA does not mandate a specific timeframe for a controller to cease processing personal data after a valid request for deletion, but it requires controllers to respond to consumer requests without undue delay and in any case within 45 days. The act also requires controllers to provide consumers with a clear and conspicuous notice of their rights, including the right to opt-out of the sale of personal data. The definition of “personal data” under the ICDPA is broad, encompassing information that is linked or reasonably linkable to an identified or identifiable natural person. Sensitive data, such as precise geolocation, racial or ethnic origin, and health information, receives heightened protection and requires explicit consent for processing. Controllers must implement reasonable security safeguards to protect personal data. The ICDPA does not explicitly create a private right of action for consumers to sue for violations, but it does grant enforcement authority to the Indiana Attorney General. The act requires businesses to conduct and document data protection assessments for certain high-risk processing activities, including the sale of personal data.
11. Question
A technology firm, operating extensively within Indiana and subject to the Indiana Consumer Data Protection Act (INCDPA), experiences a significant data breach that exposes the sensitive personal information of thousands of Hoosier residents. Following the breach, several affected individuals discover that their data was inadequately protected due to the firm’s failure to conduct a required data protection assessment for the processing activities that led to the breach. Considering the enforcement mechanisms available under Indiana law, what is the primary recourse for these individuals seeking to hold the firm accountable for the statutory non-compliance?
Correct
Indiana’s data privacy landscape, while evolving, does not currently mandate a specific private right of action for individuals to sue for violations of its data security requirements or general privacy protections under statutes like the Indiana Consumer Data Protection Act (INCDPA). The INCDPA, which became effective January 1, 2023, outlines obligations for businesses regarding the processing of personal data, including requirements for data protection assessments and consumer rights such as access, correction, deletion, and opting out of the sale of personal data. However, enforcement of the INCDPA is primarily vested in the Indiana Attorney General. Unlike some other states that have established explicit private rights of action, Indiana’s law does not grant individuals the ability to initiate private lawsuits for alleged violations of these provisions. Therefore, while consumers have rights and businesses have obligations, the mechanism for enforcing these rights against a business that fails to comply with the INCDPA does not include a direct private cause of action for damages or injunctive relief. This means that the Attorney General is the primary enforcer, rather than individual consumers bringing their own legal cases.
12. Question
A retail establishment located in Indianapolis, Indiana, begins utilizing a facial recognition system at its store entrances to track customer foot traffic and identify potential shoplifters. The system captures and stores images of customers’ faces. Which of the following principles would be most critical for the establishment to adhere to under Indiana’s general consumer protection and data handling expectations, even in the absence of a specific Indiana biometric privacy statute?
Correct
Indiana’s approach to data privacy, particularly concerning biometric data, emphasizes the consent of the consumer and the establishment of clear data retention policies. While Indiana does not have a comprehensive data privacy law akin to the California Consumer Privacy Act (CCPA) or the Illinois Biometric Information Privacy Act (BIPA), specific provisions regarding sensitive data types can be inferred from existing statutes and general consumer protection principles. In the absence of a specific Indiana biometric privacy statute, general principles of data security, notice, and consent would apply. For instance, if a business operating in Indiana collects biometric data, such as fingerprints or facial scans, for identification or access control, they would be expected to provide clear notice to individuals about the type of data collected, the purpose of collection, and how long it will be retained. Obtaining explicit consent before collection is also a best practice and often a legal requirement under broader data security or consumer protection frameworks, even if not explicitly detailed for biometrics in a standalone law. The core concept is that individuals should be informed and have control over the collection and use of their unique biological identifiers. The question tests the understanding of how existing legal principles might apply in the absence of specific legislation for a particular data type, focusing on the foundational elements of data privacy: notice, consent, and purpose limitation. The most accurate response would reflect the general expectation of responsible data handling, emphasizing informed consent and clear policies, which are foundational to most privacy frameworks.
13. Question
A technology firm, “Synergy Solutions,” based in Chicago, Illinois, offers cloud-based project management software. This software is accessible to businesses nationwide. Synergy Solutions’ internal data analysis for the preceding calendar year indicates that they processed the personal data of 45,000 Indiana residents who are using their software for their businesses. Additionally, they processed the personal data of an additional 10,000 Indiana residents who are using the software in a personal capacity for freelance work. The firm also notes that personal data processed solely for completing financial transactions related to software subscriptions for all users amounts to an additional 20,000 unique Indiana residents. Considering the applicability thresholds of the Indiana Consumer Data Protection Act (ICDPA), under which condition would Synergy Solutions be subject to the ICDPA’s provisions regarding the number of consumers whose personal data is processed?
