Rebooted data privacy bill moving through Statehouse
Subscriber Benefit
As a subscriber you can listen to articles at work, in the car, or while you work out. Subscribe Now
After her consumer data privacy legislation died in the House last year, a Fort Wayne lawmaker says she’s totally reworked the language and is optimistic the proposal will gain a better reception this year.
Sen. Liz Brown, a Republican, said Senate Bill 5 is “very very different” from the legislation that the General Assembly considered last year.
“I basically did an entire rewrite,” Brown said.
The Senate Commerce and Technology Committee voted 11-0 in favor of advancing the bill, which now moves to the full Senate.
Among other things, the legislation would give Indiana residents the right to correct inaccuracies in their personal data, opt out of the processing of their personal data, ask for copies of the data or request that the data be deleted. The bill also outlines responsibilities for the parties that control that data—for instance, requiring controllers to obtain consumer consent before processing sensitive data, such as a person’s race, mental or physical health diagnosis, genetic data or precise geolocation data.
The bill defines personal data as information that is “linked or reasonably linkable to an identified or identifiable individual.” It does not include data that has been aggregated, de-identified or is publicly available.
There is no federal law governing data privacy, and the issue has been a hot topic among state legislatures in recent years. California, Colorado, Connecticut, Utah and Virginia have all enacted comprehensive data privacy laws, and Indiana is among a number of other states whose legislatures have taken up the issue.
The current Indiana bill is modeled after Virginia’s law, which is generally considered to be more business-friendly than the law that California adopted. One difference, for instance, is that the Indiana bill gives enforcement power to the Indiana Attorney General’s Office, meaning that individuals cannot pursue litigation on their own. The Virginia law also follows that model. In California, individuals are allowed to directly sue entities that they believe have violated the state’s data privacy laws.
California’s law is modeled after the European Union’s General Data Protection Regulation, or GDPR, which took effect in 2018.
Brown’s bill would also exempt companies that fall beneath certain thresholds. It would apply only to entities that control or process personal data from at least 100,000 consumers per year (or 25,000 consumers if the company derives more than 50% of its gross revenues from the sale of personal data).
“We don’t want a barrier to entry to startups,” Brown said.
Brown said she modeled her 2022 legislation after the GDPR, but after getting feedback during the last legislative session she came up with a bill that more closely mirrors Virginia’s law.
Brown has been “very collaborative with industry and other folks” in reworking the legislation, said Jennifer Hallowell, the executive director of the Indiana Technology and Innovation Association.
The Indianapolis-based association, which lobbies on behalf of the state’s tech industry, did not take a position on Brown’s data privacy legislation last year. Hallowell said the association’s preference is for a federal data privacy standard, but in the absence of a federal law, it supports Brown’s bill.
Hallowell testified in support of SB 5 at Thursday’s committee hearing.
“Our hope is the Virginia and Indiana frameworks can be the model for an eventual federal standard,” Hallowell told the committee, according to a copy of her remarks provided to IBJ.
If SB 5 passes in the Senate, it would then move to the House for consideration.