Rebooted data privacy legislation making its way through Statehouse

After her consumer data privacy legislation died in the House last year, a Fort Wayne lawmaker says she’s totally reworked the language and is optimistic the proposal will gain a better reception this year.

Sen. Liz Brown, a Republican, said Senate Bill 5 is “very very different” from the legislation that the General Assembly considered last year.

“I basically did an entire rewrite,” Brown said.

The Senate Commerce and Technology Committee voted 11-0 in favor of advancing the bill, which now moves to the full Senate.

Among other things, the legislation would give Indiana residents the right to correct inaccuracies in their personal data, opt out of the processing of their personal data, ask for copies of the data or request that the data be deleted. The bill also outlines responsibilities for the parties that control that data—for instance, requiring controllers to obtain consumer consent before processing sensitive data, such as a person’s race, mental or physical health diagnosis, genetic data or precise geolocation data.

The bill defines personal data as information that is “linked or reasonably linkable to an identified or identifiable individual.” It does not include data that has been aggregated, de-identified or is publicly available.

There is no federal law governing data privacy, and the issue has been a hot topic among state legislatures in recent years. California, Colorado, Connecticut, Utah and Virginia have all enacted comprehensive data privacy laws, and Indiana is among a number of other states whose legislatures have taken up the issue.

The current Indiana bill is modeled after Virginia’s law, which is generally considered to be more business-friendly than the law that California adopted. One difference, for instance, is that the Indiana bill gives enforcement power to the Indiana Attorney General’s Office, meaning that individuals cannot pursue litigation on their own. The Virginia law also follows that model. In California, individuals are allowed to directly sue entities that they believe have violated the state’s data privacy laws.

California’s law is modeled after the European Union’s General Data Protection Regulation, or GDPR, which took effect in 2018.

Brown’s bill would also exempt companies that fall beneath certain thresholds. It would apply only to entities that control or process personal data from at least 100,000 consumers per year (or 25,000 consumers if the company derives more than 50% of its gross revenues from the sale of personal data).

“We don’t want a barrier to entry to startups,” Brown said.

Brown said she modeled her 2022 legislation after the GDPR, but after getting feedback during the last legislative session she came up with a bill that more closely mirrors Virginia’s law.

Brown has been “very collaborative with industry and other folks” in reworking the legislation, said Jennifer Hallowell, the executive director of the Indiana Technology and Innovation Association.

The Indianapolis-based association, which lobbies on behalf of the state’s tech industry, did not take a position on Brown’s data privacy legislation last year. Hallowell said the association’s preference is for a federal data privacy standard, but in the absence of a federal law, it supports Brown’s bill.

Hallowell testified in support of SB 5 at Thursday’s committee hearing.

“Our hope is the Virginia and Indiana frameworks can be the model for an eventual federal standard,” Hallowell told the committee, according to a copy of her remarks provided to IBJ.

If SB 5 passes in the Senate, it would then move to the House for consideration.

2 thoughts on “Rebooted data privacy legislation making its way through Statehouse”

  1. While Jennifer Hallowell of the ITIA says State Sen. Liz Brown has been “very collaborative with industry and other folks” in reworking the legislation, private behind-closed-doors meetings are no substitute for receiving public testimony not only from industry types but from citizens who are most personally affected by the misuse of their private data.

    Too much of the legislation that comes out of the Indiana state legislature never gets those public airings, which means there are probably too many state laws and regulations that reflect only the whim of the sponsoring legislator. As a result, any broader assessment of whether the change in public policy is either needed or appropriate is never addressed in a transparent process.

  2. Glad to see Indiana looking to address this. That geo-location data, for instance, can be so easily sold is wrong. Last year I needed to spend almost 2 months living with my mother in another state to help care for her. Toward the end of that time I started receiving junk mail addressed to me at her address. My siblings tell me that it continues to arrive. I did nothing to explain this other than having been there for a while. My best guess is that my cell carrier sold my info to these companies, with maybe some cross-reference to the fact that I share the same last name as my mother, and assumed I lived there now and thus the junk mail.