Correct
Indiana’s data privacy landscape, while not as comprehensive as some other states like California, establishes specific requirements for businesses handling consumer data. The Indiana Consumer Data Protection Act (ICDPA), effective January 1, 2023, aligns with many principles found in other state privacy laws. A key aspect of the ICDPA, similar to the Connecticut Data Privacy Act (CTDPA) and the Utah Consumer Privacy Act (UCPA), is the definition of a “consumer” and the thresholds for applicability. For the ICDPA, a consumer is defined as a resident of Indiana acting in an individual capacity, not in a commercial or employment context. The law applies to controllers that conduct business in Indiana or produce products or services targeted to residents of Indiana and that during the preceding calendar year, processed or engaged in activities that involved the personal data of at least 50,000 Indiana consumers, excluding personal data processed solely for the purpose of completing a financial transaction. Alternatively, it applies to controllers that control or process the personal data of at least 30,000 Indiana consumers and derive more than 25% of their gross revenue from selling personal data. The question asks about the threshold for a controller to be subject to the ICDPA based on the number of consumers whose personal data is processed, excluding data processed solely for financial transactions. Therefore, the correct threshold is 50,000 consumers.
14. Question
A retail company based in Indiana, operating under the Indiana Consumer Data Protection Act (ICDPA), receives a direct request from a consumer to share their purchase history with a complementary lifestyle brand for the purpose of the consumer receiving exclusive discounts from that brand. The Indiana company agrees to this disclosure. Under the ICDPA’s framework for defining “sale” of personal data, what is the most accurate characterization of this disclosure?
Correct
The Indiana Consumer Data Protection Act (ICDPA) grants consumers specific rights regarding their personal data. Among these rights is the right to opt-out of the sale of personal data. While the ICDPA defines “sale” broadly to include exchanges for monetary or other valuable consideration, it carves out specific exceptions. One significant exception pertains to disclosures to service providers. Under IC 24-4.9-2-17, a disclosure of personal data to a service provider for the purpose of providing a product or service requested by the consumer, or for the purpose of processing or maintaining the data on behalf of the controller, is not considered a sale, provided that the controller has provided appropriate notice and the service provider agrees not to use the personal data for any other purpose. Another exception, outlined in IC 24-4.9-2-17(2), involves disclosures to third parties to whom the consumer has directed the controller to disclose personal data. Therefore, when a controller discloses personal data to a third party for the specific purpose of fulfilling a consumer’s direct request for that third party’s product or service, and this disclosure is not part of a broader commercial transaction for valuable consideration beyond the direct service provision, it generally falls outside the definition of a “sale” under the ICDPA. This distinction is crucial for businesses operating in Indiana to ensure compliance with the opt-out provisions.
15. Question
An online retailer, “Hoosier Haberdashery,” based in Illinois, offers bespoke tailoring services and sells custom-made apparel. During the previous calendar year, Hoosier Haberdashery processed the personal data of 80,000 residents of Indiana. Of these 80,000 Indiana residents, the personal data of 40,000 individuals was sold to third-party marketing firms. However, the revenue generated from these data sales accounted for only 15% of Hoosier Haberdashery’s total gross revenue for that year. Considering the applicability thresholds outlined in the Indiana Consumer Data Protection Act (ICDPA), would Hoosier Haberdashery be considered a “controller” or “processor” subject to the ICDPA’s requirements?
Correct
The Indiana Consumer Data Protection Act (ICDPA) defines a “business” as an entity that conducts business in Indiana or produces products or services targeted to residents of Indiana and alone or jointly determines the purposes and means of processing personal data. The law specifies thresholds for applicability. A business is subject to the ICDPA if, in the preceding calendar year, it controlled or processed the personal data of at least 100,000 Indiana consumers, excluding personal data processed solely for the purpose of completing an electronic funds transfer. Alternatively, a business is subject if it controlled or processed the personal data of at least 30,000 Indiana consumers and derived more than 25% of its gross revenue from selling personal data. The question posits a scenario where a business processes the personal data of 80,000 Indiana residents, with 40,000 of those residents’ data being sold for revenue. The crucial detail is that the revenue derived from selling this data constitutes only 15% of the business’s gross revenue. Therefore, neither threshold is met. The first threshold requires 100,000 consumers (or 30,000 if the revenue from selling data is over 25% of gross revenue). The second threshold requires 30,000 consumers *and* more than 25% of gross revenue from selling data. Since the business processes 80,000 consumers’ data, it meets the consumer count for the second threshold, but it fails to meet the revenue requirement (15% is not more than 25%). It also fails the first threshold because 80,000 is less than 100,000 and the revenue condition for the reduced consumer threshold is not met. Thus, the business is not subject to the ICDPA.
