Activity at the state level continues to further complicate the overall privacy landscape. On May 1st, Indiana Governor Eric Holcomb signed into law Senate Bill 5 (S.B. 5), the Indiana Consumer Data Privacy Act (ICDPA). Indiana is the second state to pass a comprehensive data privacy law in 2023 (Iowa was the first, as I noted in a recent post to the Free State Foundation blog) and the seventh overall (after California, not once but twice, Virginia, Colorado, Connecticut, Utah, and the aforementioned Iowa).
Meanwhile, Montana and Tennessee could follow quickly: bills in both states have made it to their respective governors' desks.
Uniquely, and apparently to provide an opportunity to learn how similar (but by no means identical) statutes in other states fare, the ICDPA will not go into effect until July 1, 2026. (Currently, only the laws enacted in California and Virginia are in force. The big day in Colorado and Connecticut is July 1st of this year, in Utah it is December 31st, and in Iowa it is January 1, 2025.)
Based largely (though, again, not entirely) on the Virginia Consumer Data Protection Act, the ICDPA creates several consumer rights: to know, to access, to correct, to delete, and to port data, as well as the ability to opt out of its processing/sale.
And it requires businesses, among other things, to provide a privacy notice and other disclosures, to obtain affirmative consent before processing "sensitive personal data," to conduct data protection impact assessments, and to enter binding contracts with third-party data processors to ensure that they, too, respect consumer privacy rights.
The ICDPA will be enforced exclusively by the Indiana attorney general. (It does not establish a private right of action.) In addition, it provides businesses with a 30-day cure period.
At the federal level, the House Committee on Energy & Commerce's Innovation, Data, and Commerce Subcommittee held a hearing on April 27th titled "Addressing America's Data Privacy Shortfalls: How a National Standard Fills Gaps to Protect Americans' Personal Information." It was the sixth Committee hearing on the topic of privacy thus far this legislative session.
In a joint statement, Committee Chair Cathy McMorris Rodgers (R – WA) and Subcommittee Chair Gus Bilirakis (R – FL) wrote that "[t]he Energy and Commerce Committee is building momentum this Congress towards enacting comprehensive national privacy and data security legislation."
Fittingly, in his opening statement, Subcommittee Chair Bilirakis acknowledged that the data privacy picture "only gets more complicated as fifty different states move towards their own data privacy laws, meaning an increasingly complicated and confusing landscape for consumers and for business."