16. Question
A technology firm, headquartered and operating exclusively within Ohio, offers a subscription-based digital content platform accessible online. This platform is specifically marketed and promoted through targeted advertising campaigns to individuals residing in Indiana, and it collects and processes personal data of these Indiana residents. Under the Indiana Consumer Data Protection Act (ICDPA), what is the most accurate determination regarding the applicability of the ICDPA to this Ohio-based technology firm?
Correct
The Indiana Consumer Data Protection Act (ICDPA) defines a “business” as an entity that conducts business in Indiana or produces products or services targeted to Indiana residents and that meets certain thresholds. For the purposes of data breach notification, the ICDPA, like many state laws, requires businesses to notify affected consumers and the Indiana Attorney General in the event of a data breach. The specific thresholds for applicability of the ICDPA generally relate to the amount of personal data processed or controlled. While the ICDPA does not mandate a specific calculation for determining “business” status based on revenue or number of consumers processed, it does establish criteria for when an entity falls under its purview. The question tests the understanding of which entities are subject to Indiana’s data protection laws, particularly concerning their operations and the residency of the individuals whose data they process. An entity processing data of Indiana residents, regardless of its physical presence in Indiana, can be subject to the law if it targets those residents or meets other nexus criteria. Therefore, a business operating solely in Ohio but targeting Indiana residents with its online services, and processing their personal data, would likely fall under the scope of the ICDPA. The calculation is not a numerical one but rather an assessment of whether the entity’s activities and data processing meet the statutory definitions and thresholds for applicability under Indiana law. The ICDPA’s definition of a “business” is broad enough to encompass entities with a significant nexus to Indiana through their targeting of residents and processing of their data, even if they lack a physical presence.
17. Question
A cybersecurity incident at an Indianapolis-based fintech company, “HoosierFinTech Solutions,” results in unauthorized access to a database containing the names, email addresses, and encrypted social security numbers of over 750,000 Indiana residents. The company’s internal investigation, completed within 48 hours, confirms that the encryption used for social security numbers was robust and that there is no indication of decryption or misuse of this specific data element. However, the names and email addresses were exposed in plain text. The company’s legal counsel is determining the most appropriate method of notification under the Indiana Consumer Data Protection Act (ICDPA), considering the cost and reach of various notification strategies. Which of the following notification methods would be most compliant with the ICDPA’s provisions for substitute notice, given the circumstances?
Correct
The Indiana Consumer Data Protection Act (ICDPA) establishes specific requirements for data breach notifications. When a data breach occurs that is reasonably likely to cause substantial harm to consumers or if the entity is required to notify by federal law, the entity must provide notification without unreasonable delay. The notification must be a written notice delivered by mail or, if the consumer has agreed to receive electronic notices, by email. It must include, at a minimum, a summary of the reasonably prompt investigation into the breach, the date or approximate date of the breach, the type of personal information involved, and steps the consumer can take to protect themselves. The ICDPA does not mandate a specific timeframe for notification, but rather requires it to be done “without unreasonable delay.” However, the law does allow for delay if a law enforcement agency determines that notification would impede an investigation. The notification must also include contact information for the entity. The law’s focus is on the likelihood of harm and the nature of the compromised data, rather than a fixed number of days for notification. The ICDPA also allows for substitute notice if the cost of providing direct notice would exceed a certain threshold or if the entity lacks sufficient contact information for a specified percentage of affected individuals. This substitute notice must be in writing, delivered by mail or email, or if the entity reasonably determines that the cost of providing notice would exceed $250,000, or the affected class of persons to be notified exceeds 500,000 persons, or if the entity does not have sufficient contact information for at least 500 persons, then the entity may provide substitute notice.
Substitute notice may be accomplished by: (1) email notice, if the entity has obtained consent to receive personal information in electronic form; (2) conspicuous posting on the entity’s internet website or a generally accessible internet website; or (3) notification to the media, including a prominent statewide newspaper, radio, and television broadcast. The key is that the substitute notice must be reasonably calculated to inform affected individuals.
18. Question
An analytics firm operating nationally is evaluating its compliance obligations under the Indiana Consumer Data Protection Act (ICDPA). Consider the following distinct operational profiles: Profile A: The firm processes personal data for 120,000 Indiana residents, with 40,000 of these individuals’ data being sold to third-party advertisers. The remaining 80,000 individuals’ data is processed for targeted advertising within the firm’s own platforms. All data is identifiable. Profile B: The firm processes personal data for 25,000 Indiana residents, primarily for internal market research. No data is sold to any third parties. The data is identifiable. Profile C: The firm processes the anonymized and aggregated data of 500,000 former Indiana residents for historical trend analysis. This data has undergone a rigorous de-identification process and cannot be reasonably linked back to any individual. Profile D: The firm processes the personal data of 50,000 Indiana residents, but this data is exclusively collected and processed under a valid, existing contract governed by the Health Insurance Portability and Accountability Act (HIPAA). Which of these operational profiles, based on the criteria outlined in the Indiana Consumer Data Protection Act, would necessitate compliance with the Act’s requirements for the data processing activities described?
Correct
The Indiana Consumer Data Protection Act (ICDPA), enacted in 2023, establishes a framework for the collection, processing, and sale of personal data of Indiana residents. A key aspect of this legislation, similar to many other state privacy laws, is the definition of a “consumer” and the scope of data covered. The ICDPA defines a consumer as a natural person who is a resident of Indiana. It also specifies that the law applies to persons who conduct business in Indiana or produce products or services targeted to Indiana residents, and who process or engage in the sale of personal data of at least 100,000 Indiana consumers or control or process the personal data of at least 30,000 Indiana consumers. The definition of “personal data” under the ICDPA is broad, encompassing any information that is linked or reasonably linkable to an identified or identifiable natural person. However, the law explicitly exempts certain types of data from its purview. These exemptions are crucial for understanding the boundaries of the legislation. Specifically excluded are de-identified data, publicly available information, and data processed or maintained pursuant to specific federal laws such as the Health Insurance Portability and Accountability Act (HIPAA) or the Children’s Online Privacy Protection Act (COPPA). The question probes the understanding of which entity’s data processing activities would fall under the ICDPA’s jurisdiction, given specific thresholds and data types. To determine the correct answer, one must evaluate each scenario against the ICDPA’s applicability thresholds and exemptions. A company processing the personal data of 150,000 Indiana residents, where 50,000 of those residents are identified through specific unique identifiers, and the remaining 100,000 are identified through aggregated, de-identified data, would still be subject to the law. 
The threshold for controlling or processing personal data is 30,000 consumers, and the threshold for selling personal data is 100,000 consumers. Since the company processes the data of 150,000 Indiana residents, it meets the processing threshold. The fact that some data is de-identified does not negate the applicability of the law to the data that is not de-identified. The scenario that does not meet the thresholds or falls under an exemption would be the one that is not covered. For instance, a company that only processes de-identified data for research purposes, regardless of the number of individuals whose data was originally processed, would be exempt. Similarly, a company processing the data of fewer than 30,000 Indiana consumers and not selling any data would not be covered. The question requires careful consideration of both the quantity of data processed and the nature of that data in relation to the ICDPA’s defined exemptions.
19. Question
Hoosier Health Solutions, an Indiana-based telehealth provider, experienced significant growth in the preceding calendar year. The company’s platform facilitates remote consultations and manages patient health records for individuals residing within Indiana. Analysis of their operations reveals that they processed the personal data of 120,000 Indiana residents. Furthermore, 40% of their gross revenue was derived from the sale of de-identified health trend data to third-party research firms. Under the Indiana Consumer Data Protection Act (ICDPA), what is the primary basis for Hoosier Health Solutions being considered a “business” subject to the Act’s requirements?
Correct
The Indiana Consumer Data Protection Act (ICDPA) defines a “business” as an entity that alone, or jointly with others, determines the purposes and means of processing personal data and meets certain thresholds. These thresholds are designed to capture businesses with a significant presence or impact within Indiana. Specifically, a business is subject to the ICDPA if, in the preceding calendar year, it conducted business in Indiana and controlled or processed the personal data of at least 100,000 Indiana consumers, OR if it derived 50% or more of its gross revenue from selling personal data of Indiana consumers and processed or controlled the personal data of at least 30,000 Indiana consumers. The scenario describes a company, “Hoosier Health Solutions,” that operates a telehealth platform, collects health information, and has a substantial Indiana customer base. The key is to determine if their data processing activities and revenue streams align with the ICDPA’s applicability thresholds. Hoosier Health Solutions processed the personal data of 120,000 Indiana consumers in the preceding calendar year. This figure directly meets the first threshold: conducting business in Indiana and processing the personal data of at least 100,000 Indiana consumers. Therefore, Hoosier Health Solutions is considered a “business” under the ICDPA and is subject to its provisions, regardless of its revenue derived from selling personal data. The calculation is straightforward: 120,000 (consumers processed) is greater than or equal to 100,000 (threshold for consumer processing).
20. Question
Consider a scenario where an Indiana resident, Anya, has a service contract with a digital media company based in Indianapolis that is subject to the Indiana Consumer Data Protection Act (ICDPA). Anya exercises her right to request the deletion of her personal data. The company, “PixelStream,” has collected Anya’s viewing history, account information, and payment details. PixelStream’s internal policy requires them to retain payment transaction data for seven years due to financial auditing requirements, even if the customer relationship has ended. Anya’s service contract has recently concluded, and she has requested the deletion of all her personal data. Which of the following statements accurately reflects PixelStream’s obligations under the ICDPA regarding Anya’s data deletion request, considering the company’s retention policy?
Correct
Indiana’s approach to data protection, particularly concerning consumer rights and business obligations, often involves a careful balancing act. The Indiana Consumer Data Protection Act (ICDPA), like many state-level privacy laws, grants consumers specific rights regarding their personal data. These rights typically include the right to access, correct, delete, and opt-out of the sale of personal data. For businesses, the ICDPA mandates transparency through privacy policies, data minimization principles, and security safeguards. When a consumer exercises their right to deletion, the law generally requires the controller to delete the personal data without undue delay, subject to certain exceptions. These exceptions can include legal obligations to retain the data, the need to complete a transaction for which the data was collected, or for internal uses reasonably aligned with the consumer’s relationship with the controller, or to comply with legal obligations. The key is that the retention must be necessary for the specified purpose and not for unrelated uses. Therefore, if the data is needed to fulfill an ongoing contractual obligation or a legally mandated retention period, the controller may retain it. However, if the data is no longer necessary for any of these permitted reasons, it must be deleted. The ICDPA, in its general framework, aligns with this principle of necessary retention.
21. Question
Consider a hypothetical technology firm, “Innovate Solutions Inc.,” headquartered in California, which offers cloud-based productivity software. During the preceding calendar year, Innovate Solutions Inc. processed the personal data of 90,000 Indiana residents. The firm’s total gross annual revenue from all its operations was \$30 million. Furthermore, 15% of this gross annual revenue was derived from the sale of personal data of its customers, which included Indiana residents. Based on the Indiana Consumer Data Protection Act (ICDPA), does Innovate Solutions Inc. qualify as a “business” subject to the ICDPA’s provisions?
Correct
The Indiana Consumer Data Protection Act (ICDPA) defines a “business” as an entity that alone, or jointly with others, determines the purposes and means of processing personal data and offers goods or services to residents of Indiana or is engaged in business in Indiana. The law specifies thresholds for applicability based on annual revenue from selling personal data, controlling or participating in the sale of personal data, or deriving revenue from targeted advertising. Specifically, a business is subject to the ICDPA if, in the preceding calendar year, it met at least one of the following criteria: (1) controlled or processed the personal data of at least 100,000 Indiana consumers, excluding personal data processed solely for the purpose of completing an electronic funds transfer; or (2) controlled or processed the personal data of at least 30,000 Indiana consumers and derived more than 20% of its gross annual revenue from the sale of personal data. The calculation of “gross annual revenue” in this context refers to the total revenue generated by the business from all sources, not solely from the sale of personal data. Therefore, if a business’s gross annual revenue from all sources exceeds \$25 million, and it meets either the consumer data threshold or the revenue-from-sale-of-data threshold, it is considered a “business” under the ICDPA. The question tests the understanding of these applicability thresholds, focusing on the gross annual revenue metric in conjunction with data processing volumes.
22. Question
A digital marketing firm, based exclusively in Illinois, specializes in providing analytics services to businesses that operate solely within the state of Illinois. This firm has no physical presence, no employees, and no targeted advertising campaigns directed at residents of Indiana. However, a small, incidental number of Illinois-based clients inadvertently collect and share data from individuals who happen to be temporarily residing in Indiana. The firm’s total processing of personal data, even considering these incidental instances, does not exceed the thresholds outlined for applicability under Indiana’s privacy regulations. Under these circumstances, which of the following best describes the firm’s obligation, if any, regarding Indiana’s consumer data protection laws?
Correct
The Indiana Consumer Data Protection Act (ICDPA) defines a “business” as any entity that conducts business in Indiana or produces products or services that are targeted to consumers in Indiana and that alone or jointly determines the purposes and means of processing personal data. The ICDPA applies to controllers and processors that meet certain thresholds. Specifically, a controller or processor must process personal data of at least 100,000 Indiana consumers, or control or process personal data of at least 30,000 Indiana consumers and derive more than 25% of their gross revenue from the sale of personal data. The question asks about an entity that operates solely in Illinois, does not target Indiana consumers, and does not have any physical presence or employees in Indiana. Such an entity would not meet the jurisdictional nexus required by the ICDPA. The law’s applicability is generally tied to the location of the consumer whose data is being processed or the entity’s conduct directed towards Indiana residents. Since the scenario explicitly states no targeting of Indiana consumers and no connection to Indiana, the ICDPA would not apply.
23. Question
A business operating within Indiana, subject to the Indiana Consumer Data Protection Act (ICDPA), receives a verified consumer request to opt-out of the sale of their personal data. The business processes this request on a Tuesday. According to the ICDPA’s provisions regarding consumer rights and controller obligations, what is the maximum statutory timeframe within which the business must comply with this opt-out request, assuming no extraordinary circumstances necessitate an extension?
Correct
The Indiana Consumer Data Protection Act (ICDPA) establishes specific requirements for data controllers and processors concerning the collection, processing, and safeguarding of personal data. When a data controller in Indiana receives a consumer request to opt-out of the sale of personal data, the controller must comply within a reasonable period. The ICDPA defines “sale” broadly to include the exchange of personal data for monetary or other valuable consideration, regardless of whether the consideration is direct or indirect. It also specifies that a controller must provide consumers with a clear and conspicuous link on their website titled “Do Not Sell or Share My Personal Information” to facilitate these opt-out requests. The act mandates that upon receiving such a request, the controller must honor it within 45 days, with a possible extension of an additional 45 days if reasonably necessary, provided the consumer is informed of the extension. This framework is designed to empower consumers with control over how their personal information is disseminated, aligning with broader trends in state-level privacy legislation across the United States, such as those in California and Virginia, while retaining Indiana’s specific statutory language and enforcement mechanisms. The core principle is to provide a robust mechanism for consumers to limit the commercial exploitation of their data.
24. Question
A retail company based in Indianapolis, operating primarily within Indiana, collects customer purchase history and browsing data. This data is used internally to personalize product recommendations. The company also shares aggregated, de-identified demographic information with a marketing analytics firm to understand broader consumer trends, with no direct or indirect monetary exchange for this specific data. Additionally, they share specific customer contact details with a third-party logistics provider solely for the purpose of delivering purchased goods directly to the customer’s specified address. Under the Indiana Consumer Data Protection Act (ICDPA), which of the following scenarios would most likely NOT be considered a “sale” of personal data by the retail company?
Correct
The Indiana Consumer Data Protection Act (ICDPA) grants consumers specific rights concerning their personal data. One of these rights is the right to opt-out of the sale of personal data. The ICDPA defines “sale” broadly to include the exchange of personal data for monetary or other valuable consideration. However, the act also carves out specific exceptions where an exchange of personal data does not constitute a sale. These exceptions are crucial for understanding the scope of the opt-out right. Specifically, the ICDPA clarifies that sharing personal data with a processor that processes the data on behalf of the controller, or sharing data with a third party for purposes for which the consumer has received a prior disclosure and has not opted out, does not constitute a sale. Furthermore, sharing data with a third party for the purpose of providing a product or service requested by the consumer, or for purposes compatible with the context in which the consumer provided the data, and where the third party does not use the data for unrelated purposes, is also excluded from the definition of sale. The act also excludes sharing data with a third party to whom the personal data has been transferred as part of a merger, acquisition, or other similar transaction, provided the subsequent controller or processor adheres to the same privacy commitments. The core principle is that if the data transfer is for a direct service to the consumer, or for business operational needs without the intent of profiting from the data itself in a way that benefits the controller beyond the direct transaction, it is generally not considered a sale under Indiana law.
25. Question
A resident of Indianapolis, Ms. Anya Sharma, submitted a verifiable request to a data controller operating within Indiana, seeking to know what personal data the controller possessed about her and how it was being processed. The controller received this request on March 1st. Under the provisions of the Indiana Consumer Data Protection Act, what is the absolute latest date by which the controller must provide Ms. Sharma with a substantive response, assuming no reasonable necessity for an extension has been established?
Correct
The Indiana Consumer Data Protection Act (ICDPA) grants consumers specific rights regarding their personal data. One such right is the right to access. When a consumer requests access to their personal data, a controller must respond within a specified timeframe. The ICDPA mandates that a controller must respond to a consumer request without undue delay and, in any case, within 45 days of receiving the request. This period can be extended by an additional 45 days when reasonably necessary, provided the controller informs the consumer of such an extension and the reasons for the delay within the initial 45-day period. This timeframe is crucial for ensuring timely access to information and is a key compliance obligation for businesses operating under the ICDPA. The law emphasizes transparency and consumer control over personal information.
26. Question
A resident of Indianapolis, acting under the provisions of the Indiana Consumer Data Protection Act (ICDPA), submits a request to a financial technology company headquartered in Fort Wayne to delete their personal data. The company, after reviewing the request, determines that certain data is subject to legal retention requirements under federal banking regulations and therefore cannot be deleted. The company denies the deletion request. According to the ICDPA’s procedural requirements for handling consumer requests and appeals, what is the immediate next step the company must take after denying the consumer’s deletion request?
Correct
The Indiana Consumer Data Protection Act (ICDPA), codified in Indiana Code Title 24, Article 4.9, establishes specific rights for consumers regarding their personal data and obligations for controllers. A key aspect of the ICDPA is the process for consumers to exercise their rights, such as the right to access, correct, delete, or opt-out of the sale of personal data. When a consumer submits a request, a data controller must respond within a specified timeframe, typically 45 days, with a possible extension of another 45 days if reasonably necessary and the consumer is informed of the extension. The law mandates that controllers provide consumers with a means to appeal a refusal to take action on a request. This appeal process is a critical safeguard. If a controller denies a consumer’s request, they must provide the consumer with a written explanation for the denial, outlining the reasons and instructions on how to appeal. The appeal must be submitted within a reasonable period, and the controller then has an additional 45 days to respond to the appeal, again with a potential extension. This structured process ensures that consumers have recourse and that data controllers are accountable for their decisions regarding consumer data rights. The ICDPA’s emphasis on appeal mechanisms reflects a broader trend in data privacy legislation to provide robust consumer protection and due process in data management.
Question 27 of 30
A burgeoning e-commerce platform based in Indianapolis, which primarily serves customers across the United States but has a significant customer base within Indiana, begins processing detailed health-related information for personalized product recommendations. This processing involves inferring potential health conditions based on purchase history and browsing behavior. The company employs a team of 50 individuals and has not yet appointed a Data Protection Officer. Given the nature of the data being processed and the potential for consumer harm due to inaccuracies or breaches of this sensitive information, what is the most appropriate compliance step mandated by the Indiana Consumer Data Protection Act (ICDPA) for this specific scenario?
Correct
The Indiana Consumer Data Protection Act (ICDPA) requires businesses that conduct business in Indiana and meet certain thresholds to implement specific data protection measures. One key aspect is the requirement for a Data Protection Officer (DPO) if the processing of personal data involves sensitive data or if the processing activities present a heightened risk of harm to consumers. The ICDPA, similar to other state privacy laws, outlines specific duties for controllers, including conducting and documenting data protection assessments for processing activities that involve sensitive data or that present a significant risk of harm. These assessments are crucial for identifying and mitigating risks associated with data processing. The law also mandates that controllers provide consumers with clear and accessible privacy notices, outlining the categories of personal data collected, the purposes of processing, and consumers’ rights. The requirement for a DPO is not absolute for all businesses but is triggered by the nature and risk of data processing activities. The ICDPA does not mandate a specific number of employees as a trigger for requiring a DPO, but rather the type of data processed and the associated risks. Therefore, a business processing sensitive data, even with a smaller workforce, might be required to appoint a DPO and conduct data protection assessments. The law emphasizes transparency and consumer control over personal data.
Question 28 of 30
A digital marketing firm, headquartered in California, specializes in providing targeted advertising analytics for businesses operating nationwide. During the previous calendar year, the firm processed the personal data of 120,000 individuals residing in Indiana. Of these Indiana consumers, the firm processed personal data for 90,000 individuals solely to facilitate their participation in a national online loyalty program that involved secure electronic fund transfers for purchases made through the program. For the remaining 30,000 Indiana consumers whose data was processed, the firm also derived 20% of its gross revenue from the sale of their aggregated, anonymized consumer profiles to third-party market research companies. Under the Indiana Consumer Data Protection Act (ICDPA), is this digital marketing firm considered a “business” subject to the Act’s provisions?
Correct
The Indiana Consumer Data Protection Act (ICDPA) defines a “business” as an entity that conducts business in Indiana or produces products or services that are targeted to consumers in Indiana and that alone or jointly determines the purposes and means of processing personal data. It further specifies thresholds for applicability. A business is subject to the ICDPA if, in the preceding calendar year, it controlled or processed the personal data of at least 100,000 Indiana consumers, excluding personal data processed solely for the purpose of completing an electronic funds transfer. Alternatively, a business is subject to the ICDPA if it controlled or processed the personal data of at least 30,000 Indiana consumers and derived more than 25% of its gross revenue from selling personal data. These thresholds are designed to capture businesses with a significant presence and impact on Indiana consumers’ data privacy. Understanding these quantitative measures is crucial for determining legal obligations under the ICDPA, which includes requirements for data subject rights, transparency, and data security. The law aims to provide a framework for responsible data handling by entities operating within or affecting the state.
Question 29 of 30
A biotechnology firm based in Indianapolis, “GeneVista Analytics,” specializes in analyzing genetic predispositions for certain diseases. They collect DNA samples from individuals who voluntarily participate in their research studies, with the explicit understanding that the genetic information will be used to identify patterns related to disease markers. Under the Indiana Consumer Data Protection Act (ICDPA), what is the most accurate classification of the genetic data collected by GeneVista Analytics, and what is the primary legal obligation the firm must fulfill before processing this data?
Correct
The Indiana Consumer Data Protection Act (ICDPA), codified at Indiana Code Chapter 24-4.9, establishes specific rights for consumers regarding their personal data and obligations for businesses that collect and process this data. A key aspect of the ICDPA is the definition of “sensitive data” and the heightened requirements for its processing. Sensitive data, as defined in the act, includes a narrow set of categories such as data revealing racial or ethnic origin, religious or philosophical beliefs, union membership, precise geolocation, genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health, and data concerning sex life or sexual orientation. The ICDPA mandates that a controller must obtain a consumer’s consent before processing sensitive data. This consent must be freely given, specific, informed, and an unambiguous indication of the consumer’s wishes. Furthermore, the act requires controllers to provide clear and conspicuous notice to consumers about the processing of sensitive data. This includes informing them of the categories of sensitive data being processed and the purposes for such processing. The law also grants consumers the right to opt out of the processing of their personal data for the purposes of targeted advertising or the sale of personal data, and the right to request deletion or correction of their personal data. For sensitive data, the opt-out right is particularly crucial, allowing consumers to prevent its further processing. The ICDPA’s provisions on sensitive data processing are designed to offer greater protection for particularly personal information, reflecting a growing awareness of the potential harms associated with the misuse of such data. The requirement for explicit consent before processing sensitive data is a cornerstone of this protective framework.
Question 30 of 30
Under the Indiana Consumer Data Protection Act (ICDPA), what is the minimum number of Indiana consumers whose personal data a business must control or process in the preceding calendar year to be subject to the Act, irrespective of revenue generated from the sale of such data?
Correct
The Indiana Consumer Data Protection Act (ICDPA) defines a “business” as an entity that conducts business in Indiana or produces products or services targeted to residents of Indiana and meets certain thresholds. These thresholds are based on the amount of personal data controlled or processed and the gross revenue. Specifically, a business is subject to the ICDPA if, in the preceding calendar year, it controlled or processed the personal data of at least 100,000 Indiana consumers, or controlled or processed the personal data of at least 30,000 Indiana consumers and derived more than 30% of its gross annual revenue from the sale of personal data. The question asks about the threshold for controlling or processing personal data of Indiana consumers, excluding revenue derived from the sale of personal data. Therefore, the relevant threshold is the control or processing of personal data of at least 100,000 Indiana consumers. This threshold is a direct application of the statutory definition of a “business” under the ICDPA, focusing on the volume of data processed rather than revenue from data sales. The ICDPA aims to protect consumer privacy by establishing rules for businesses that handle significant amounts of personal information from Indiana residents, ensuring transparency and consumer rights in data processing activities. Understanding these thresholds is crucial for businesses to determine their compliance obligations under Indiana law.